github/proxmark3
1
0
Fork 0
mirror of https://github.com/Proxmark/proxmark3.git synced 2025-08-22 22:23:38 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 1365b3a35f into d2197f967a

Browse source
This commit is contained in:
Iceman 2015-01-06 18:00:10 +00:00
commit 225643168c
69 changed files with 1105 additions and 847 deletions
Download patch file Download diff file Expand all files Collapse all files

5
armsrc/Makefile
View file

@ -10,7 +10,7 @@ APP_INCLUDES = apps.h
#remove one of the following defines and comment out the relevant line
#in the next section to remove that particular feature from compilation
APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG
APP_CFLAGS = -DWITH_LF -DWITH_ISO15693 -DWITH_ISO14443a -DWITH_ISO14443b -DWITH_ICLASS -DWITH_LEGICRF -DWITH_HITAG -fno-strict-aliasing
#-DWITH_LCD
#SRC_LCD = fonts.c LCD.c
@ -24,7 +24,8 @@ THUMBSRC = start.c \
$(SRC_LCD) \
$(SRC_ISO15693) \
$(SRC_LF) \
appmain.c printf.c \
appmain.c \
printf.c \
util.c \
string.c \
usb_cdc.c \

120
armsrc/appmain.c
View file

@ -18,7 +18,6 @@
#include "util.h"
#include "printf.h"
#include "string.h"
#include <stdarg.h>
#include "legicrf.h"
@ -82,40 +81,12 @@ void DbpString(char *str)
{
byte_t len = strlen(str);
cmd_send(CMD_DEBUG_PRINT_STRING,len,0,0,(byte_t*)str,len);
// /* this holds up stuff unless we're connected to usb */
// if (!UsbConnected())
// return;
//
// UsbCommand c;
// c.cmd = CMD_DEBUG_PRINT_STRING;
// c.arg[0] = strlen(str);
// if(c.arg[0] > sizeof(c.d.asBytes)) {
// c.arg[0] = sizeof(c.d.asBytes);
// }
// memcpy(c.d.asBytes, str, c.arg[0]);
//
// UsbSendPacket((uint8_t *)&c, sizeof(c));
// // TODO fix USB so stupid things like this aren't req'd
// SpinDelay(50);
}
#if 0
void DbpIntegers(int x1, int x2, int x3)
{
cmd_send(CMD_DEBUG_PRINT_INTEGERS,x1,x2,x3,0,0);
// /* this holds up stuff unless we're connected to usb */
// if (!UsbConnected())
// return;
//
// UsbCommand c;
// c.cmd = CMD_DEBUG_PRINT_INTEGERS;
// c.arg[0] = x1;
// c.arg[1] = x2;
// c.arg[2] = x3;
//
// UsbSendPacket((uint8_t *)&c, sizeof(c));
// // XXX
// SpinDelay(50);
}
#endif
@ -332,7 +303,7 @@ extern struct version_information version_information;
extern char *_bootphase1_version_pointer, _flash_start, _flash_end;
void SendVersion(void)
{
char temp[256]; /* Limited data payload in USB packets */
char temp[512]; /* Limited data payload in USB packets */
DbpString("Prox/RFID mark3 RFID instrument");
/* Try to find the bootrom version information. Expect to find a pointer at
@ -381,13 +352,13 @@ void SamyRun()
int selected = 0;
int playing = 0;
int cardRead = 0;
// Turn on selected LED
LED(selected + 1, 0);
for (;;)
{
// UsbPoll(FALSE);
usb_poll();
WDT_HIT();
@ -396,7 +367,7 @@ void SamyRun()
SpinDelay(300);
// Button was held for a second, begin recording
if (button_pressed > 0)
if (button_pressed > 0 && cardRead == 0)
{
LEDsoff();
LED(selected + 1, 0);
@ -422,6 +393,40 @@ void SamyRun()
// If we were previously playing, set playing off
// so next button push begins playing what we recorded
playing = 0;
cardRead = 1;
}
else if (button_pressed > 0 && cardRead == 1)
{
LEDsoff();
LED(selected + 1, 0);
LED(LED_ORANGE, 0);
// record
Dbprintf("Cloning %x %x %x", selected, high[selected], low[selected]);
// wait for button to be released
while(BUTTON_PRESS())
WDT_HIT();
/* need this delay to prevent catching some weird data */
SpinDelay(500);
CopyHIDtoT55x7(high[selected], low[selected], 0, 0);
Dbprintf("Cloned %x %x %x", selected, high[selected], low[selected]);
LEDsoff();
LED(selected + 1, 0);
// Finished recording
// If we were previously playing, set playing off
// so next button push begins playing what we recorded
playing = 0;
cardRead = 0;
}
// Change where to record (or begin playing)
@ -635,18 +640,18 @@ void UsbPacketReceived(uint8_t *packet, int len)
cmd_send(CMD_ACK,0,0,0,0,0);
break;
case CMD_HID_DEMOD_FSK:
CmdHIDdemodFSK(c->arg[0], 0, 0, 1); // Demodulate HID tag
CmdHIDdemodFSK(c->arg[0], 0, 0, 1);
break;
case CMD_HID_SIM_TAG:
CmdHIDsimTAG(c->arg[0], c->arg[1], 1); // Simulate HID tag by ID
CmdHIDsimTAG(c->arg[0], c->arg[1], 1);
break;
case CMD_HID_CLONE_TAG: // Clone HID tag by ID to T55x7
case CMD_HID_CLONE_TAG:
CopyHIDtoT55x7(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
case CMD_IO_DEMOD_FSK:
CmdIOdemodFSK(c->arg[0], 0, 0, 1); // Demodulate IO tag
CmdIOdemodFSK(c->arg[0], 0, 0, 1);
break;
case CMD_IO_CLONE_TAG: // Clone IO tag by ID to T55x7
case CMD_IO_CLONE_TAG:
CopyIOtoT55x7(c->arg[0], c->arg[1], c->d.asBytes[0]);
break;
case CMD_EM410X_DEMOD:
@ -669,10 +674,10 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_LF_SIMULATE_BIDIR:
SimulateTagLowFrequencyBidir(c->arg[0], c->arg[1]);
break;
case CMD_INDALA_CLONE_TAG: // Clone Indala 64-bit tag by UID to T55x7
case CMD_INDALA_CLONE_TAG:
CopyIndala64toT55x7(c->arg[0], c->arg[1]);
break;
case CMD_INDALA_CLONE_TAG_L: // Clone Indala 224-bit tag by UID to T55x7
case CMD_INDALA_CLONE_TAG_L:
CopyIndala224toT55x7(c->d.asDwords[0], c->d.asDwords[1], c->d.asDwords[2], c->d.asDwords[3], c->d.asDwords[4], c->d.asDwords[5], c->d.asDwords[6]);
break;
case CMD_T55XX_READ_BLOCK:
@ -681,13 +686,12 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_T55XX_WRITE_BLOCK:
T55xxWriteBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes[0]);
break;
case CMD_T55XX_READ_TRACE: // Clone HID tag by ID to T55x7
case CMD_T55XX_READ_TRACE:
T55xxReadTrace();
break;
case CMD_PCF7931_READ: // Read PCF7931 tag
case CMD_PCF7931_READ:
ReadPCF7931();
cmd_send(CMD_ACK,0,0,0,0,0);
// UsbSendPacket((uint8_t*)&ack, sizeof(ack));
break;
case CMD_EM4X_READ_WORD:
EM4xReadWord(c->arg[1], c->arg[2],c->d.asBytes[0]);
@ -733,7 +737,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
ReaderIso15693(c->arg[0]);
break;
case CMD_SIMTAG_ISO_15693:
SimTagIso15693(c->arg[0]);
SimTagIso15693(c->arg[0], c->d.asBytes);
break;
#endif
@ -782,6 +786,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_SIMULATE_TAG_ISO_14443a:
SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes); // ## Simulate iso14443a tag - pass tag type & UID
break;
case CMD_EPA_PACE_COLLECT_NONCE:
EPA_PACE_Collect_Nonce(c);
break;
@ -838,12 +843,15 @@ void UsbPacketReceived(uint8_t *packet, int len)
break;
// Work with "magic Chinese" card
case CMD_MIFARE_EML_CSETBLOCK:
case CMD_MIFARE_CSETBLOCK:
MifareCSetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
break;
case CMD_MIFARE_EML_CGETBLOCK:
case CMD_MIFARE_CGETBLOCK:
MifareCGetBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
break;
case CMD_MIFARE_CIDENT:
MifareCIdent();
break;
// mifare sniffer
case CMD_MIFARE_SNIFFER:
@ -894,18 +902,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
break;
case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K:
// UsbCommand n;
// if(c->cmd == CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K) {
// n.cmd = CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K;
// } else {
// n.cmd = CMD_DOWNLOADED_RAW_BITS_TI_TYPE;
// }
// n.arg[0] = c->arg[0];
// memcpy(n.d.asBytes, BigBuf+c->arg[0], 48); // 12*sizeof(uint32_t)
// LED_B_ON();
// usb_write((uint8_t *)&n, sizeof(n));
// UsbSendPacket((uint8_t *)&n, sizeof(n));
// LED_B_OFF();
LED_B_ON();
for(size_t i=0; i<c->arg[1]; i += USB_CMD_DATA_SIZE) {
@ -919,9 +915,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_DOWNLOADED_SIM_SAMPLES_125K: {
uint8_t *b = (uint8_t *)BigBuf;
memcpy(b+c->arg[0], c->d.asBytes, 48);
//Dbprintf("copied 48 bytes to %i",b+c->arg[0]);
// UsbSendPacket((uint8_t*)&ack, sizeof(ack));
memcpy(b+c->arg[0], c->d.asBytes, USB_CMD_DATA_SIZE);
cmd_send(CMD_ACK,0,0,0,0,0);
break;
}
@ -979,7 +973,6 @@ void UsbPacketReceived(uint8_t *packet, int len)
case CMD_DEVICE_INFO: {
uint32_t dev_info = DEVICE_INFO_FLAG_OSIMAGE_PRESENT | DEVICE_INFO_FLAG_CURRENT_MODE_OS;
if(common_area.flags.bootrom_present) dev_info |= DEVICE_INFO_FLAG_BOOTROM_PRESENT;
// UsbSendPacket((uint8_t*)&c, sizeof(c));
cmd_send(CMD_DEVICE_INFO,dev_info,0,0,0,0);
break;
}
@ -1006,9 +999,8 @@ void __attribute__((noreturn)) AppMain(void)
LED_B_OFF();
LED_A_OFF();
// Init USB device`
// Init USB device
usb_enable();
// UsbStart();
// The FPGA gets its clock from us from PCK0 output, so set that up.
AT91C_BASE_PIOA->PIO_BSR = GPIO_PCK0;
@ -1044,8 +1036,6 @@ void __attribute__((noreturn)) AppMain(void)
UsbPacketReceived(rx,rx_len);
}
}
// UsbPoll(FALSE);
WDT_HIT();
#ifdef WITH_LF

3
armsrc/apps.h
View file

@ -192,12 +192,13 @@ void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
void MifareECardLoad(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain); // Work with "magic Chinese" card
void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain);
void MifareCIdent(); // is "magic chinese" card?
/// iso15693.h
void RecordRawAdcSamplesIso15693(void);
void AcquireRawAdcSamplesIso15693(void);
void ReaderIso15693(uint32_t parameter); // Simulate an ISO15693 reader - greg
void SimTagIso15693(uint32_t parameter); // simulate an ISO15693 tag - greg
void SimTagIso15693(uint32_t parameter, uint8_t *uid); // simulate an ISO15693 tag - greg
void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag - atrox
void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8_t data[]); // send arbitrary commands from CLI - atrox
void SetDebugIso15693(uint32_t flag);

4
armsrc/crapto1.c
View file

@ -44,12 +44,12 @@ static void quicksort(uint32_t* const start, uint32_t* const stop)
else if(*rit > *start)
--rit;
else
*it ^= (*it ^= *rit, *rit ^= *it);
*it ^= ( (*it ^= *rit ), *rit ^= *it);
if(*rit >= *start)
--rit;
if(rit != start)
*rit ^= (*rit ^= *start, *start ^= *rit);
*rit ^= ( (*rit ^= *start), *start ^= *rit);
quicksort(start, rit - 1);
quicksort(rit + 1, stop);

18
armsrc/epa.c
View file

@ -185,6 +185,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
|| response_apdu[rapdu_length - 4] != 0x90
|| response_apdu[rapdu_length - 3] != 0x00)
{
Dbprintf("epa - no select cardaccess");
return -1;
}
@ -196,6 +197,7 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
|| response_apdu[rapdu_length - 4] != 0x90
|| response_apdu[rapdu_length - 3] != 0x00)
{
Dbprintf("epa - no read cardaccess");
return -1;
}
@ -223,7 +225,6 @@ static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
// send the USB packet
cmd_send(CMD_ACK,step,func_return,0,0,0);
//UsbSendPacket((void *)ack, sizeof(UsbCommand));
}
//-----------------------------------------------------------------------------
@ -243,7 +244,7 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
*/
// return value of a function
int func_return;
int func_return = 0;
// // initialize ack with 0s
// memset(ack->arg, 0, 12);
@ -301,7 +302,6 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
// save received information
// ack->arg[1] = func_return;
// memcpy(ack->d.asBytes, nonce, func_return);
// UsbSendPacket((void *)ack, sizeof(UsbCommand));
cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
}
@ -416,25 +416,27 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
//-----------------------------------------------------------------------------
int EPA_Setup()
{
// return code
int return_code = 0;
// card UID
uint8_t uid[10];
// card select information
uint8_t pps_response[3];
uint8_t pps_response_par[1];
iso14a_card_select_t card_select_info;
// power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
iso14a_set_timeout(10500);
// select the card
return_code = iso14443a_select_card(uid, &card_select_info, NULL);
if (return_code != 1) {
Dbprintf("Epa: Can't select card");
return 1;
}
// send the PPS request
ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
uint8_t pps_response[3];
uint8_t pps_response_par[1];
return_code = ReaderReceive(pps_response, pps_response_par);
if (return_code != 3 || pps_response[0] != 0xD0) {
return return_code == 0 ? 2 : return_code;

16
armsrc/hitag2.c
View file

@ -990,19 +990,19 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
// Disable timer during configuration
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
// Capture mode, defaul timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
// Capture mode, default timer source = MCK/2 (TIMER_CLOCK1), TIOA is external trigger,
// external trigger rising edge, load RA on rising edge of TIOA.
AT91C_BASE_TC1->TC_CMR = AT91C_TC_CLKS_TIMER_DIV1_CLOCK | AT91C_TC_ETRGEDG_RISING | AT91C_TC_ABETRG | AT91C_TC_LDRA_RISING;
// Enable and reset counter
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
// Reset the received frame, frame count and timing info
memset(rx,0x00,sizeof(rx));
frame_count = 0;
response = 0;
overflow = 0;
// Enable and reset counter
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKEN | AT91C_TC_SWTRG;
while(!BUTTON_PRESS()) {
// Watchdog hit
WDT_HIT();
@ -1105,9 +1105,9 @@ void SimulateHitagTag(bool tag_mem_supplied, byte_t* data) {
AT91C_BASE_TC1->TC_CCR = AT91C_TC_CLKDIS;
AT91C_BASE_TC0->TC_CCR = AT91C_TC_CLKDIS;
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
// Dbprintf("frame received: %d",frame_count);
// Dbprintf("Authentication Attempts: %d",(auth_table_len/8));
// DbpString("All done");
DbpString("Sim Stopped");
}
void ReaderHitag(hitag_function htf, hitag_data* htd) {
@ -1158,7 +1158,7 @@ void ReaderHitag(hitag_function htf, hitag_data* htd) {
case RHT2F_CRYPTO: {
DbpString("Authenticating using key:");
memcpy(key,htd->crypto.key,4);
memcpy(key,htd->crypto.key,4); //HACK; 4 or 6?? I read both in the code.
Dbhexdump(6,key,false);
blocknr = 0;
bQuiet = false;

14
armsrc/iclass.c
View file

@ -433,7 +433,6 @@ static RAMFUNC int ManchesterDecoding(int v)
else {
modulation = bit & Demod.syncBit;
modulation |= ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
//modulation = ((bit << 1) ^ ((Demod.buffer & 0x08) >> 3)) & Demod.syncBit;
Demod.samples += 4;
@ -842,10 +841,7 @@ static int GetIClassCommandFromReader(uint8_t *received, int *len, int maxLen)
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
uint8_t b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
/*if(OutOfNDecoding((b & 0xf0) >> 4)) {
*len = Uart.byteCnt;
return TRUE;
}*/
if(OutOfNDecoding(b & 0x0f)) {
*len = Uart.byteCnt;
return TRUE;
@ -1001,8 +997,6 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain
*/
int doIClassSimulation(uint8_t csn[], int breakAfterMacReceived, uint8_t *reader_mac_buf)
{
// CSN followed by two CRC bytes
uint8_t response2[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t response3[] = { 0,0,0,0,0,0,0,0,0,0};
@ -1368,7 +1362,6 @@ void ReaderTransmitIClass(uint8_t* frame, int len)
int samples = 0;
// This is tied to other size changes
// uint8_t* frame_addr = ((uint8_t*)BigBuf) + 2024;
CodeIClassCommand(frame,len);
// Select the card
@ -1423,10 +1416,7 @@ static int GetIClassAnswer(uint8_t *receivedResponse, int maxLen, int *samples,
b = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
skip = !skip;
if(skip) continue;
/*if(ManchesterDecoding((b>>4) & 0xf)) {
*samples = ((c - 1) << 3) + 4;
return TRUE;
}*/
if(ManchesterDecoding(b & 0x0f)) {
*samples = c << 3;
return TRUE;

6
armsrc/iso14443.c
View file

@ -293,8 +293,7 @@ static int GetIso14443CommandFromReader(uint8_t *received, int *len, int maxLen)
// only, since we are receiving, not transmitting).
// Signal field is off with the appropriate LED
LED_D_OFF();
FpgaWriteConfWord(
FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_NO_MODULATION);
// Now run a `software UART' on the stream of incoming samples.
@ -401,8 +400,7 @@ void SimulateIso14443Tag(void)
// Modulate BPSK
// Signal field is off with the appropriate LED
LED_D_OFF();
FpgaWriteConfWord(
FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR | FPGA_HF_SIMULATOR_MODULATE_BPSK);
AT91C_BASE_SSC->SSC_THR = 0xff;
FpgaSetupSsc();

43
armsrc/iso14443a.c
View file

@ -144,7 +144,6 @@ const uint8_t OddByteParity[256] = {
1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
};
void iso14a_set_trigger(bool enable) {
trigger = enable;
}
@ -310,6 +309,7 @@ static RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time)
Uart.twoBits = (Uart.twoBits << 8) | bit;
if (Uart.state == STATE_UNSYNCD) { // not yet synced
if (Uart.highCnt < 7) { // wait for a stable unmodulated signal
if (Uart.twoBits == 0xffff) {
Uart.highCnt++;
@ -990,6 +990,12 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
response1[1] = 0x00;
sak = 0x28;
} break;
case 5: { // MIFARE TNP3XXX
// Says: I am a toy
response1[0] = 0x01;
response1[1] = 0x0f;
sak = 0x01;
} break;
default: {
Dbprintf("Error: unkown tagtype (%d)",tagType);
return;
@ -1123,7 +1129,7 @@ void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data)
// We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
p_response = NULL;
} else if(receivedCmd[0] == 0x50) { // Received a HALT
// DbpString("Reader requested we HALT!:");
if (tracing) {
LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
}
@ -1308,13 +1314,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
// clear TXRDY
AT91C_BASE_SSC->SSC_THR = SEC_Y;
// for(uint16_t c = 0; c < 10;) { // standard delay for each transfer (allow tag to be ready after last transmission)
// if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
// AT91C_BASE_SSC->SSC_THR = SEC_Y;
// c++;
// }
// }
uint16_t c = 0;
for(;;) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
@ -1327,7 +1326,6 @@ static void TransmitFor14443a(const uint8_t *cmd, uint16_t len, uint32_t *timing
}
NextTransferTime = MAX(NextTransferTime, LastTimeProxToAirStart + REQUEST_GUARD_TIME);
}
@ -1669,7 +1667,6 @@ static int GetIso14443aAnswerFromTag(uint8_t *receivedResponse, uint8_t *receive
void ReaderTransmitBitsPar(uint8_t* frame, uint16_t bits, uint8_t *par, uint32_t *timing)
{
CodeIso14443aBitsAsReaderPar(frame, bits, par);
// Send command to tag
@ -1744,7 +1741,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
// Receive the ATQA
if(!ReaderReceive(resp, resp_par)) return 0;
//Dbprintf("atqa: %02x %02x",resp[1],resp[0]);
if(p_hi14a_card) {
memcpy(p_hi14a_card->atqa, resp, 2);
@ -1800,7 +1796,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
memcpy(uid_resp, resp, 4);
}
uid_resp_len = 4;
//Dbprintf("uid: %02x %02x %02x %02x",uid_resp[0],uid_resp[1],uid_resp[2],uid_resp[3]);
// calculate crypto UID. Always use last 4 Bytes.
if(cuid_ptr) {
@ -1818,15 +1813,10 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
if (!ReaderReceive(resp, resp_par)) return 0;
sak = resp[0];
// Test if more parts of the uid are comming
// Test if more parts of the uid are coming
if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
// Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
// http://www.nxp.com/documents/application_note/AN10927.pdf
// This was earlier:
//memcpy(uid_resp, uid_resp + 1, 3);
// But memcpy should not be used for overlapping arrays,
// and memmove appears to not be available in the arm build.
// Therefore:
uid_resp[0] = uid_resp[1];
uid_resp[1] = uid_resp[2];
uid_resp[2] = uid_resp[3];
@ -1849,9 +1839,8 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
p_hi14a_card->ats_len = 0;
}
if( (sak & 0x20) == 0) {
return 2; // non iso14443a compliant tag
}
// non iso14443a compliant tag
if( (sak & 0x20) == 0) return 2;
// Request for answer to select
AppendCrc14443a(rats, 2);
@ -1859,6 +1848,7 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
if (!(len = ReaderReceive(resp, resp_par))) return 0;
if(p_hi14a_card) {
memcpy(p_hi14a_card->ats, resp, sizeof(p_hi14a_card->ats));
p_hi14a_card->ats_len = len;
@ -1866,7 +1856,6 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_hi14a_card, u
// reset the PCB block number
iso14_pcb_blocknum = 0;
return 1;
}
@ -1957,7 +1946,7 @@ void ReaderIso14443a(UsbCommand *c)
}
if(param & ISO14A_SET_TIMEOUT) {
iso14a_timeout = c->arg[2];
iso14a_set_timeout(c->arg[2]);
}
if(param & ISO14A_APDU) {
@ -2047,8 +2036,8 @@ void ReaderMifare(bool first_try)
uint32_t nt = 0;
uint32_t previous_nt = 0;
static uint32_t nt_attacked = 0;
byte_t par_list[8] = {0,0,0,0,0,0,0,0};
byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
byte_t par_list[8] = {0x00};
byte_t ks_list[8] = {0x00};
static uint32_t sync_time;
static uint32_t sync_cycles;
@ -2057,8 +2046,6 @@ void ReaderMifare(bool first_try)
uint16_t consecutive_resyncs = 0;
int isOK = 0;
if (first_try) {
mf_nr_ar3 = 0;
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);

177
armsrc/iso15693.c
View file

@ -263,13 +263,10 @@ static void TransmitTo15693Tag(const uint8_t *cmd, int len, int *samples, int *w
//-----------------------------------------------------------------------------
static void TransmitTo15693Reader(const uint8_t *cmd, int len, int *samples, int *wait)
{
int c;
// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_TX);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR); // No requirement to energise my coils
int c = 0;
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_SIMULATOR|FPGA_HF_SIMULATOR_MODULATE_424K);
if(*wait < 10) { *wait = 10; }
c = 0;
for(;;) {
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) {
AT91C_BASE_SSC->SSC_THR = cmd[c];
@ -464,8 +461,7 @@ static int GetIso15693AnswerFromSniff(uint8_t *receivedResponse, int maxLen, int
AT91C_BASE_SSC->SSC_THR = 0x43;
}
if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_RXRDY)) {
int8_t b;
b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
int8_t b = (int8_t)AT91C_BASE_SSC->SSC_RHR;
// The samples are correlations against I and Q versions of the
// tone that the tag AM-modulates, so every other sample is I,
@ -600,10 +596,10 @@ static void BuildIdentifyRequest(void);
//-----------------------------------------------------------------------------
void AcquireRawAdcSamplesIso15693(void)
{
int c = 0;
uint8_t *dest = (uint8_t *)BigBuf;
int getNext = 0;
int c = 0;
int getNext = 0;
int8_t prev = 0;
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
@ -682,10 +678,10 @@ void AcquireRawAdcSamplesIso15693(void)
void RecordRawAdcSamplesIso15693(void)
{
int c = 0;
uint8_t *dest = (uint8_t *)BigBuf;
int getNext = 0;
uint8_t *dest = (uint8_t *)BigBuf;
int c = 0;
int getNext = 0;
int8_t prev = 0;
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
@ -836,24 +832,25 @@ static void BuildReadBlockRequest(uint8_t *uid, uint8_t blockNumber )
}
// Now the VICC>VCD responses when we are simulating a tag
static void BuildInventoryResponse(void)
static void BuildInventoryResponse( uint8_t *uid)
{
uint8_t cmd[12];
uint16_t crc;
// one sub-carrier, inventory, 1 slot, fast rate
// AFI is at bit 5 (1<<4) when doing an INVENTORY
cmd[0] = 0; //(1 << 2) | (1 << 5) | (1 << 1);
cmd[1] = 0;
//(1 << 2) | (1 << 5) | (1 << 1);
cmd[0] = 0; //
cmd[1] = 0; // DSFID (data storage format identifier). 0x00 = not supported
// 64-bit UID
cmd[2] = 0x32;
cmd[3]= 0x4b;
cmd[4] = 0x03;
cmd[5] = 0x01;
cmd[6] = 0x00;
cmd[7] = 0x10;
cmd[8] = 0x05;
cmd[9]= 0xe0;
cmd[2] = uid[7]; //0x32;
cmd[3] = uid[6]; //0x4b;
cmd[4] = uid[5]; //0x03;
cmd[5] = uid[4]; //0x01;
cmd[6] = uid[3]; //0x00;
cmd[7] = uid[2]; //0x10;
cmd[8] = uid[1]; //0x05;
cmd[9] = uid[0]; //0xe0;
//Now the CRC
crc = Crc(cmd, 10);
cmd[10] = crc & 0xff;
@ -1002,23 +999,27 @@ void ReaderIso15693(uint32_t parameter)
LED_C_OFF();
LED_D_OFF();
//DbpString(parameter);
//uint8_t *answer0 = (((uint8_t *)BigBuf) + 3560); // allow 100 bytes per reponse (way too much)
uint8_t *answer1 = (((uint8_t *)BigBuf) + 3660); //
uint8_t *answer2 = (((uint8_t *)BigBuf) + 3760);
uint8_t *answer3 = (((uint8_t *)BigBuf) + 3860);
//uint8_t *TagUID= (((uint8_t *)BigBuf) + 3960); // where we hold the uid for hi15reader
// int answerLen0 = 0;
int answerLen1 = 0;
int answerLen2 = 0;
int answerLen3 = 0;
int i=0; // counter
int i = 0;
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
uint8_t TagUID[8] = {0x00};
// Blank arrays
memset(BigBuf + 3660, 0, 300);
memset(BigBuf + 3660, 0x00, 300);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Setup SSC
FpgaSetupSsc();
@ -1026,9 +1027,6 @@ void ReaderIso15693(uint32_t parameter)
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(200);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
FpgaSetupSsc();
// Give the tags time to energize
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
SpinDelay(200);
@ -1038,44 +1036,19 @@ void ReaderIso15693(uint32_t parameter)
LED_C_OFF();
LED_D_OFF();
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
// FIRST WE RUN AN INVENTORY TO GET THE TAG UID
// THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
uint8_t TagUID[8] = {0, 0, 0, 0, 0, 0, 0, 0}; // where we hold the uid for hi15reader
// BuildIdentifyRequest();
// //TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait);
// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
// // Now wait for a response
// responseLen0 = GetIso15693AnswerFromTag(receivedAnswer0, 100, &samples, &elapsed) ;
// if (responseLen0 >=12) // we should do a better check than this
// {
// // really we should check it is a valid mesg
// // but for now just grab what we think is the uid
// TagUID[0] = receivedAnswer0[2];
// TagUID[1] = receivedAnswer0[3];
// TagUID[2] = receivedAnswer0[4];
// TagUID[3] = receivedAnswer0[5];
// TagUID[4] = receivedAnswer0[6];
// TagUID[5] = receivedAnswer0[7];
// TagUID[6] = receivedAnswer0[8]; // IC Manufacturer code
// DbpIntegers(TagUID[6],TagUID[5],TagUID[4]);
//}
// Now send the IDENTIFY command
BuildIdentifyRequest();
//TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait);
TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait);
// Now wait for a response
answerLen1 = GetIso15693AnswerFromTag(answer1, 100, &samples, &elapsed) ;
if (answerLen1 >=12) // we should do a better check than this
{
TagUID[0] = answer1[2];
TagUID[1] = answer1[3];
TagUID[2] = answer1[4];
@ -1085,23 +1058,6 @@ void ReaderIso15693(uint32_t parameter)
TagUID[6] = answer1[8]; // IC Manufacturer code
TagUID[7] = answer1[9]; // always E0
// Now send the SELECT command
// since the SELECT command is optional, we should not rely on it.
//// BuildSelectRequest(TagUID);
// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
// Now wait for a response
/// answerLen2 = GetIso15693AnswerFromTag(answer2, 100, &samples, &elapsed);
// Now send the MULTI READ command
// BuildArbitraryRequest(*TagUID,parameter);
/// BuildArbitraryCustomRequest(TagUID,parameter);
// BuildReadBlockRequest(*TagUID,parameter);
// BuildSysInfoRequest(*TagUID);
//TransmitTo15693Tag(ToSend,ToSendMax+3,&tsamples, &wait);
/// TransmitTo15693Tag(ToSend,ToSendMax,&tsamples, &wait); // No longer ToSendMax+3
// Now wait for a response
/// answerLen3 = GetIso15693AnswerFromTag(answer3, 100, &samples, &elapsed) ;
}
Dbprintf("%d octets read from IDENTIFY request:", answerLen1);
@ -1110,9 +1066,9 @@ void ReaderIso15693(uint32_t parameter)
// UID is reverse
if (answerLen1>=12)
//Dbprintf("UID = %*D",8,TagUID," ");
Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",TagUID[7],TagUID[6],TagUID[5],
TagUID[4],TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
Dbprintf("UID = %02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
TagUID[7],TagUID[6],TagUID[5],TagUID[4],
TagUID[3],TagUID[2],TagUID[1],TagUID[0]);
Dbprintf("%d octets read from SELECT request:", answerLen2);
@ -1123,7 +1079,6 @@ void ReaderIso15693(uint32_t parameter)
DbdecodeIso15693Answer(answerLen3,answer3);
Dbhexdump(answerLen3,answer3,true);
// read all pages
if (answerLen1>=12 && DEBUG) {
i=0;
@ -1141,13 +1096,6 @@ void ReaderIso15693(uint32_t parameter)
}
}
// str2[0]=0;
// for(i = 0; i < responseLen3; i++) {
// itoa(str1,receivedAnswer3[i]);
// strncat(str2,str1,8);
// }
// DbpString(str2);
LED_A_OFF();
LED_B_OFF();
LED_C_OFF();
@ -1156,32 +1104,31 @@ void ReaderIso15693(uint32_t parameter)
// Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands
// all demodulation performed in arm rather than host. - greg
void SimTagIso15693(uint32_t parameter)
void SimTagIso15693(uint32_t parameter, uint8_t *uid)
{
LED_A_ON();
LED_B_ON();
LED_C_OFF();
LED_D_OFF();
uint8_t *answer1 = (((uint8_t *)BigBuf) + 3660); //
int answerLen1 = 0;
uint8_t *buf = (((uint8_t *)BigBuf) + 3660); //
// Blank arrays
memset(answer1, 0, 100);
int answerLen1 = 0;
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
memset(buf, 0x00, 100);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
// Setup SSC
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
FpgaSetupSsc();
// Start from off (no field generated)
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(200);
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
FpgaSetupSsc();
// Give the tags time to energize
// FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); // NO GOOD FOR SIM TAG!!!!
SpinDelay(200);
LED_A_OFF();
@ -1189,24 +1136,26 @@ void SimTagIso15693(uint32_t parameter)
LED_C_ON();
LED_D_OFF();
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
answerLen1 = GetIso15693AnswerFromSniff(answer1, 100, &samples, &elapsed) ;
// Listen to reader
answerLen1 = GetIso15693AnswerFromSniff(buf, 100, &samples, &elapsed) ;
if (answerLen1 >=1) // we should do a better check than this
{
// Build a suitable reponse to the reader INVENTORY cocmmand
BuildInventoryResponse();
// not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below.
BuildInventoryResponse(uid);
TransmitTo15693Reader(ToSend,ToSendMax, &tsamples, &wait);
}
Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", answerLen1,
answer1[0], answer1[1], answer1[2],
answer1[3], answer1[4], answer1[5],
answer1[6], answer1[7], answer1[8]);
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7], buf[8]);
Dbprintf("Simulationg uid: %x %x %x %x %x %x %x %x",
uid[0], uid[1], uid[2], uid[3],
uid[4], uid[5], uid[6], uid[7]);
LED_A_OFF();
LED_B_OFF();
@ -1275,12 +1224,8 @@ void DirectTag15693Command(uint32_t datalen,uint32_t speed, uint32_t recv, uint8
recvlen=SendDataTag(data,datalen,1,speed,(recv?&recvbuf:NULL));
if (recv) {
// n.cmd=/* CMD_ISO_15693_COMMAND_DONE */ CMD_ACK;
// n.arg[0]=recvlen>48?48:recvlen;
// memcpy(n.d.asBytes, recvbuf, 48);
LED_B_ON();
cmd_send(CMD_ACK,recvlen>48?48:recvlen,0,0,recvbuf,48);
// UsbSendPacket((uint8_t *)&n, sizeof(n));
LED_B_OFF();
if (DEBUG) {

9
armsrc/lfops.c
View file

@ -179,8 +179,6 @@ void ReadTItag(void)
signed char *dest = (signed char *)BigBuf;
int n = sizeof(BigBuf);
// int *dest = GraphBuffer;
// int n = GraphTraceLen;
// 128 bit shift register [shift3:shift2:shift1:shift0]
uint32_t shift3 = 0, shift2 = 0, shift1 = 0, shift0 = 0;
@ -625,6 +623,7 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol)
if (ledcontrol)
LED_A_ON();
SimulateTagLowFrequency(n, 0, ledcontrol);
if (ledcontrol)
@ -1337,7 +1336,6 @@ void WriteEM410x(uint32_t card, uint32_t id_hi, uint32_t id_lo)
// Clone Indala 64-bit tag by UID to T55x7
void CopyIndala64toT55x7(int hi, int lo)
{
//Program the 2 data blocks for supplied 64bit UID
// and the block 0 for Indala64 format
T55xxWriteBlock(hi,1,0,0);
@ -1351,12 +1349,10 @@ void CopyIndala64toT55x7(int hi, int lo)
// T5567WriteBlock(0x603E1042,0);
DbpString("DONE!");
}
void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int uid6, int uid7)
{
//Program the 7 data blocks for supplied 224bit UID
// and the block 0 for Indala224 format
T55xxWriteBlock(uid1,1,0,0);
@ -1375,7 +1371,6 @@ void CopyIndala224toT55x7(int uid1, int uid2, int uid3, int uid4, int uid5, int
// T5567WriteBlock(0x603E10E2,0);
DbpString("DONE!");
}
@ -1525,7 +1520,6 @@ int IsBlock1PCF7931(uint8_t *Block) {
return 0;
}
#define ALLOC 16
void ReadPCF7931() {
@ -1785,6 +1779,7 @@ void SendForward(uint8_t fwd_bit_count) {
}
}
void EM4xLogin(uint32_t Password) {
uint8_t fwd_bit_count;

109
armsrc/mifarecmd.c
View file

@ -2,6 +2,9 @@
// Merlok - June 2011, 2012
// Gerhard de Koning Gans - May 2008
// Hagen Fritsch - June 2010
// Midnitesnake - Dec 2013
// Andy Davies - Apr 2014
// Iceman - May 2014
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
@ -36,8 +39,6 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
@ -81,8 +82,6 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
@ -129,14 +128,10 @@ void MifareUReadBlock(uint8_t arg0,uint8_t *datain)
LED_B_ON();
cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16);
LED_B_OFF();
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
}
//-----------------------------------------------------------------------------
// Select, Authenticate, Read a MIFARE tag.
// read sector (data = 4 x 16 bytes = 64 bytes, or 16 x 16 bytes = 256 bytes)
@ -150,7 +145,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
ui64Key = bytes_to_num(datain, 6);
// variables
byte_t isOK;
byte_t isOK = 0;
byte_t dataoutbuf[16 * 16];
uint8_t uid[10];
uint32_t cuid;
@ -160,7 +155,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -192,7 +186,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");
}
// ----------------------------- crypto1 destroy
crypto1_destroy(pcs);
@ -205,7 +198,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
@ -222,7 +214,6 @@ void MifareUReadCard(uint8_t arg0, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -288,7 +279,6 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -334,11 +324,8 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
{
// params
@ -355,7 +342,6 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -396,7 +382,6 @@ void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
// iso14a_set_tracing(TRUE);
}
void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
{
// params
@ -412,7 +397,6 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
// clear trace
iso14a_clear_trace();
// iso14a_set_tracing(false);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -446,15 +430,11 @@ void MifareUWriteBlock_Special(uint8_t arg0, uint8_t *datain)
cmd_send(CMD_ACK,isOK,0,0,0,0);
LED_B_OFF();
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
// iso14a_set_tracing(TRUE);
}
// Return 1 if the nonce is invalid else return 0
int valid_nonce(uint32_t Nt, uint32_t NtEnc, uint32_t Ks1, uint8_t *parity) {
return ((oddparity((Nt >> 24) & 0xFF) == ((parity[0]) ^ oddparity((NtEnc >> 24) & 0xFF) ^ BIT(Ks1,16))) & \
@ -510,6 +490,7 @@ void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *dat
// statistics on nonce distance
if (calibrate) { // for first call only. Otherwise reuse previous calibration
LED_B_ON();
WDT_HIT();
davg = dmax = 0;
dmin = 2000;
@ -733,7 +714,6 @@ void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);
LED_B_OFF();
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
@ -750,7 +730,6 @@ void MifareSetDbgLvl(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
Dbprintf("Debug level: %d", MF_DBGLEVEL);
}
//-----------------------------------------------------------------------------
// Work with emulator memory
//
@ -759,23 +738,19 @@ void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain)
emlClearMem();
}
void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
emlSetMem(datain, arg0, arg1); // data, block num, blocks count
}
void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){
byte_t buf[48];
byte_t buf[USB_CMD_DATA_SIZE];
emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)
LED_B_ON();
cmd_send(CMD_ACK,arg0,arg1,0,buf,48);
cmd_send(CMD_ACK,arg0,arg1,0,buf,USB_CMD_DATA_SIZE);
LED_B_OFF();
}
//-----------------------------------------------------------------------------
// Load a card into the emulator memory
//
@ -884,32 +859,26 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
// variables
byte_t isOK = 0;
uint8_t uid[10];
uint8_t d_block[18];
uint8_t uid[10] = {0x00};
uint8_t d_block[18] = {0x00};
uint32_t cuid;
memset(uid, 0x00, 10);
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
// reset FPGA and LED
if (workFlags & 0x08) {
// clear trace
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
LED_C_OFF();
SpinDelay(300);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(100);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
}
while (true) {
// get UID from chip
if (workFlags & 0x01) {
if(!iso14443a_select_card(uid, NULL, &cuid)) {
@ -988,7 +957,6 @@ void MifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
LED_B_OFF();
if ((workFlags & 0x10) || (!isOK)) {
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
}
@ -1011,28 +979,20 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
// variables
byte_t isOK = 0;
uint8_t data[18];
uint8_t data[18] = {0x00};
uint32_t cuid = 0;
memset(data, 0x00, 18);
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
if (workFlags & 0x08) {
// clear trace
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
LED_A_ON();
LED_B_OFF();
LED_C_OFF();
SpinDelay(300);
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(100);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_ISO14443A | FPGA_HF_ISO14443A_READER_MOD);
iso14a_clear_trace();
iso14a_set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
}
while (true) {
@ -1073,9 +1033,40 @@ void MifareCGetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datai
LED_B_OFF();
if ((workFlags & 0x10) || (!isOK)) {
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
LEDsoff();
}
}
void MifareCIdent(){
// card commands
uint8_t wupC1[] = { 0x40 };
uint8_t wupC2[] = { 0x43 };
// variables
byte_t isOK = 1;
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
ReaderTransmitBitsPar(wupC1,7,0, NULL);
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
isOK = 0;
};
ReaderTransmit(wupC2, sizeof(wupC2), NULL);
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {
isOK = 0;
};
if (mifare_classic_halt(NULL, 0)) {
isOK = 0;
};
cmd_send(CMD_ACK,isOK,0,0,0,0);
}
//
// DESFIRE
//

29
armsrc/mifareutil.c
View file

@ -54,10 +54,12 @@ void mf_crypto1_encrypt(struct Crypto1State *pcs, uint8_t *data, uint16_t len, u
uint8_t bt = 0;
int i;
par[0] = 0;
for (i = 0; i < len; i++) {
bt = data[i];
data[i] = crypto1_byte(pcs, 0x00, 0) ^ data[i];
if((i&0x0007) == 0) par[i>>3] = 0;
if((i&0x0007) == 0)
par[i>>3] = 0;
par[i>>3] |= (((filter(pcs->odd) ^ oddparity(bt)) & 0x01)<<(7-(i&0x0007)));
}
return;
@ -81,9 +83,7 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd,
int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t* data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing)
{
uint8_t dcmd[8];//, ecmd[4];
//uint32_t par=0;
uint8_t dcmd[8];
dcmd[0] = cmd;
dcmd[1] = data[0];
dcmd[2] = data[1];
@ -91,10 +91,6 @@ int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint
dcmd[4] = data[3];
dcmd[5] = data[4];
AppendCrc14443a(dcmd, 6);
//Dbprintf("Data command: %02x", dcmd[0]);
//Dbprintf("Data R: %02x %02x %02x %02x %02x %02x %02x", dcmd[1],dcmd[2],dcmd[3],dcmd[4],dcmd[5],dcmd[6],dcmd[7]);
//memcpy(ecmd, dcmd, sizeof(dcmd));
ReaderTransmit(dcmd, sizeof(dcmd), NULL);
int len = ReaderReceive(answer, answer_parity);
if(!len)
@ -165,7 +161,7 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
int len;
uint32_t pos;
uint8_t tmp4[4];
uint8_t par[1] = {0};
uint8_t par[1] = {0x00};
byte_t nr[4];
uint32_t nt, ntpp; // Supplied tag nonce
@ -210,7 +206,6 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN
if (ntptr)
*ntptr = nt;
// Generate (encrypted) nr+parity by loading it into the cipher (Nr)
par[0] = 0;
for (pos = 0; pos < 4; pos++)
@ -292,6 +287,7 @@ int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
// command MIFARE_CLASSIC_READBLOCK
len = mifare_sendcmd_short(NULL, 1, 0x30, blockNo, receivedAnswer, receivedAnswerPar, NULL);
if (len == 1) {
@ -318,7 +314,7 @@ int mifare_ultra_readblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
// variables
int len, i;
uint16_t len, i;
uint32_t pos;
uint8_t par[3] = {0}; // enough for 18 Bytes to send
byte_t res;
@ -367,7 +363,6 @@ int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
// variables
uint16_t len;
uint8_t par[3] = {0}; // enough for 18 parity bits
uint8_t d_block[18];
uint8_t* receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t* receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -400,7 +395,6 @@ int mifare_ultra_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *blockData)
{
uint16_t len;
uint8_t d_block[8];
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -424,10 +418,7 @@ int mifare_ultra_special_writeblock(uint32_t uid, uint8_t blockNo, uint8_t *bloc
int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
{
// variables
uint16_t len;
// Mifare HALT
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -443,8 +434,6 @@ int mifare_classic_halt(struct Crypto1State *pcs, uint32_t uid)
int mifare_ultra_halt(uint32_t uid)
{
uint16_t len;
// Mifare HALT
uint8_t *receivedAnswer = get_bigbufptr_recvrespbuf();
uint8_t *receivedAnswerPar = receivedAnswer + MAX_FRAME_SIZE;
@ -481,19 +470,16 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo)
// work with emulator memory
void emlSetMem(uint8_t *data, int blockNum, int blocksCount) {
uint8_t* emCARD = get_bigbufptr_emlcardmem();
memcpy(emCARD + blockNum * 16, data, blocksCount * 16);
}
void emlGetMem(uint8_t *data, int blockNum, int blocksCount) {
uint8_t* emCARD = get_bigbufptr_emlcardmem();
memcpy(data, emCARD + blockNum * 16, blocksCount * 16);
}
void emlGetMemBt(uint8_t *data, int bytePtr, int byteCount) {
uint8_t* emCARD = get_bigbufptr_emlcardmem();
memcpy(data, emCARD + bytePtr, byteCount);
}
@ -522,7 +508,6 @@ int emlGetValBl(uint32_t *blReg, uint8_t *blBlock, int blockNum) {
memcpy(blReg, data, 4);
*blBlock = data[12];
return 0;
}

5
armsrc/string.c
View file

@ -48,6 +48,11 @@ int memcmp(const void *av, const void *bv, int len)
return 0;
}
void memxor(uint8_t * dest, uint8_t * src, size_t len) {
for( ; len > 0; len--,dest++,src++)
*dest ^= *src;
}
int strlen(const char *str)
{
int l = 0;

8
armsrc/string.h
View file

@ -12,10 +12,14 @@
#ifndef __STRING_H
#define __STRING_H
#include <stdint.h>
#include <util.h>
int strlen(const char *str);
void *memcpy(void *dest, const void *src, int len);
RAMFUNC void *memcpy(void *dest, const void *src, int len);
void *memset(void *dest, int c, int len);
int memcmp(const void *av, const void *bv, int len);
RAMFUNC int memcmp(const void *av, const void *bv, int len);
void memxor(uint8_t * dest, uint8_t * src, size_t len);
char *strncat(char *dest, const char *src, unsigned int n);
char *strcat(char *dest, const char *src);
void strreverse(char s[]);

4
client/Makefile
View file

@ -13,9 +13,9 @@ CXX=g++
VPATH = ../common
OBJDIR = obj
LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread ../liblua/liblua.a
LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lm -lreadline -lpthread -lcrypto
LDFLAGS = $(COMMON_FLAGS)
CFLAGS = -std=c99 -lcrypto -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
CFLAGS = -std=c99 -I. -I../include -I../common -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4
LUAPLATFORM = generic
ifneq (,$(findstring MINGW,$(platform)))

100
client/cmddata.c
View file

@ -329,7 +329,7 @@ int CmdBiphaseDecodeRaw(const char *Cmd)
//prints binary found and saves in graphbuffer for further commands
int Cmdaskrawdemod(const char *Cmd)
{
uint32_t i;
int invert=0;
int clk=0;
uint8_t BitStream[MAX_GRAPH_TRACE_LEN]={0};
@ -340,7 +340,7 @@ int Cmdaskrawdemod(const char *Cmd)
}
int BitLen = getFromGraphBuf(BitStream);
int errCnt=0;
errCnt = askrawdemod(BitStream, &BitLen,&clk,&invert);
errCnt = askrawdemod(BitStream, &BitLen, &clk, &invert);
if (errCnt==-1){ //throw away static - allow 1 and -1 (in case of threshold command first)
PrintAndLog("no data found");
return 0;
@ -349,19 +349,14 @@ int Cmdaskrawdemod(const char *Cmd)
PrintAndLog("Using Clock: %d - invert: %d - Bits Found: %d",clk,invert,BitLen);
//PrintAndLog("Data start pos:%d, lastBit:%d, stop pos:%d, numBits:%d",iii,lastBit,i,bitnum);
//move BitStream back to GraphBuffer
setGraphBuf(BitStream, BitLen);
ClearGraph(0);
for (i=0; i < BitLen; ++i){
GraphBuffer[i]=BitStream[i];
}
GraphTraceLen=BitLen;
RepaintGraphWindow();
//output
if (errCnt>0){
PrintAndLog("# Errors during Demoding (shown as 77 in bit stream): %d",errCnt);
}
PrintAndLog("ASK demoded bitstream:");
// Now output the bitstream to the scrollback by line of 16 bits
printBitStream(BitStream,BitLen);
@ -477,10 +472,6 @@ int CmdBitstream(const char *Cmd)
bit ^= 1;
AppendGraph(0, clock, bit);
// for (j = 0; j < (int)(clock/2); j++)
// GraphBuffer[(i * clock) + j] = bit ^ 1;
// for (j = (int)(clock/2); j < clock; j++)
// GraphBuffer[(i * clock) + j] = bit;
}
RepaintGraphWindow();
@ -510,8 +501,6 @@ int CmdDec(const char *Cmd)
int CmdDetectClockRate(const char *Cmd)
{
GetClock("",0,0);
//int clock = DetectASKClock(0);
//PrintAndLog("Auto-detected clock rate: %d", clock);
return 0;
}
@ -773,8 +762,7 @@ int CmdFSKdemod(const char *Cmd) //old CmdFSKdemod needs updating
PrintAndLog("actual data bits start at sample %d", maxPos);
PrintAndLog("length %d/%d", highLen, lowLen);
uint8_t bits[46];
bits[sizeof(bits)-1] = '\0';
uint8_t bits[46] = {0x00};
// find bit pairs and manchester decode them
for (i = 0; i < arraylen(bits) - 1; ++i) {
@ -881,22 +869,21 @@ int CmdHpf(const char *Cmd)
int CmdSamples(const char *Cmd)
{
int cnt = 0;
int n;
uint8_t got[40000];
uint8_t got[40000] = {0x00};
n = strtol(Cmd, NULL, 0);
if (n == 0) n = 6000;
if (n > sizeof(got)) n = sizeof(got);
int n = strtol(Cmd, NULL, 0);
if (n == 0)
n = 20000;
PrintAndLog("Reading %d samples\n", n);
if (n > sizeof(got))
n = sizeof(got);
PrintAndLog("Reading %d samples from device memory\n", n);
GetFromBigBuf(got,n,0);
WaitForResponse(CMD_ACK,NULL);
for (int j = 0; j < n; j++) {
GraphBuffer[cnt++] = ((int)got[j]) - 128;
for (int j = 0; j < n; ++j) {
GraphBuffer[j] = ((int)got[j]) - 128;
}
PrintAndLog("Done!\n");
GraphTraceLen = n;
RepaintGraphWindow();
return 0;
@ -904,21 +891,52 @@ int CmdSamples(const char *Cmd)
int CmdTuneSamples(const char *Cmd)
{
int cnt = 0;
int n = 255;
uint8_t got[255];
int timeout = 0;
printf("\nMeasuring antenna characteristics, please wait...");
PrintAndLog("Reading %d samples\n", n);
GetFromBigBuf(got,n,7256); // armsrc/apps.h: #define FREE_BUFFER_OFFSET 7256
WaitForResponse(CMD_ACK,NULL);
for (int j = 0; j < n; j++) {
GraphBuffer[cnt++] = ((int)got[j]) - 128;
UsbCommand c = {CMD_MEASURE_ANTENNA_TUNING};
SendCommand(&c);
UsbCommand resp;
while(!WaitForResponseTimeout(CMD_MEASURED_ANTENNA_TUNING,&resp,1000)) {
timeout++;
printf(".");
if (timeout > 7) {
PrintAndLog("\nNo response from Proxmark. Aborting...");
return 1;
}
}
int peakv, peakf;
int vLf125, vLf134, vHf;
vLf125 = resp.arg[0] & 0xffff;
vLf134 = resp.arg[0] >> 16;
vHf = resp.arg[1] & 0xffff;;
peakf = resp.arg[2] & 0xffff;
peakv = resp.arg[2] >> 16;
PrintAndLog("");
PrintAndLog("# LF antenna: %5.2f V @ 125.00 kHz", vLf125/1000.0);
PrintAndLog("# LF antenna: %5.2f V @ 134.00 kHz", vLf134/1000.0);
PrintAndLog("# LF optimal: %5.2f V @%9.2f kHz", peakv/1000.0, 12000.0/(peakf+1));
PrintAndLog("# HF antenna: %5.2f V @ 13.56 MHz", vHf/1000.0);
if (peakv<2000)
PrintAndLog("# Your LF antenna is unusable.");
else if (peakv<10000)
PrintAndLog("# Your LF antenna is marginal.");
if (vHf<2000)
PrintAndLog("# Your HF antenna is unusable.");
else if (vHf<5000)
PrintAndLog("# Your HF antenna is marginal.");
for (int i = 0; i < 256; i++) {
GraphBuffer[i] = resp.d.asBytes[i] - 128;
}
PrintAndLog("Done! Divisor 89 is 134khz, 95 is 125khz.\n");
PrintAndLog("\n");
GraphTraceLen = n;
RepaintGraphWindow();
GraphTraceLen = 256;
ShowGraphWindow();
return 0;
}
@ -1340,8 +1358,8 @@ static command_t CommandTable[] =
{"help", CmdHelp, 1, "This help"},
{"amp", CmdAmp, 1, "Amplify peaks"},
{"askdemod", Cmdaskdemod, 1, "<0 or 1> -- Attempt to demodulate simple ASK tags"},
{"askmandemod", Cmdaskmandemod, 1, "[clock] [invert<0 or 1>] -- Attempt to demodulate ASK/Manchester tags and output binary (args optional[clock will try Auto-detect])"},
{"askrawdemod", Cmdaskrawdemod, 1, "[clock] [invert<0 or 1>] -- Attempt to demodulate ASK tags and output binary (args optional[clock will try Auto-detect])"},
{"askmandemod", Cmdaskmandemod, 1, "[clock] [invert <0|1>] -- Attempt to demodulate ASK/Manchester tags and output binary"},
{"askrawdemod", Cmdaskrawdemod, 1, "[clock] [invert <0|1>] -- Attempt to demodulate ASK tags and output binary"},
{"autocorr", CmdAutoCorr, 1, "<window length> -- Autocorrelation over window"},
{"biphaserawdecode",CmdBiphaseDecodeRaw,1,"[offset] Biphase decode binary stream already in graph buffer (offset = bit to start decode from)"},
{"bitsamples", CmdBitsamples, 0, "Get raw samples as bitstring"},

1
client/cmdhf.c
View file

@ -10,7 +10,6 @@
#include <stdio.h>
#include <string.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "graph.h"
#include "ui.h"

139
client/cmdhf14a.c
View file

@ -27,6 +27,108 @@
static int CmdHelp(const char *Cmd);
static void waitCmd(uint8_t iLen);
// structure and database for uid -> tagtype lookups
typedef struct {
uint8_t uid;
char* desc;
} manufactureName;
const manufactureName manufactureMapping[] = {
// ID, "Vendor Country"
{ 0x01, "Motorola UK" },
{ 0x02, "ST Microelectronics SA France" },
{ 0x03, "Hitachi, Ltd Japan" },
{ 0x04, "NXP Semiconductors Germany" },
{ 0x05, "Infineon Technologies AG Germany" },
{ 0x06, "Cylink USA" },
{ 0x07, "Texas Instrument France" },
{ 0x08, "Fujitsu Limited Japan" },
{ 0x09, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
{ 0x0A, "NEC Japan" },
{ 0x0B, "Oki Electric Industry Co. Ltd Japan" },
{ 0x0C, "Toshiba Corp. Japan" },
{ 0x0D, "Mitsubishi Electric Corp. Japan" },
{ 0x0E, "Samsung Electronics Co. Ltd Korea" },
{ 0x0F, "Hynix / Hyundai, Korea" },
{ 0x10, "LG-Semiconductors Co. Ltd Korea" },
{ 0x11, "Emosyn-EM Microelectronics USA" },
{ 0x12, "INSIDE Technology France" },
{ 0x13, "ORGA Kartensysteme GmbH Germany" },
{ 0x14, "SHARP Corporation Japan" },
{ 0x15, "ATMEL France" },
{ 0x16, "EM Microelectronic-Marin SA Switzerland" },
{ 0x17, "KSW Microtec GmbH Germany" },
{ 0x18, "ZMD AG Germany" },
{ 0x19, "XICOR, Inc. USA" },
{ 0x1A, "Sony Corporation Japan Identifier Company Country" },
{ 0x1B, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
{ 0x1C, "Emosyn USA" },
{ 0x1D, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
{ 0x1E, "Magellan Technology Pty Limited Australia" },
{ 0x1F, "Melexis NV BO Switzerland" },
{ 0x20, "Renesas Technology Corp. Japan" },
{ 0x21, "TAGSYS France" },
{ 0x22, "Transcore USA" },
{ 0x23, "Shanghai belling corp., ltd. China" },
{ 0x24, "Masktech Germany Gmbh Germany" },
{ 0x25, "Innovision Research and Technology Plc UK" },
{ 0x26, "Hitachi ULSI Systems Co., Ltd. Japan" },
{ 0x27, "Cypak AB Sweden" },
{ 0x28, "Ricoh Japan" },
{ 0x29, "ASK France" },
{ 0x2A, "Unicore Microsystems, LLC Russian Federation" },
{ 0x2B, "Dallas Semiconductor/Maxim USA" },
{ 0x2C, "Impinj, Inc. USA" },
{ 0x2D, "RightPlug Alliance USA" },
{ 0x2E, "Broadcom Corporation USA" },
{ 0x2F, "MStar Semiconductor, Inc Taiwan, ROC" },
{ 0x30, "BeeDar Technology Inc. USA" },
{ 0x31, "RFIDsec Denmark" },
{ 0x32, "Schweizer Electronic AG Germany" },
{ 0x33, "AMIC Technology Corp Taiwan" },
{ 0x34, "Mikron JSC Russia" },
{ 0x35, "Fraunhofer Institute for Photonic Microsystems Germany" },
{ 0x36, "IDS Microchip AG Switzerland" },
{ 0x37, "Kovio USA" },
{ 0x38, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
{ 0x39, "Silicon Craft Technology Thailand" },
{ 0x3A, "Advanced Film Device Inc. Japan" },
{ 0x3B, "Nitecrest Ltd UK" },
{ 0x3C, "Verayo Inc. USA" },
{ 0x3D, "HID Global USA" },
{ 0x3E, "Productivity Engineering Gmbh Germany" },
{ 0x3F, "Austriamicrosystems AG (reserved) Austria" },
{ 0x40, "Gemalto SA France" },
{ 0x41, "Renesas Electronics Corporation Japan" },
{ 0x42, "3Alogics Inc Korea" },
{ 0x43, "Top TroniQ Asia Limited Hong Kong" },
{ 0x44, "Gentag Inc (USA) USA" },
{ 0x00, "no tag-info available" } // must be the last entry
};
// get a product description based on the UID
// uid[8] tag uid
// returns description of the best match
static char* getTagInfo(uint8_t uid) {
int i, best = -1;
int len = sizeof(manufactureMapping) / sizeof(manufactureName);
for ( i = 0; i < len; ++i ) {
if ( uid == manufactureMapping[i].uid) {
if (best == -1) {
best = i;
}
}
}
if (best>=0) return manufactureMapping[best].desc;
return manufactureMapping[i].desc;
}
int CmdHF14AList(const char *Cmd)
{
PrintAndLog("Deprecated command, use 'hf list 14a' instead");
@ -65,8 +167,14 @@ int CmdHF14AReader(const char *Cmd)
PrintAndLog(" UID : %s", sprint_hex(card.uid, card.uidlen));
PrintAndLog(" SAK : %02x [%d]", card.sak, resp.arg[0]);
// Double & triple sized UID, can be mapped to a manufacturer.
if ( card.uidlen > 4 ) {
PrintAndLog("MANUFACTURER : %s", getTagInfo(card.uid[0]));
}
switch (card.sak) {
case 0x00: PrintAndLog("TYPE : NXP MIFARE Ultralight | Ultralight C"); break;
case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break;
case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break;
case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break;
case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break;
@ -82,7 +190,6 @@ int CmdHF14AReader(const char *Cmd)
default: ;
}
// try to request ATS even if tag claims not to support it
if (select_status == 2) {
uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
@ -97,13 +204,6 @@ int CmdHF14AReader(const char *Cmd)
card.ats_len = resp.arg[0]; // note: ats_len includes CRC Bytes
}
// disconnect
c.arg[0] = 0;
c.arg[1] = 0;
c.arg[2] = 0;
SendCommand(&c);
if(card.ats_len >= 3) { // a valid ATS consists of at least the length byte (TL) and 2 CRC bytes
bool ta1 = 0, tb1 = 0, tc1 = 0;
int pos;
@ -242,6 +342,24 @@ int CmdHF14AReader(const char *Cmd)
PrintAndLog("proprietary non iso14443-4 card found, RATS not supported");
}
// try to see if card responses to "chinese magic backdoor" commands.
c.cmd = CMD_MIFARE_CIDENT;
c.arg[0] = 0;
c.arg[1] = 0;
c.arg[2] = 0;
SendCommand(&c);
WaitForResponse(CMD_ACK,&resp);
uint8_t isOK = resp.arg[0] & 0xff;
PrintAndLog(" Answers to chinese magic backdoor commands: %s", (isOK ? "YES" : "NO") );
// disconnect
c.cmd = CMD_READER_ISO_14443a;
c.arg[0] = 0;
c.arg[1] = 0;
c.arg[2] = 0;
SendCommand(&c);
return select_status;
}
@ -301,6 +419,7 @@ int CmdHF14ASim(const char *Cmd)
PrintAndLog(" 2 = MIFARE Ultralight");
PrintAndLog(" 3 = MIFARE DESFIRE");
PrintAndLog(" 4 = ISO/IEC 14443-4");
PrintAndLog(" 5 = MIFARE TNP3XXX");
PrintAndLog("");
return 1;
}
@ -328,10 +447,6 @@ int CmdHF14ASim(const char *Cmd)
// At lease save the mandatory first part of the UID
c.arg[0] = long_uid & 0xffffffff;
// At lease save the mandatory first part of the UID
c.arg[0] = long_uid & 0xffffffff;
if (c.arg[1] == 0) {
PrintAndLog("Emulating ISO/IEC 14443 type A tag with UID %01d %08x %08x",c.arg[0],c.arg[1],c.arg[2]);
}

1
client/cmdhf14a.h
View file

@ -20,4 +20,5 @@ int CmdHF14AReader(const char *Cmd);
int CmdHF14ASim(const char *Cmd);
int CmdHF14ASnoop(const char *Cmd);
#endif

64
client/cmdhf14b.c
View file

@ -14,15 +14,16 @@
#include <string.h>
#include <stdint.h>
#include "iso14443crc.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "data.h"
#include "graph.h"
#include "util.h"
#include "ui.h"
#include "cmdparser.h"
#include "cmdhf14b.h"
#include "cmdmain.h"
static int CmdHelp(const char *Cmd);
int CmdHF14BDemod(const char *Cmd)
@ -387,6 +388,66 @@ int CmdHF14BCmdRaw (const char *cmd) {
return 0;
}
int CmdHF14BWrite( const char *Cmd){
/*
* For SRIX4K blocks 00 - 7F
* hf 14b raw -c -p 09 $srix4kwblock $srix4kwdata
*
* For SR512 blocks 00 - 0F
* hf 14b raw -c -p 09 $sr512wblock $sr512wdata
*
* Special block FF = otp_lock_reg block.
* Data len 4 bytes-
*/
char cmdp = param_getchar(Cmd, 0);
uint8_t blockno = -1;
uint8_t data[4] = {0x00};
bool isSrix4k = true;
char str[20];
if (cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf 14b write <1|2> <BLOCK> <DATA>");
PrintAndLog("");
PrintAndLog(" sample: hf 14b write 1 127 11223344");
PrintAndLog(" sample: hf 14b write 1 255 11223344");
PrintAndLog(" sample: hf 14b write 2 15 11223344");
PrintAndLog(" sample: hf 14b write 2 255 11223344");
return 0;
}
if ( param_getchar(Cmd, 0) == '2' )
isSrix4k = false;
blockno = param_get8(Cmd, 1);
if ( isSrix4k ){
if ( blockno > 0x7f && blockno != 0xff ){
PrintAndLog("Block number out of range");
return 0;
}
} else {
if ( blockno > 0x0f && blockno != 0xff ){
PrintAndLog("Block number out of range");
return 0;
}
}
if (param_gethex(Cmd, 2, data, 8)) {
PrintAndLog("Data must include 8 HEX symbols");
return 0;
}
if ( blockno == 0xff)
PrintAndLog("Writing to special block %02X [ %s]", blockno, sprint_hex(data,4) );
else
PrintAndLog("Writing to block %02X [ %s]", blockno, sprint_hex(data,4) );
sprintf(str, "-c -p 09 %02x %02x%02x%02x%02x", blockno, data[0], data[1], data[2], data[3]);
CmdHF14BCmdRaw(str);
return 0;
}
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
@ -399,6 +460,7 @@ static command_t CommandTable[] =
{"sri512read", CmdSri512Read, 0, "Read contents of a SRI512 tag"},
{"srix4kread", CmdSrix4kRead, 0, "Read contents of a SRIX4K tag"},
{"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"},
{"write", CmdHF14BWrite, 0, "Write data to a SRI512 | SRIX4K tag"},
{NULL, NULL, 0, NULL}
};

1
client/cmdhf14b.h
View file

@ -21,5 +21,6 @@ int CmdHFSimlisten(const char *Cmd);
int CmdHF14BSnoop(const char *Cmd);
int CmdSri512Read(const char *Cmd);
int CmdSrix4kRead(const char *Cmd);
int CmdHF14BWrite( const char *cmd);
#endif

172
client/cmdhf15.c
View file

@ -26,11 +26,12 @@
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "data.h"
#include "graph.h"
#include "ui.h"
#include "util.h"
#include "cmdparser.h"
#include "cmdhf15.h"
#include "iso15693tools.h"
@ -54,36 +55,135 @@ typedef struct {
const productName uidmapping[] = {
// UID, #significant Bits, "Vendor(+Product)"
{ 0xE001000000000000LL, 16, "Motorola" },
{ 0xE002000000000000LL, 16, "ST Microelectronics" },
{ 0xE003000000000000LL, 16, "Hitachi" },
{ 0xE004000000000000LL, 16, "Philips" },
{ 0xE004010000000000LL, 24, "Philips; IC SL2 ICS20" },
{ 0xE005000000000000LL, 16, "Infineon" },
{ 0xE005400000000000LL, 24, "Infineon; 56x32bit" },
{ 0xE006000000000000LL, 16, "Cylinc" },
{ 0xE007000000000000LL, 16, "Texas Instrument; " },
{ 0xE001000000000000LL, 16, "Motorola UK" },
// E0 02 xx
// 02 = ST Microelectronics
// XX = IC id (Chip ID Family)
{ 0xE002000000000000LL, 16, "ST Microelectronics SA France" },
{ 0xE002050000000000LL, 24, "ST Microelectronics; LRI64 [IC id = 05]"},
{ 0xE002080000000000LL, 24, "ST Microelectronics; LRI2K [IC id = 08]"},
{ 0xE0020A0000000000LL, 24, "ST Microelectronics; LRIS2K [IC id = 10]"},
{ 0xE002440000000000LL, 24, "ST Microelectronics; LRIS64K [IC id = 68]"},
{ 0xE003000000000000LL, 16, "Hitachi, Ltd Japan" },
// E0 04 xx
// 04 = Manufacturer code (Philips/NXP)
// XX = IC id (Chip ID Family)
//I-Code SLI SL2 ICS20 [IC id = 01]
//I-Code SLI-S [IC id = 02]
//I-Code SLI-L [IC id = 03]
//I-Code SLIX [IC id = 01 + bit36 set to 1 (starting from bit0 - different from normal SLI)]
//I-Code SLIX-S [IC id = 02 + bit36 set to 1]
//I-Code SLIX-L [IC id = 03 + bit36 set to 1]
{ 0xE004000000000000LL, 16, "NXP Semiconductors Germany (Philips)" },
{ 0xE004010000000000LL, 24, "NXP(Philips); IC SL2 ICS20/ICS21(SLI) ICS2002/ICS2102(SLIX)" },
{ 0xE004020000000000LL, 24, "NXP(Philips); IC SL2 ICS53/ICS54(SLI-S) ICS5302/ICS5402(SLIX-S)" },
{ 0xE004030000000000LL, 24, "NXP(Philips); IC SL2 ICS50/ICS51(SLI-L) ICS5002/ICS5102(SLIX-L)" },
// E0 05 XX .. .. ..
// 05 = Manufacturer code (Infineon)
// XX = IC id (Chip ID Family)
{ 0xE005000000000000LL, 16, "Infineon Technologies AG Germany" },
{ 0xE005A10000000000LL, 24, "Infineon; SRF55V01P [IC id = 161] plain mode 1kBit"},
{ 0xE005A80000000000LL, 24, "Infineon; SRF55V01P [IC id = 168] pilot series 1kBit"},
{ 0xE005400000000000LL, 24, "Infineon; SRF55V02P [IC id = 64] plain mode 2kBit"},
{ 0xE005000000000000LL, 24, "Infineon; SRF55V10P [IC id = 00] plain mode 10KBit"},
{ 0xE005500000000000LL, 24, "Infineon; SRF55V02S [IC id = 80] secure mode 2kBit"},
{ 0xE005100000000000LL, 24, "Infineon; SRF55V10S [IC id = 16] secure mode 10KBit"},
{ 0xE0051E0000000000LL, 23, "Infineon; SLE66r01P [IC id = 3x = My-d Move or My-d move NFC]"},
{ 0xE005200000000000LL, 21, "Infineon; SLE66r01P [IC id = 3x = My-d Move or My-d move NFC]"},
{ 0xE006000000000000LL, 16, "Cylink USA" },
// E0 07 xx
// 07 = Texas Instruments
// XX = from bit 41 to bit 43 = product configuration - from bit 44 to bit 47 IC id (Chip ID Family)
//Tag IT RFIDType-I Plus, 2kBit, TI Inlay
//Tag-it HF-I Plus Inlay [IC id = 00] -> b'0000 000 2kBit
//Tag-it HF-I Plus Chip [IC id = 64] -> b'1000 000 2kBit
//Tag-it HF-I Standard Chip / Inlays [IC id = 96] -> b'1100 000 256Bit
//Tag-it HF-I Pro Chip / Inlays [IC id = 98] -> b'1100 010 256Bit, Password protection
{ 0xE007000000000000LL, 16, "Texas Instrument France" },
{ 0xE007000000000000LL, 20, "Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit" },
{ 0xE007100000000000LL, 20, "Texas Instrument; Tag-it HF-I Plus Chip; 64x32bit" },
{ 0xE007800000000000LL, 23, "Texas Instrument; Tag-it HF-I Plus (RF-HDT-DVBB tag or Third Party Products)" },
{ 0xE007C00000000000LL, 23, "Texas Instrument; Tag-it HF-I Standard; 8x32bit" },
{ 0xE007C40000000000LL, 23, "Texas Instrument; Tag-it HF-I Pro; 8x23bit; password" },
{ 0xE008000000000000LL, 16, "Fujitsu" },
{ 0xE009000000000000LL, 16, "Matsushita" },
{ 0xE00A000000000000LL, 16, "NEC" },
{ 0xE00B000000000000LL, 16, "Oki Electric" },
{ 0xE00C000000000000LL, 16, "Toshiba" },
{ 0xE00D000000000000LL, 16, "Mitsubishi" },
{ 0xE00E000000000000LL, 16, "Samsung" },
{ 0xE00F000000000000LL, 16, "Hyundai" },
{ 0xE010000000000000LL, 16, "LG-Semiconductors" },
{ 0xE008000000000000LL, 16, "Fujitsu Limited Japan" },
{ 0xE009000000000000LL, 16, "Matsushita Electronics Corporation, Semiconductor Company Japan" },
{ 0xE00A000000000000LL, 16, "NEC Japan" },
{ 0xE00B000000000000LL, 16, "Oki Electric Industry Co. Ltd Japan" },
{ 0xE00C000000000000LL, 16, "Toshiba Corp. Japan" },
{ 0xE00D000000000000LL, 16, "Mitsubishi Electric Corp. Japan" },
{ 0xE00E000000000000LL, 16, "Samsung Electronics Co. Ltd Korea" },
{ 0xE00F000000000000LL, 16, "Hynix / Hyundai, Korea" },
{ 0xE010000000000000LL, 16, "LG-Semiconductors Co. Ltd Korea" },
{ 0xE011000000000000LL, 16, "Emosyn-EM Microelectronics USA" },
{ 0xE012000000000000LL, 16, "HID Corporation" },
{ 0xE016000000000000LL, 16, "EM-Marin SA (Skidata)" },
{ 0xE012000000000000LL, 16, "INSIDE Technology France" },
{ 0xE013000000000000LL, 16, "ORGA Kartensysteme GmbH Germany" },
{ 0xE014000000000000LL, 16, "SHARP Corporation Japan" },
{ 0xE015000000000000LL, 16, "ATMEL France" },
{ 0xE016000000000000LL, 16, "EM Microelectronic-Marin SA Switzerland (Skidata)" },
{ 0xE016040000000000LL, 24, "EM-Marin SA (Skidata Keycard-eco); EM4034? no 'read', just 'readmulti'" },
{ 0xE0160c0000000000LL, 24, "EM-Marin SA; EM4035?" },
{ 0xE016100000000000LL, 24, "EM-Marin SA (Skidata); EM4135; 36x64bit start page 13" },
{ 0xE016940000000000LL, 24, "EM-Marin SA (Skidata); 51x64bit" },
{ 0xE017000000000000LL, 16, "KSW Microtec GmbH Germany" },
{ 0xE018000000000000LL, 16, "ZMD AG Germany" },
{ 0xE019000000000000LL, 16, "XICOR, Inc. USA" },
{ 0xE01A000000000000LL, 16, "Sony Corporation Japan Identifier Company Country" },
{ 0xE01B000000000000LL, 16, "Malaysia Microelectronic Solutions Sdn. Bhd Malaysia" },
{ 0xE01C000000000000LL, 16, "Emosyn USA" },
{ 0xE01D000000000000LL, 16, "Shanghai Fudan Microelectronics Co. Ltd. P.R. China" },
{ 0xE01E000000000000LL, 16, "Magellan Technology Pty Limited Australia" },
{ 0xE01F000000000000LL, 16, "Melexis NV BO Switzerland" },
{ 0xE020000000000000LL, 16, "Renesas Technology Corp. Japan" },
{ 0xE021000000000000LL, 16, "TAGSYS France" },
{ 0xE022000000000000LL, 16, "Transcore USA" },
{ 0xE023000000000000LL, 16, "Shanghai belling corp., ltd. China" },
{ 0xE024000000000000LL, 16, "Masktech Germany Gmbh Germany" },
{ 0xE025000000000000LL, 16, "Innovision Research and Technology Plc UK" },
{ 0xE026000000000000LL, 16, "Hitachi ULSI Systems Co., Ltd. Japan" },
{ 0xE027000000000000LL, 16, "Cypak AB Sweden" },
{ 0xE028000000000000LL, 16, "Ricoh Japan" },
{ 0xE029000000000000LL, 16, "ASK France" },
{ 0xE02A000000000000LL, 16, "Unicore Microsystems, LLC Russian Federation" },
{ 0xE02B000000000000LL, 16, "Dallas Semiconductor/Maxim USA" },
{ 0xE02C000000000000LL, 16, "Impinj, Inc. USA" },
{ 0xE02D000000000000LL, 16, "RightPlug Alliance USA" },
{ 0xE02E000000000000LL, 16, "Broadcom Corporation USA" },
{ 0xE02F000000000000LL, 16, "MStar Semiconductor, Inc Taiwan, ROC" },
{ 0xE030000000000000LL, 16, "BeeDar Technology Inc. USA" },
{ 0xE031000000000000LL, 16, " RFIDsec Denmark" },
{ 0xE032000000000000LL, 16, " Schweizer Electronic AG Germany" },
{ 0xE033000000000000LL, 16, " AMIC Technology Corp Taiwan" },
{ 0xE034000000000000LL, 16, "Mikron JSC Russia" },
{ 0xE035000000000000LL, 16, "Fraunhofer Institute for Photonic Microsystems Germany" },
{ 0xE036000000000000LL, 16, "IDS Microchip AG Switzerland" },
{ 0xE037000000000000LL, 16, "Kovio USA" },
{ 0xE038000000000000LL, 16, "HMT Microelectronic Ltd Switzerland Identifier Company Country" },
{ 0xE039000000000000LL, 16, "Silicon Craft Technology Thailand" },
{ 0xE03A000000000000LL, 16, "Advanced Film Device Inc. Japan" },
{ 0xE03B000000000000LL, 16, "Nitecrest Ltd UK" },
{ 0xE03C000000000000LL, 16, "Verayo Inc. USA" },
{ 0xE03D000000000000LL, 16, "HID Global USA" },
{ 0xE03E000000000000LL, 16, "Productivity Engineering Gmbh Germany" },
{ 0xE03F000000000000LL, 16, "Austriamicrosystems AG (reserved) Austria" },
{ 0xE040000000000000LL, 16, "Gemalto SA France" },
{ 0xE041000000000000LL, 16, "Renesas Electronics Corporation Japan" },
{ 0xE042000000000000LL, 16, "3Alogics Inc Korea" },
{ 0xE043000000000000LL, 16, "Top TroniQ Asia Limited Hong Kong" },
{ 0xE044000000000000LL, 16, "Gentag Inc (USA) USA" },
{ 0,0,"no tag-info available" } // must be the last entry
};
@ -273,7 +373,28 @@ int CmdHF15Reader(const char *Cmd)
// Simulation is still not working very good
int CmdHF15Sim(const char *Cmd)
{
UsbCommand c = {CMD_SIMTAG_ISO_15693, {strtol(Cmd, NULL, 0), 0, 0}};
char cmdp = param_getchar(Cmd, 0);
uint8_t uid[8] = {0x00};
//E0 16 24 00 00 00 00 00
if (cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf 15 sim <UID>");
PrintAndLog("");
PrintAndLog(" sample: hf 15 sim E016240000000000");
return 0;
}
if (param_gethex(Cmd, 0, uid, 16)) {
PrintAndLog("UID must include 16 HEX symbols");
return 0;
}
PrintAndLog("Starting simulating UID %02X %02X %02X %02X %02X %02X %02X %02X",
uid[0],uid[1],uid[2],uid[3],uid[4], uid[5], uid[6], uid[7]);
UsbCommand c = {CMD_SIMTAG_ISO_15693, {0, 0, 0}};
memcpy(c.d.asBytes,uid,8);
SendCommand(&c);
return 0;
}
@ -324,7 +445,7 @@ int CmdHF15DumpMem(const char*Cmd) {
if (!(recv[0] & ISO15_RES_ERROR)) {
retry=0;
*output=0; // reset outputstring
sprintf(output, "Block %2i ",blocknum);
sprintf(output, "Block %02x ",blocknum);
for ( int i=1; i<resp.arg[0]-2; i++) { // data in hex
sprintf(output+strlen(output),"%02X ",recv[i]);
}
@ -421,8 +542,9 @@ int CmdHF15CmdInquiry(const char *Cmd)
int CmdHF15CmdDebug( const char *cmd) {
int debug=atoi(cmd);
if (strlen(cmd)<1) {
PrintAndLog("Usage: hf 15 cmd debug <0/1>");
PrintAndLog(" 0..no debugging output 1..turn debugging on");
PrintAndLog("Usage: hf 15 cmd debug <0|1>");
PrintAndLog(" 0 no debugging");
PrintAndLog(" 1 turn debugging on");
return 0;
}
@ -536,7 +658,7 @@ int CmdHF15CmdRaw (const char *cmd) {
int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) {
int temp;
uint8_t *req=c->d.asBytes;
uint8_t uid[8] = {0};
uint8_t uid[8] = {0x00};
uint32_t reqlen=0;
// strip

2
client/cmdhfepa.c
View file

@ -45,7 +45,7 @@ int CmdHFEPACollectPACENonces(const char *Cmd)
SendCommand(&c);
UsbCommand resp;
WaitForResponse(CMD_ACK,&resp);
WaitForResponse(CMD_ACK,&resp);
// check if command failed
if (resp.arg[0] != 0) {

1
client/cmdhficlass.c
View file

@ -16,7 +16,6 @@
#include <sys/stat.h>
#include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type
#include "data.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "cmdparser.h"

2
client/cmdhflegic.c
View file

@ -10,7 +10,6 @@
#include <stdio.h>
#include <string.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "data.h"
#include "ui.h"
@ -266,7 +265,6 @@ int CmdLegicSave(const char *Cmd)
int remainder = requested % 8;
requested = requested + 8 - remainder;
}
if (offset + requested > sizeof(got)) {
PrintAndLog("Tried to read past end of buffer, <bytes> + <offset> > 1024");
return 0;

60
client/cmdhfmf.c
View file

@ -36,7 +36,6 @@ start:
//flush queue
while (ukbhit()) getchar();
// wait cycle
while (true) {
printf(".");
@ -78,6 +77,7 @@ start:
num_to_bytes(r_key, 6, keyBlock);
isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);
}
if (!isOK)
PrintAndLog("Found valid key:%012"llx, r_key);
else
@ -88,6 +88,7 @@ start:
goto start;
}
PrintAndLog("");
return 0;
}
@ -437,7 +438,6 @@ int CmdHF14AMfRdSc(const char *Cmd)
return 0;
}
uint8_t FirstBlockOfSector(uint8_t sectorNo)
{
if (sectorNo < 32) {
@ -447,7 +447,6 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo)
}
}
uint8_t NumBlocksPerSector(uint8_t sectorNo)
{
if (sectorNo < 32) {
@ -457,7 +456,6 @@ uint8_t NumBlocksPerSector(uint8_t sectorNo)
}
}
int CmdHF14AMfDump(const char *Cmd)
{
uint8_t sectorNo, blockNo;
@ -497,8 +495,7 @@ int CmdHF14AMfDump(const char *Cmd)
return 1;
}
// Read key file
// Read keys A from file
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {
PrintAndLog("File reading error.");
@ -507,6 +504,7 @@ int CmdHF14AMfDump(const char *Cmd)
}
}
// Read keys B from file
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {
PrintAndLog("File reading error.");
@ -556,6 +554,7 @@ int CmdHF14AMfDump(const char *Cmd)
for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
bool received = false;
if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
@ -610,7 +609,6 @@ int CmdHF14AMfDump(const char *Cmd)
break;
}
}
}
if (isOK) {
@ -627,10 +625,8 @@ int CmdHF14AMfDump(const char *Cmd)
return 0;
}
int CmdHF14AMfRestore(const char *Cmd)
{
uint8_t sectorNo,blockNo;
uint8_t keyType = 0;
uint8_t key[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
@ -737,7 +733,6 @@ int CmdHF14AMfRestore(const char *Cmd)
return 0;
}
int CmdHF14AMfNested(const char *Cmd)
{
int i, j, res, iterations;
@ -886,6 +881,7 @@ int CmdHF14AMfNested(const char *Cmd)
PrintAndLog("-----------------------------------------------");
if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {
PrintAndLog("Nested error.\n");
free(e_sector);
return 2;
}
else {
@ -960,11 +956,9 @@ int CmdHF14AMfNested(const char *Cmd)
free(e_sector);
}
return 0;
}
int CmdHF14AMfChk(const char *Cmd)
{
if (strlen(Cmd)<3) {
@ -1021,7 +1015,6 @@ int CmdHF14AMfChk(const char *Cmd)
num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
}
if (param_getchar(Cmd, 0)=='*') {
blockNo = 3;
switch(param_getchar(Cmd+1, 0)) {
@ -1114,6 +1107,7 @@ int CmdHF14AMfChk(const char *Cmd)
PrintAndLog("File: %s: not found or locked.", filename);
free(keyBlock);
return 1;
}
}
}
@ -1191,11 +1185,10 @@ int CmdHF14AMfChk(const char *Cmd)
}
free(keyBlock);
PrintAndLog("");
return 0;
}
int CmdHF14AMf1kSim(const char *Cmd)
{
uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};
@ -1261,7 +1254,6 @@ int CmdHF14AMf1kSim(const char *Cmd)
return 0;
}
int CmdHF14AMfDbg(const char *Cmd)
{
int dbgMode = param_get32ex(Cmd, 0, 0, 10);
@ -1286,7 +1278,6 @@ int CmdHF14AMfDbg(const char *Cmd)
return 0;
}
int CmdHF14AMfEGet(const char *Cmd)
{
uint8_t blockNo = 0;
@ -1310,7 +1301,6 @@ int CmdHF14AMfEGet(const char *Cmd)
return 0;
}
int CmdHF14AMfEClear(const char *Cmd)
{
if (param_getchar(Cmd, 0) == 'h') {
@ -1383,7 +1373,7 @@ int CmdHF14AMfELoad(const char *Cmd)
// open file
f = fopen(filename, "r");
if (f == NULL) {
PrintAndLog("File not found or locked.");
PrintAndLog("File %s not found or locked", filename);
return 1;
}
@ -1407,8 +1397,8 @@ int CmdHF14AMfELoad(const char *Cmd)
}
for (i = 0; i < 32; i += 2) {
sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
// PrintAndLog("data[%02d]:%s", blockNum, sprint_hex(buf8, 16));
}
if (mfEmlSetMem(buf8, blockNum, 1)) {
PrintAndLog("Cant set emul block: %3d", blockNum);
fclose(f);
@ -1476,7 +1466,7 @@ int CmdHF14AMfESave(const char *Cmd)
break;
}
for (j = 0; j < 16; j++)
fprintf(f, "%02x", buf[j]);
fprintf(f, "%02X", buf[j]);
fprintf(f,"\n");
}
fclose(f);
@ -1554,8 +1544,8 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
int CmdHF14AMfCSetUID(const char *Cmd)
{
uint8_t wipeCard = 0;
uint8_t uid[8] = {0};
uint8_t oldUid[8]= {0};
uint8_t uid[8] = {0x00};
uint8_t oldUid[8] = {0x00};
int res;
if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
@ -1583,10 +1573,10 @@ int CmdHF14AMfCSetUID(const char *Cmd)
}
PrintAndLog("old UID:%s", sprint_hex(oldUid, 4));
PrintAndLog("new UID:%s", sprint_hex(uid, 4));
return 0;
}
int CmdHF14AMfCSetBlk(const char *Cmd)
{
uint8_t uid[8];
@ -1721,7 +1711,6 @@ int CmdHF14AMfCLoad(const char *Cmd)
}
}
int CmdHF14AMfCGetBlk(const char *Cmd) {
uint8_t memBlock[16];
uint8_t blockNo = 0;
@ -1877,7 +1866,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
int CmdHF14AMfSniff(const char *Cmd){
// params
bool wantLogToFile = 0;
bool wantDecrypt = 0;
//bool wantSaveToEml = 0; TODO
@ -1904,8 +1893,8 @@ int CmdHF14AMfSniff(const char *Cmd){
PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");
PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`");
PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory");
PrintAndLog(" r - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");
PrintAndLog("Usage: hf mf sniff [l][d][e][r]");
PrintAndLog(" f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`");
PrintAndLog("Usage: hf mf sniff [l][d][e][f]");
PrintAndLog(" sample: hf mf sniff l d e");
return 0;
}
@ -1961,8 +1950,9 @@ int CmdHF14AMfSniff(const char *Cmd){
PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);
num = 0;
while (bufPtr - buf < blockLen) {
bufPtr += 6; // ignore void timing information
bufPtr += 6;
len = *((uint16_t *)bufPtr);
if(len & 0x8000) {
isTag = true;
len &= 0x7fff;
@ -1971,6 +1961,7 @@ int CmdHF14AMfSniff(const char *Cmd){
}
bufPtr += 2;
if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {
memcpy(uid, bufPtr + 2, 7);
memcpy(atqa, bufPtr + 2 + 7, 2);
uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;
@ -1985,18 +1976,21 @@ int CmdHF14AMfSniff(const char *Cmd){
FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);
AddLogCurrentDT(logHexFileName);
}
if (wantDecrypt) mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);
if (wantDecrypt)
mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);
} else {
PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));
if (wantLogToFile) AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
if (wantDecrypt) mfTraceDecode(bufPtr, len, wantSaveToEmlFile);
if (wantLogToFile)
AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);
if (wantDecrypt)
mfTraceDecode(bufPtr, len, wantSaveToEmlFile);
}
bufPtr += len;
bufPtr += ((len-1)/8+1); // ignore parity
num++;
}
}
} // resp not NILL
} // resp not NULL
} // while (true)
return 0;

1
client/cmdhfmf.h
View file

@ -18,7 +18,6 @@
#include "proxmark3.h"
#include "iso14443crc.h"
#include "data.h"
//#include "proxusb.h"
#include "ui.h"
#include "cmdparser.h"
#include "common.h"

4
client/cmdhw.c
View file

@ -13,9 +13,9 @@
#include <string.h>
#include <limits.h>
#include "ui.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "cmdparser.h"
#include "cmddata.h"
#include "cmdhw.h"
#include "cmdmain.h"
#include "cmddata.h"
@ -418,7 +418,7 @@ static command_t CommandTable[] =
{"setlfdivisor", CmdSetDivisor, 0, "<19 - 255> -- Drive LF antenna at 12Mhz/(divisor+1)"},
{"setmux", CmdSetMux, 0, "<loraw|hiraw|lopkd|hipkd> -- Set the ADC mux to a specific value"},
{"tune", CmdTune, 0, "Measure antenna tuning"},
{"version", CmdVersion, 0, "Show version inforation about the connected Proxmark"},
{"version", CmdVersion, 0, "Show version information about the connected Proxmark"},
{NULL, NULL, 0, NULL}
};

127
client/cmdlf.c
View file

@ -12,7 +12,6 @@
#include <stdlib.h>
#include <string.h>
#include <limits.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "data.h"
#include "graph.h"
@ -71,28 +70,24 @@ int CmdFlexdemod(const char *Cmd)
}
}
if (start == GraphTraceLen - LONG_WAIT) {
PrintAndLog("nothing to wait for");
//PrintAndLog("nothing to wait for");
return 0;
}
GraphBuffer[start] = 2;
GraphBuffer[start+1] = -2;
uint8_t bits[64] = {0x00};
uint8_t bits[64];
int bit;
int bit, sum;
i = start;
for (bit = 0; bit < 64; bit++) {
int j;
int sum = 0;
for (j = 0; j < 16; j++) {
sum = 0;
for (int j = 0; j < 16; j++) {
sum += GraphBuffer[i++];
}
if (sum > 0) {
bits[bit] = 1;
} else {
bits[bit] = 0;
}
bits[bit] = (sum > 0) ? 1 : 0;
PrintAndLog("bit %d sum %d", bit, sum);
}
@ -110,15 +105,14 @@ int CmdFlexdemod(const char *Cmd)
}
}
// HACK writing back to graphbuffer.
GraphTraceLen = 32*64;
i = 0;
int phase = 0;
for (bit = 0; bit < 64; bit++) {
if (bits[bit] == 0) {
phase = 0;
} else {
phase = 1;
}
phase = (bits[bit] == 0) ? 0 : 1;
int j;
for (j = 0; j < 32; j++) {
GraphBuffer[i++] = phase;
@ -137,8 +131,10 @@ int CmdIndalaDemod(const char *Cmd)
int state = -1;
int count = 0;
int i, j;
// worst case with GraphTraceLen=64000 is < 4096
// under normal conditions it's < 2048
uint8_t rawbits[4096];
int rawbit = 0;
int worst = 0, worstPos = 0;
@ -171,10 +167,14 @@ int CmdIndalaDemod(const char *Cmd)
count = 0;
}
}
if (rawbit>0){
PrintAndLog("Recovered %d raw bits, expected: %d", rawbit, GraphTraceLen/32);
PrintAndLog("worst metric (0=best..7=worst): %d at pos %d", worst, worstPos);
} else return 0;
} else {
return 0;
}
// Finding the start of a UID
int uidlen, long_wait;
if (strcmp(Cmd, "224") == 0) {
@ -184,6 +184,7 @@ int CmdIndalaDemod(const char *Cmd)
uidlen = 64;
long_wait = 29;
}
int start;
int first = 0;
for (start = 0; start <= rawbit - uidlen; start++) {
@ -197,8 +198,9 @@ int CmdIndalaDemod(const char *Cmd)
break;
}
}
if (start == rawbit - uidlen + 1) {
PrintAndLog("nothing to wait for");
//PrintAndLog("nothing to wait for");
return 0;
}
@ -210,12 +212,12 @@ int CmdIndalaDemod(const char *Cmd)
}
// Dumping UID
uint8_t bits[224];
char showbits[225];
showbits[uidlen]='\0';
uint8_t bits[224] = {0x00};
char showbits[225] = {0x00};
int bit;
i = start;
int times = 0;
if (uidlen > rawbit) {
PrintAndLog("Warning: not enough raw bits to get a full UID");
for (bit = 0; bit < rawbit; bit++) {
@ -237,8 +239,8 @@ int CmdIndalaDemod(const char *Cmd)
//convert UID to HEX
uint32_t uid1, uid2, uid3, uid4, uid5, uid6, uid7;
int idx;
uid1=0;
uid2=0;
uid1 = uid2 = 0;
if (uidlen==64){
for( idx=0; idx<64; idx++) {
if (showbits[idx] == '0') {
@ -252,11 +254,8 @@ int CmdIndalaDemod(const char *Cmd)
PrintAndLog("UID=%s (%x%08x)", showbits, uid1, uid2);
}
else {
uid3=0;
uid4=0;
uid5=0;
uid6=0;
uid7=0;
uid3 = uid4 = uid5 = uid6 = uid7 = 0;
for( idx=0; idx<224; idx++) {
uid1=(uid1<<1)|(uid2>>31);
uid2=(uid2<<1)|(uid3>>31);
@ -264,15 +263,19 @@ int CmdIndalaDemod(const char *Cmd)
uid4=(uid4<<1)|(uid5>>31);
uid5=(uid5<<1)|(uid6>>31);
uid6=(uid6<<1)|(uid7>>31);
if (showbits[idx] == '0') uid7=(uid7<<1)|0;
else uid7=(uid7<<1)|1;
if (showbits[idx] == '0')
uid7 = (uid7<<1) | 0;
else
uid7 = (uid7<<1) | 1;
}
PrintAndLog("UID=%s (%x%08x%08x%08x%08x%08x%08x)", showbits, uid1, uid2, uid3, uid4, uid5, uid6, uid7);
}
// Checking UID against next occurrences
for (; i + uidlen <= rawbit;) {
int failed = 0;
for (; i + uidlen <= rawbit;) {
failed = 0;
for (bit = 0; bit < uidlen; bit++) {
if (bits[bit] != rawbits[i++]) {
failed = 1;
@ -284,9 +287,12 @@ int CmdIndalaDemod(const char *Cmd)
}
times += 1;
}
PrintAndLog("Occurrences: %d (expected %d)", times, (rawbit - start) / uidlen);
// Remodulating for tag cloning
// HACK: 2015-01-04 this will have an impact on our new way of seening lf commands (demod)
// since this changes graphbuffer data.
GraphTraceLen = 32*uidlen;
i = 0;
int phase = 0;
@ -309,15 +315,10 @@ int CmdIndalaDemod(const char *Cmd)
int CmdIndalaClone(const char *Cmd)
{
unsigned int uid1, uid2, uid3, uid4, uid5, uid6, uid7;
UsbCommand c;
uid1=0;
uid2=0;
uid3=0;
uid4=0;
uid5=0;
uid6=0;
uid7=0;
unsigned int uid1, uid2, uid3, uid4, uid5, uid6, uid7;
uid1 = uid2 = uid3 = uid4 = uid5 = uid6 = uid7 = 0;
int n = 0, i = 0;
if (strchr(Cmd,'l') != 0) {
@ -339,9 +340,7 @@ int CmdIndalaClone(const char *Cmd)
c.d.asDwords[4] = uid5;
c.d.asDwords[5] = uid6;
c.d.asDwords[6] = uid7;
}
else
{
} else {
while (sscanf(&Cmd[i++], "%1x", &n ) == 1) {
uid1 = (uid1 << 4) | (uid2 >> 28);
uid2 = (uid2 << 4) | (n & 0xf);
@ -359,13 +358,16 @@ int CmdIndalaClone(const char *Cmd)
int CmdLFRead(const char *Cmd)
{
UsbCommand c = {CMD_ACQUIRE_RAW_ADC_SAMPLES_125K};
// 'h' means higher-low-frequency, 134 kHz
if(*Cmd == 'h') {
c.arg[0] = 1;
} else if (*Cmd == '\0') {
c.arg[0] = 0;
} else if (sscanf(Cmd, "%"lli, &c.arg[0]) != 1) {
PrintAndLog("use 'read' or 'read h', or 'read <divisor>'");
PrintAndLog("Samples 1: 'lf read'");
PrintAndLog(" 2: 'lf read h'");
PrintAndLog(" 3: 'lf read <divisor>'");
return 0;
}
SendCommand(&c);
@ -390,7 +392,7 @@ static void ChkBitstream(const char *str)
int CmdLFSim(const char *Cmd)
{
int i;
int i,j;
static int gap;
sscanf(Cmd, "%i", &gap);
@ -398,18 +400,20 @@ int CmdLFSim(const char *Cmd)
/* convert to bitstream if necessary */
ChkBitstream(Cmd);
PrintAndLog("Sending data, please wait...");
for (i = 0; i < GraphTraceLen; i += 48) {
printf("Sending [%d bytes]", GraphTraceLen);
for (i = 0; i < GraphTraceLen; i += USB_CMD_DATA_SIZE) {
UsbCommand c={CMD_DOWNLOADED_SIM_SAMPLES_125K, {i, 0, 0}};
int j;
for (j = 0; j < 48; j++) {
for (j = 0; j < USB_CMD_DATA_SIZE; j++) {
c.d.asBytes[j] = GraphBuffer[i+j];
}
SendCommand(&c);
WaitForResponse(CMD_ACK,NULL);
printf(".");
}
PrintAndLog("Starting simulator...");
printf("\n");
PrintAndLog("Starting to simulate");
UsbCommand c = {CMD_SIMULATE_TAG_125K, {GraphTraceLen, gap, 0}};
SendCommand(&c);
return 0;
@ -417,7 +421,9 @@ int CmdLFSim(const char *Cmd)
int CmdLFSimBidir(const char *Cmd)
{
/* Set ADC to twice the carrier for a slight supersampling */
// Set ADC to twice the carrier for a slight supersampling
// HACK: not implemented in ARMSRC.
PrintAndLog("Not implemented yet.");
UsbCommand c = {CMD_LF_SIMULATE_BIDIR, {47, 384, 0}};
SendCommand(&c);
return 0;
@ -429,23 +435,17 @@ int CmdLFSimManchester(const char *Cmd)
static int clock, gap;
static char data[1024], gapstring[8];
/* get settings/bits */
sscanf(Cmd, "%i %s %i", &clock, &data[0], &gap);
/* clear our graph */
ClearGraph(0);
/* fill it with our bitstream */
for (int i = 0; i < strlen(data) ; ++i)
AppendGraph(0, clock, data[i]- '0');
/* modulate */
CmdManchesterMod("");
/* show what we've done */
RepaintGraphWindow();
/* simulate */
sprintf(&gapstring[0], "%i", gap);
CmdLFSim(gapstring);
return 0;
@ -454,20 +454,23 @@ int CmdLFSimManchester(const char *Cmd)
int CmdLFSnoop(const char *Cmd)
{
UsbCommand c = {CMD_LF_SNOOP_RAW_ADC_SAMPLES};
// 'h' means higher-low-frequency, 134 kHz
c.arg[0] = 0;
c.arg[1] = -1;
if (*Cmd == 0) {
// empty
} else if (*Cmd == 'l') {
if (*Cmd == 'l') {
sscanf(Cmd, "l %"lli, &c.arg[1]);
} else if(*Cmd == 'h') {
c.arg[0] = 1;
sscanf(Cmd, "h %"lli, &c.arg[1]);
} else if (sscanf(Cmd, "%"lli" %"lli, &c.arg[0], &c.arg[1]) < 1) {
PrintAndLog("use 'snoop' or 'snoop {l,h} [trigger threshold]', or 'snoop <divisor> [trigger threshold]'");
PrintAndLog("usage 1: snoop");
PrintAndLog(" 2: snoop {l,h} [trigger threshold]");
PrintAndLog(" 3: snoop <divisor> [trigger threshold]");
return 0;
}
SendCommand(&c);
WaitForResponse(CMD_ACK,NULL);
return 0;

99
client/cmdlfem4x.c
View file

@ -11,31 +11,31 @@
#include <stdio.h>
#include <string.h>
#include <inttypes.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "graph.h"
#include "cmdmain.h"
#include "cmdparser.h"
#include "cmddata.h"
#include "cmdlf.h"
#include "cmdlfem4x.h"
#include "util.h"
#include "data.h"
#define LF_TRACE_BUFF_SIZE 12000
#define LF_BITSSTREAM_LEN 1000
static int CmdHelp(const char *Cmd);
int CmdEMdemodASK(const char *Cmd)
{
int findone=0;
char cmdp = param_getchar(Cmd, 0);
int findone = (cmdp == '1') ? 1 : 0;
UsbCommand c={CMD_EM410X_DEMOD};
if(Cmd[0]=='1') findone=1;
c.arg[0]=findone;
SendCommand(&c);
return 0;
}
/* Read the ID of an EM410x tag.
* Format:
* 1111 1111 1 <-- standard non-repeatable header
@ -48,8 +48,8 @@ int CmdEM410xRead(const char *Cmd)
{
int i, j, clock, header, rows, bit, hithigh, hitlow, first, bit2idx, high, low;
int parity[4];
char id[11];
char id2[11];
char id[11] = {0x00};
char id2[11] = {0x00};
int retested = 0;
uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
high = low = 0;
@ -81,9 +81,9 @@ int CmdEM410xRead(const char *Cmd)
/* Find out if we hit both high and low peaks */
for (j = 0; j < clock; j++)
{
if (GraphBuffer[(i * clock) + j] == high)
if (GraphBuffer[(i * clock) + j] >= high)
hithigh = 1;
else if (GraphBuffer[(i * clock) + j] == low)
else if (GraphBuffer[(i * clock) + j] <= low)
hitlow = 1;
/* it doesn't count if it's the first part of our read
@ -181,8 +181,10 @@ retest:
}
/* if we've already retested after flipping bits, return */
if (retested++)
if (retested++){
PrintAndLog("Failed to decode");
return 0;
}
/* if this didn't work, try flipping bits */
for (i = 0; i < bit2idx; i++)
@ -201,7 +203,25 @@ retest:
*/
int CmdEM410xSim(const char *Cmd)
{
int i, n, j, h, binary[4], parity[4];
int i, n, j, binary[4], parity[4];
char cmdp = param_getchar(Cmd, 0);
uint8_t uid[5] = {0x00};
if (cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: lf em4x 410xsim <UID>");
PrintAndLog("");
PrintAndLog(" sample: lf em4x 410xsim 0F0368568B");
return 0;
}
if (param_gethex(Cmd, 0, uid, 10)) {
PrintAndLog("UID must include 10 HEX symbols");
return 0;
}
PrintAndLog("Starting simulating UID %02X%02X%02X%02X%02X", uid[0],uid[1],uid[2],uid[3],uid[4]);
PrintAndLog("Press pm3-button to about simulation");
/* clock is 64 in EM410x tags */
int clock = 64;
@ -209,9 +229,6 @@ int CmdEM410xSim(const char *Cmd)
/* clear our graph */
ClearGraph(0);
/* write it out a few times */
for (h = 0; h < 4; h++)
{
/* write 9 start bits */
for (i = 0; i < 9; i++)
AppendGraph(0, clock, 1);
@ -248,38 +265,38 @@ int CmdEM410xSim(const char *Cmd)
AppendGraph(0, clock, parity[3]);
/* stop bit */
AppendGraph(0, clock, 0);
}
AppendGraph(1, clock, 0);
/* modulate that biatch */
CmdManchesterMod("");
/* booyah! */
RepaintGraphWindow();
CmdLFSim("");
CmdLFSim("240"); //240 start_gap.
return 0;
}
/* Function is equivalent of loread + losamples + em410xread
* looped until an EM410x tag is detected */
/* Function is equivalent of lf read + data samples + em410xread
* looped until an EM410x tag is detected
*
* Why is CmdSamples("16000")?
* TBD: Auto-grow sample size based on detected sample rate. IE: If the
* rate gets lower, then grow the number of samples
* Changed by martin, 4000 x 4 = 16000,
* see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
*/
int CmdEM410xWatch(const char *Cmd)
{
int read_h = (*Cmd == 'h');
do
{
CmdLFRead(read_h ? "h" : "");
// 2000 samples is OK for clock=64, but not clock=32. Probably want
// 8000 for clock=16. Don't want to go too high since old HID driver
// is very slow
// TBD: Auto-grow sample size based on detected sample rate. IE: If the
// rate gets lower, then grow the number of samples
char cmdp = param_getchar(Cmd, 0);
int read_h = (cmdp == 'h');
do {
if (ukbhit()) {
printf("\naborted via keyboard!\n");
break;
}
// Changed by martin, 4000 x 4 = 16000,
// see http://www.proxmark.org/forum/viewtopic.php?pid=7235#p7235
CmdSamples("16000");
} while ( ! CmdEM410xRead(""));
return 0;
CmdLFRead(read_h ? "h" : "");
CmdSamples("6000");
} while (
!CmdEM410xRead("")
);
return 0;
}
/* Read the transmitted data of an EM4x50 tag

4
client/cmdlfhid.c
View file

@ -10,7 +10,6 @@
#include <stdio.h>
#include <string.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "graph.h"
@ -41,8 +40,8 @@ int CmdHIDDemod(const char *Cmd)
int CmdHIDDemodFSK(const char *Cmd)
{
int findone=0;
if(Cmd[0]=='1') findone=1;
UsbCommand c={CMD_HID_DEMOD_FSK};
if(Cmd[0]=='1') findone=1;
c.arg[0]=findone;
SendCommand(&c);
return 0;
@ -59,6 +58,7 @@ int CmdHIDSim(const char *Cmd)
}
PrintAndLog("Emulating tag with ID %x%16x", hi, lo);
PrintAndLog("Press pm3-button to abort simulation");
UsbCommand c = {CMD_HID_SIM_TAG, {hi, lo, 0}};
SendCommand(&c);

7
client/cmdlfhitag.c
View file

@ -12,7 +12,6 @@
#include <stdlib.h>
#include <string.h>
#include "data.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "cmdparser.h"
@ -225,7 +224,7 @@ int CmdLFHitagReader(const char *Cmd) {
return 0;
}
static command_t CommandTableHitag[] =
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
{"list", CmdLFHitagList, 1, "List Hitag trace history"},
@ -237,12 +236,12 @@ static command_t CommandTableHitag[] =
int CmdLFHitag(const char *Cmd)
{
CmdsParse(CommandTableHitag, Cmd);
CmdsParse(CommandTable, Cmd);
return 0;
}
int CmdHelp(const char *Cmd)
{
CmdsHelp(CommandTableHitag);
CmdsHelp(CommandTable);
return 0;
}

12
client/cmdlfio.c
View file

@ -3,7 +3,6 @@
#include <string.h>
#include <inttypes.h>
#include <limits.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "data.h"
#include "graph.h"
@ -19,26 +18,21 @@ int CmdIODemodFSK(const char *Cmd)
{
int findone=0;
if(Cmd[0]=='1') findone=1;
UsbCommand c={CMD_IO_DEMOD_FSK};
c.arg[0]=findone;
SendCommand(&c);
return 0;
}
int CmdIOProxDemod(const char *Cmd){
if (GraphTraceLen < 4800) {
PrintAndLog("too short; need at least 4800 samples");
return 0;
}
GraphTraceLen = 4800;
for (int i = 0; i < GraphTraceLen; ++i) {
if (GraphBuffer[i] < 0) {
GraphBuffer[i] = 0;
} else {
GraphBuffer[i] = 1;
}
GraphBuffer[i] = (GraphBuffer[i] < 0) ? 0 : 1;
}
RepaintGraphWindow();
return 0;
@ -61,7 +55,7 @@ int CmdIOClone(const char *Cmd)
}
PrintAndLog("Cloning tag with ID %08x %08x", hi, lo);
PrintAndLog("Press pm3-button to abort simulation");
c.cmd = CMD_IO_CLONE_TAG;
c.arg[0] = hi;
c.arg[1] = lo;

1
client/cmdlfpcf7931.c
View file

@ -10,7 +10,6 @@
#include <stdio.h>
#include <string.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "graph.h"

1
client/cmdlft55xx.c
View file

@ -10,7 +10,6 @@
#include <stdio.h>
#include <string.h>
#include <inttypes.h>
//#include "proxusb.h"
#include "proxmark3.h"
#include "ui.h"
#include "graph.h"

1
client/cmdlfti.c
View file

@ -11,7 +11,6 @@
#include <stdio.h>
#include <stdlib.h>
#include "crc16.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "data.h"
#include "ui.h"

93
client/cmdmain.c
View file

@ -28,9 +28,6 @@
unsigned int current_command = CMD_UNKNOWN;
//unsigned int received_command = CMD_UNKNOWN;
//UsbCommand current_response;
//UsbCommand current_response_user;
static int CmdHelp(const char *Cmd);
static int CmdQuit(const char *Cmd);
@ -47,9 +44,9 @@ static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help. Use '<command> help' for details of a particular command."},
{"data", CmdData, 1, "{ Plot window / data buffer manipulation... }"},
{"hf", CmdHF, 1, "{ HF commands... }"},
{"hf", CmdHF, 1, "{ High Frequency commands... }"},
{"hw", CmdHW, 1, "{ Hardware commands... }"},
{"lf", CmdLF, 1, "{ LF commands... }"},
{"lf", CmdLF, 1, "{ Low Frequency commands... }"},
{"script", CmdScript, 1,"{ Scripting commands }"},
{"quit", CmdQuit, 1, "Exit program"},
{"exit", CmdQuit, 1, "Exit program"},
@ -134,22 +131,17 @@ int getCommand(UsbCommand* response)
*/
bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout) {
UsbCommand resp;
UsbCommand resp;
if (response == NULL)
response = &resp;
if (response == NULL) {
response = &resp;
}
// Wait until the command is received
for(size_t dm_seconds=0; dm_seconds < ms_timeout/10; dm_seconds++) {
// Wait until the command is received
for(size_t dm_seconds=0; dm_seconds < ms_timeout/10; dm_seconds++) {
while(getCommand(response))
{
while(getCommand(response)) {
if(response->cmd == cmd){
//We got what we expected
return true;
}
}
msleep(10); // XXX ugh
if (dm_seconds == 200) { // Two seconds elapsed
@ -178,25 +170,12 @@ void CommandReceived(char *Cmd) {
//-----------------------------------------------------------------------------
void UsbCommandReceived(UsbCommand *UC)
{
/*
// Debug
printf("UsbCommand length[len=%zd]\n",sizeof(UsbCommand));
printf(" cmd[len=%zd]: %"llx"\n",sizeof(UC->cmd),UC->cmd);
printf(" arg0[len=%zd]: %"llx"\n",sizeof(UC->arg[0]),UC->arg[0]);
printf(" arg1[len=%zd]: %"llx"\n",sizeof(UC->arg[1]),UC->arg[1]);
printf(" arg2[len=%zd]: %"llx"\n",sizeof(UC->arg[2]),UC->arg[2]);
printf(" data[len=%zd]: %02x%02x%02x...\n",sizeof(UC->d.asBytes),UC->d.asBytes[0],UC->d.asBytes[1],UC->d.asBytes[2]);
*/
// printf("%s(%x) current cmd = %x\n", __FUNCTION__, c->cmd, current_command);
// If we recognize a response, return to avoid further processing
switch(UC->cmd) {
// First check if we are handling a debug message
case CMD_DEBUG_PRINT_STRING: {
char s[USB_CMD_DATA_SIZE+1];
char s[USB_CMD_DATA_SIZE+1] = {0x00};
size_t len = MIN(UC->arg[0],USB_CMD_DATA_SIZE);
memcpy(s,UC->d.asBytes,len);
s[len] = 0x00;
PrintAndLog("#db# %s ", s);
return;
} break;
@ -206,67 +185,15 @@ void UsbCommandReceived(UsbCommand *UC)
return;
} break;
// case CMD_MEASURED_ANTENNA_TUNING: {
// int peakv, peakf;
// int vLf125, vLf134, vHf;
// vLf125 = UC->arg[0] & 0xffff;
// vLf134 = UC->arg[0] >> 16;
// vHf = UC->arg[1] & 0xffff;;
// peakf = UC->arg[2] & 0xffff;
// peakv = UC->arg[2] >> 16;
// PrintAndLog("");
// PrintAndLog("# LF antenna: %5.2f V @ 125.00 kHz", vLf125/1000.0);
// PrintAndLog("# LF antenna: %5.2f V @ 134.00 kHz", vLf134/1000.0);
// PrintAndLog("# LF optimal: %5.2f V @%9.2f kHz", peakv/1000.0, 12000.0/(peakf+1));
// PrintAndLog("# HF antenna: %5.2f V @ 13.56 MHz", vHf/1000.0);
// if (peakv<2000)
// PrintAndLog("# Your LF antenna is unusable.");
// else if (peakv<10000)
// PrintAndLog("# Your LF antenna is marginal.");
// if (vHf<2000)
// PrintAndLog("# Your HF antenna is unusable.");
// else if (vHf<5000)
// PrintAndLog("# Your HF antenna is marginal.");
// } break;
case CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K: {
// printf("received samples: ");
// print_hex(UC->d.asBytes,512);
sample_buf_len += UC->arg[1];
// printf("samples: %zd offset: %d\n",sample_buf_len,UC->arg[0]);
memcpy(sample_buf+(UC->arg[0]),UC->d.asBytes,UC->arg[1]);
} break;
// case CMD_ACK: {
// PrintAndLog("Receive ACK\n");
// } break;
default: {
// Maybe it's a response
/*
switch(current_command) {
case CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K: {
if (UC->cmd != CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K) {
PrintAndLog("unrecognized command %08x\n", UC->cmd);
break;
}
// int i;
PrintAndLog("received samples %d\n",UC->arg[0]);
memcpy(sample_buf+UC->arg[0],UC->d.asBytes,48);
sample_buf_len += 48;
// for(i=0; i<48; i++) sample_buf[i] = UC->d.asBytes[i];
//received_command = UC->cmd;
} break;
default: {
} break;
}*/
}
default:
break;
}
storeCommand(UC);
}

17
client/data.c
View file

@ -12,7 +12,6 @@
#include <stdint.h>
#include "data.h"
#include "ui.h"
//#include "proxusb.h"
#include "proxmark3.h"
#include "cmdmain.h"
@ -23,22 +22,6 @@ void GetFromBigBuf(uint8_t *dest, int bytes, int start_index)
{
sample_buf_len = 0;
sample_buf = dest;
// start_index = ((start_index/12)*12);
// int n = start_index + bytes;
/*
if (n % 48 != 0) {
PrintAndLog("bad len in GetFromBigBuf");
return;
}
*/
UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {start_index, bytes, 0}};
SendCommand(&c);
/*
for (int i = start_index; i < n; i += 48) {
UsbCommand c = {CMD_DOWNLOAD_RAW_ADC_SAMPLES_125K, {i, 0, 0}};
SendCommand(&c);
// WaitForResponse(CMD_DOWNLOADED_RAW_ADC_SAMPLES_125K);
// memcpy(dest+(i*4), sample_buf, 48);
}
*/
}

3
client/data.h
View file

@ -13,6 +13,9 @@
#include <stdint.h>
//trace buffer size as defined in armsrc/apps.h TRACE_SIZE
#define TRACE_BUFFER_SIZE 4096
#define FILE_PATH_SIZE 1000
#define SAMPLE_BUFFER_SIZE 64
extern uint8_t* sample_buf;

18
client/flash.c
View file

@ -13,7 +13,6 @@
#include <stdlib.h>
#include "proxmark3.h"
#include "sleep.h"
//#include "proxusb.h"
#include "flash.h"
#include "elf.h"
#include "proxendian.h"
@ -276,7 +275,6 @@ static int get_proxmark_state(uint32_t *state)
{
UsbCommand c;
c.cmd = CMD_DEVICE_INFO;
// SendCommand_(&c);
SendCommand(&c);
UsbCommand resp;
ReceiveCommand(&resp);
@ -391,7 +389,6 @@ int flash_start_flashing(int enable_bl_writes,char *serial_port_name)
c.arg[2] = 0;
}
SendCommand(&c);
// SendCommand_(&c);
return wait_for_ack();
} else {
fprintf(stderr, "Note: Your bootloader does not understand the new START_FLASH command\n");
@ -408,22 +405,8 @@ static int write_block(uint32_t address, uint8_t *data, uint32_t length)
memset(block_buf, 0xFF, BLOCK_SIZE);
memcpy(block_buf, data, length);
UsbCommand c;
/*
c.cmd = {CMD_SETUP_WRITE};
for (int i = 0; i < 240; i += 48) {
memcpy(c.d.asBytes, block_buf + i, 48);
c.arg[0] = i / 4;
SendCommand(&c);
// SendCommand_(&c);
if (wait_for_ack() < 0) {
return -1;
}
}
*/
c.cmd = CMD_FINISH_WRITE;
c.arg[0] = address;
// memcpy(c.d.asBytes, block_buf+240, 16);
// SendCommand_(&c);
memcpy(c.d.asBytes, block_buf, length);
SendCommand(&c);
return wait_for_ack();
@ -486,7 +469,6 @@ void flash_free(flash_file_t *ctx)
// just reset the unit
int flash_stop_flashing(void) {
UsbCommand c = {CMD_HARDWARE_RESET};
// SendCommand_(&c);
SendCommand(&c);
msleep(100);
return 0;

2
client/graph.c
View file

@ -36,6 +36,8 @@ void AppendGraph(int redraw, int clock, int bit)
int ClearGraph(int redraw)
{
int gtl = GraphTraceLen;
memset(GraphBuffer, 0x00, GraphTraceLen);
GraphTraceLen = 0;
if (redraw)

1
client/loclass/elite_crack.c
View file

@ -514,7 +514,6 @@ int bruteforceDump(uint8_t dump[], size_t dumpsize, uint16_t keytable[])
*/
int bruteforceFile(const char *filename, uint16_t keytable[])
{
FILE *f = fopen(filename, "rb");
if(!f) {
prnlog("Failed to read from file '%s'", filename);

6
client/loclass/fileutils.c
View file

@ -11,8 +11,14 @@
* @return
*/
int fileExists(const char *filename) {
#ifdef _WIN32
struct _stat st;
int result = _stat(filename, &st);
#else
struct stat st;
int result = stat(filename, &st);
#endif
return result == 0;
}

BIN
client/loclass/iclass_dump.bin
View file

Binary file not shown.

2
client/loclass/ikeys.c
View file

@ -725,7 +725,6 @@ int doTestsWithKnownInputs()
int readKeyFile(uint8_t key[8])
{
FILE *f;
int retval = 1;
f = fopen("iclass_key.bin", "rb");
@ -738,7 +737,6 @@ int readKeyFile(uint8_t key[8])
fclose(f);
}
return retval;
}

33
client/lualibs/commands.lua
View file

@ -64,6 +64,7 @@ local _commands = {
CMD_ISO_15693_COMMAND_DONE = 0x0314,
CMD_ISO_15693_FIND_AFI = 0x0315,
CMD_ISO_15693_DEBUG = 0x0316,
CMD_LF_SNOOP_RAW_ADC_SAMPLES = 0x0317,
--// For Hitag2 transponders
CMD_SNOOP_HITAG = 0x0370,
@ -80,10 +81,13 @@ local _commands = {
CMD_READER_LEGIC_RF = 0x0388,
CMD_WRITER_LEGIC_RF = 0x0389,
CMD_EPA_PACE_COLLECT_NONCE = 0x038A,
--//CMD_EPA_ = 0x038B,
CMD_SNOOP_ICLASS = 0x0392,
CMD_SIMULATE_TAG_ICLASS = 0x0393,
CMD_READER_ICLASS = 0x0394,
CMD_READER_ICLASS_REPLAY = 0x0395,
CMD_ICLASS_ISO14443A_WRITE = 0x0397,
--// For measurements of the antenna tuning
CMD_MEASURE_ANTENNA_TUNING = 0x0400,
@ -100,8 +104,11 @@ local _commands = {
CMD_MIFARE_EML_MEMSET = 0x0602,
CMD_MIFARE_EML_MEMGET = 0x0603,
CMD_MIFARE_EML_CARDLOAD = 0x0604,
CMD_MIFARE_EML_CSETBLOCK = 0x0605,
CMD_MIFARE_EML_CGETBLOCK = 0x0606,
--// magic chinese card commands
CMD_MIFARE_CSETBLOCK = 0x0605,
CMD_MIFARE_CGETBLOCK = 0x0606,
CMD_MIFARE_CIDENT = 0x0607,
CMD_SIMULATE_MIFARE_CARD = 0x0610,
@ -109,12 +116,33 @@ local _commands = {
CMD_MIFARE_NESTED = 0x0612,
CMD_MIFARE_READBL = 0x0620,
CMD_MIFAREU_READBL = 0x0720,
CMD_MIFARE_READSC = 0x0621,
CMD_MIFAREU_READCARD = 0x0721,
CMD_MIFARE_WRITEBL = 0x0622,
CMD_MIFAREU_WRITEBL = 0x0722,
CMD_MIFAREU_WRITEBL_COMPAT = 0x0723,
CMD_MIFARE_CHKKEYS = 0x0623,
CMD_MIFARE_SNIFFER = 0x0630,
--//ultralightC
CMD_MIFAREUC_AUTH1 = 0x0724,
CMD_MIFAREUC_AUTH2 = 0x0725,
CMD_MIFAREUC_READCARD = 0x0726,
--// mifare desfire
CMD_MIFARE_DESFIRE_READBL = 0x0728,
CMD_MIFARE_DESFIRE_WRITEBL = 0x0729,
CMD_MIFARE_DESFIRE_AUTH1 = 0x072a,
CMD_MIFARE_DESFIRE_AUTH2 = 0x072b,
CMD_MIFARE_DES_READER = 0x072c,
CMD_MIFARE_DESFIRE_INFO = 0x072d,
CMD_MIFARE_DESFIRE = 0x072e,
CMD_UNKNOWN = 0xFFFF,
}
@ -185,7 +213,6 @@ function Command:getBytes()
local cmd = self.cmd
local arg1, arg2, arg3 = self.arg1, self.arg2, self.arg3
return bin.pack("LLLLH",cmd, arg1, arg2, arg3,data);
end
return _commands

14
client/lualibs/html_dumplib.lua
View file

@ -47,6 +47,18 @@ local function save_HTML(javascript, filename)
end
local function save_TEXT(data,filename)
-- Open the output file
local outfile = io.open(filename, "wb")
if outfile == nil then
return oops(string.format("Could not write to file %s",tostring(filename)))
end
outfile:write(data)
io.close(outfile)
return filename
end
local function save_BIN(data, filename)
-- Open the output file
@ -181,4 +193,6 @@ return {
convert_bin_to_html = convert_bin_to_html,
convert_eml_to_html = convert_eml_to_html,
convert_eml_to_bin = convert_eml_to_bin,
SaveAsBinary = save_BIN,
SaveAsText = save_TEXT,
}

1
client/lualibs/htmlskel.lua
View file

@ -55,6 +55,7 @@ local skel_1 = [[
return "UNKNOWN"
}
add("04,,,Mifare TNP3xxx Activision 1K,0f01,01");
add("04,,,Mifare Mini,0004,09");
add("04,,,Mifare Classic 1k/Mifare Plus(4 byte UID) 2K SL1,0004,08");
add("04,,,Mifare Plus (4 byte UID) 2K SL2,0004,10");

18
client/lualibs/mf_default_keys.lua
View file

@ -141,6 +141,24 @@ local _keys = {
'200000000000',
'a00000000000',
'b00000000000',
--[[
Should be for Mifare TNP3xxx tags A KEY.
--]]
'4b0b20107ccb',
--[[
Kiev metro cards
--]]
'8fe644038790',
'f14ee7cae863',
'632193be1c3c',
'569369c5a0e5',
'9de89e070277',
'eff603e1efe9',
'644672bd4afe',
'b5ff67cba951',
}
---

1
client/lualibs/read14a.lua
View file

@ -25,6 +25,7 @@ local ISO14A_COMMAND = {
local ISO14443a_TYPES = {}
ISO14443a_TYPES[0x00] = "NXP MIFARE Ultralight | Ultralight C"
ISO14443a_TYPES[0x01] = "NXP MIFARE TNP3xxx Activision Game Appliance"
ISO14443a_TYPES[0x04] = "NXP MIFARE (various !DESFire !DESFire EV1)"
ISO14443a_TYPES[0x08] = "NXP MIFARE CLASSIC 1k | Plus 2k"
ISO14443a_TYPES[0x09] = "NXP MIFARE Mini 0.3k"

22
client/mifarehost.c
View file

@ -26,8 +26,6 @@ int compar_int(const void * a, const void * b) {
else return -1;
}
// Compare 16 Bits out of cryptostate
int Compare16Bits(const void * a, const void * b) {
if ((*(uint64_t*)b & 0x00ff000000ff0000) == (*(uint64_t*)a & 0x00ff000000ff0000)) return 0;
@ -35,7 +33,6 @@ int Compare16Bits(const void * a, const void * b) {
else return -1;
}
typedef
struct {
union {
@ -70,16 +67,12 @@ void* nested_worker_thread(void *arg)
return statelist->head.slhead;
}
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate)
{
uint16_t i, len;
uint32_t uid;
UsbCommand resp;
StateList_t statelists[2];
struct Crypto1State *p1, *p2, *p3, *p4;
@ -239,12 +232,11 @@ int mfEmlSetMem(uint8_t *data, int blockNum, int blocksCount) {
// "MAGIC" CARD
int mfCSetUID(uint8_t *uid, uint8_t *oldUID, bool wantWipe) {
uint8_t block0[16];
memset(block0, 0, 16);
uint8_t block0[16] = {0x00};
memcpy(block0, uid, 4);
block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // Mifare UID BCC
// mifare classic SAK(byte 5) and ATQA(byte 6 and 7)
block0[5] = 0x88;
block0[5] = 0x08;
block0[6] = 0x04;
block0[7] = 0x00;
@ -252,9 +244,9 @@ int mfCSetUID(uint8_t *uid, uint8_t *oldUID, bool wantWipe) {
}
int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uint8_t params) {
uint8_t isOK = 0;
UsbCommand c = {CMD_MIFARE_EML_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
uint8_t isOK = 0;
UsbCommand c = {CMD_MIFARE_CSETBLOCK, {wantWipe, params & (0xFE | (uid == NULL ? 0:1)), blockNo}};
memcpy(c.d.asBytes, data, 16);
SendCommand(&c);
@ -273,7 +265,7 @@ int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, bool wantWipe, uin
int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) {
uint8_t isOK = 0;
UsbCommand c = {CMD_MIFARE_EML_CGETBLOCK, {params, 0, blockNo}};
UsbCommand c = {CMD_MIFARE_CGETBLOCK, {params, 0, blockNo}};
SendCommand(&c);
UsbCommand resp;
@ -296,7 +288,7 @@ static uint8_t trailerAccessBytes[4] = {0x08, 0x77, 0x8F, 0x00};
// variables
char logHexFileName[200] = {0x00};
static uint8_t traceCard[4096] = {0x00};
static char traceFileName[200] = {0};
static char traceFileName[200] = {0x00};
static int traceState = TRACE_IDLE;
static uint8_t traceCurBlock = 0;
static uint8_t traceCurKey = 0;
@ -522,7 +514,6 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
case TRACE_AUTH1:
if (len == 4) {
traceState = TRACE_AUTH2;
nt = bytes_to_num(data, 4);
return 0;
} else {
@ -558,6 +549,7 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
lfsr_rollback_word(revstate, 0, 0);
lfsr_rollback_word(revstate, nr_enc, 1);
lfsr_rollback_word(revstate, uid ^ nt, 0);
crypto1_get_lfsr(revstate, &lfsr);
printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF));
AddLogUint64(logHexFileName, "key> ", lfsr);

1
client/mifarehost.h
View file

@ -15,7 +15,6 @@
#include "cmdmain.h"
#include "ui.h"
#include "data.h"
//#include "proxusb.h"
#include "util.h"
#include "nonce2key/nonce2key.h"
#include "nonce2key/crapto1.h"

1
client/nonce2key/crapto1.c
View file

@ -549,7 +549,6 @@ lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8],
free(odd);
free(even);
return 0;
}
s = statelist;

40
client/proxmark3.c
View file

@ -66,21 +66,6 @@ struct main_loop_arg {
char *script_cmds_file;
};
//static void *usb_receiver(void *targ) {
// struct receiver_arg *arg = (struct receiver_arg*)targ;
// UsbCommand cmdbuf;
//
// while (arg->run) {
// if (ReceiveCommandPoll(&cmdbuf)) {
// UsbCommandReceived(&cmdbuf);
// fflush(NULL);
// }
// }
//
// pthread_exit(NULL);
// return NULL;
//}
byte_t rx[0x1000000];
byte_t* prx = rx;
@ -129,7 +114,7 @@ static void *main_loop(void *targ) {
}
FILE *script_file = NULL;
char script_cmd_buf[256];
char script_cmd_buf[256]; // iceman, needs lua script the same file_path_buffer as the rest
if (arg->script_cmds_file)
{
@ -211,14 +196,6 @@ static void *main_loop(void *targ) {
return NULL;
}
//static void dumpHelp(char *parent, ...)
//{
// printf("## %s\n\n", parent);
// CommandReceived(parent);
//
// printf("\n");
//}
static void dumpAllHelp(int markdown)
{
printf("\n%sProxmark3 command dump%s\n\n",markdown?"# ":"",markdown?"":"\n======================");
@ -258,17 +235,6 @@ int main(int argc, char* argv[]) {
};
pthread_t main_loop_t;
/*
usb_init();
if (!OpenProxmark(1)) {
fprintf(stderr,"PROXMARK3: NOT FOUND!\n");
marg.usb_present = 0;
offline = 1;
} else {
marg.usb_present = 1;
offline = 0;
}
*/
sp = uart_open(argv[1]);
if (sp == INVALID_SERIAL_PORT) {
@ -309,10 +275,6 @@ int main(int argc, char* argv[]) {
pthread_join(main_loop_t, NULL);
// if (marg.usb_present == 1) {
// CloseProxmark();
// }
// Clean up the port
uart_close(sp);

4
client/scripts/formatMifare.lua
View file

@ -90,8 +90,10 @@ function GetCardInfo()
elseif 0x09 == result.sak then -- NXP MIFARE Mini 0.3k
-- MIFARE Classic mini offers 320 bytes split into five sectors.
numSectors = 5
elseif 0x10 == result.sak then-- "NXP MIFARE Plus 2k"
elseif 0x10 == result.sak then -- NXP MIFARE Plus 2k
numSectors = 32
elseif 0x01 == sak then -- NXP MIFARE TNP3xxx 1K
numSectors = 16
else
print("I don't know how many sectors there are on this type of card, defaulting to 16")
end

2
client/scripts/mifare_autopwn.lua
View file

@ -133,6 +133,8 @@ function nested(key,sak)
typ = 0
elseif 0x10 == sak then-- "NXP MIFARE Plus 2k"
typ = 2
elseif 0x01 == sak then-- "NXP MIFARE TNP3xxx 1K"
typ = 1
else
print("I don't know how many sectors there are on this type of card, defaulting to 16")
end

10
client/scripts/test.lua
View file

@ -1,10 +0,0 @@
local foo = "This shows how to use some standard libraries"
print(foo)
local answer
repeat
io.write("Continue with this operation (y/n)? ")
io.flush()
answer=io.read()
until answer=="y" or answer=="n"
local x = "Ok then, %s"
print (x:format("whatever"))

135
client/util.c
View file

@ -13,6 +13,7 @@
#ifndef _WIN32
#include <termios.h>
#include <sys/ioctl.h>
int ukbhit(void)
{
int cnt = 0;
@ -112,6 +113,19 @@ char * sprint_hex(const uint8_t * data, const size_t len) {
return buf;
}
char * sprint_bin(const uint8_t * data, const size_t len) {
int maxLen = ( len > 1024) ? 1024 : len;
static char buf[1024];
char * tmp = buf;
size_t i;
for (i=0; i < maxLen; ++i, ++tmp)
sprintf(tmp, "%u", data[i]);
return buf;
}
void num_to_bytes(uint64_t n, size_t len, uint8_t* dest)
{
while (len--) {
@ -131,6 +145,28 @@ uint64_t bytes_to_num(uint8_t* src, size_t len)
return num;
}
//assumes little endian
char * printBits(size_t const size, void const * const ptr)
{
unsigned char *b = (unsigned char*) ptr;
unsigned char byte;
static char buf[1024];
char * tmp = buf;
int i, j;
for (i=size-1;i>=0;i--)
{
for (j=7;j>=0;j--)
{
byte = b[i] & (1<<j);
byte >>= j;
sprintf(tmp, "%u", byte);
tmp++;
}
}
return buf;
}
// -------------------------------------------------------------------------
// string parameters lib
// -------------------------------------------------------------------------
@ -248,3 +284,102 @@ int param_getstr(const char *line, int paramnum, char * str)
return en - bg + 1;
}
/*
The following methods comes from Rfidler sourcecode.
https://github.com/ApertureLabsLtd/RFIDler/blob/master/firmware/Pic32/RFIDler.X/src/
*/
// convert hex to sequence of 0/1 bit values
// returns number of bits converted
int hextobinarray(char *target, char *source)
{
int length, i, count= 0;
char x;
length = strlen(source);
// process 4 bits (1 hex digit) at a time
while(length--)
{
x= *(source++);
// capitalize
if (x >= 'a' && x <= 'f')
x -= 32;
// convert to numeric value
if (x >= '0' && x <= '9')
x -= '0';
else if (x >= 'A' && x <= 'F')
x -= 'A' - 10;
else
return 0;
// output
for(i= 0 ; i < 4 ; ++i, ++count)
*(target++)= (x >> (3 - i)) & 1;
}
return count;
}
// convert hex to human readable binary string
int hextobinstring(char *target, char *source)
{
int length;
if(!(length= hextobinarray(target, source)))
return 0;
binarraytobinstring(target, target, length);
return length;
}
// convert binary array of 0x00/0x01 values to hex (safe to do in place as target will always be shorter than source)
// return number of bits converted
int binarraytohex(char *target, char *source, int length)
{
unsigned char i, x;
int j = length;
if(j % 4)
return 0;
while(j)
{
for(i= x= 0 ; i < 4 ; ++i)
x += ( source[i] << (3 - i));
sprintf(target,"%X", x);
++target;
source += 4;
j -= 4;
}
return length;
}
// convert binary array to human readable binary
void binarraytobinstring(char *target, char *source, int length)
{
int i;
for(i= 0 ; i < length ; ++i)
*(target++)= *(source++) + '0';
*target= '\0';
}
// return parity bit required to match type
uint8_t GetParity( char *bits, uint8_t type, int length)
{
int x;
for(x= 0 ; length > 0 ; --length)
x += bits[length - 1];
x %= 2;
return x ^ type;
}
// add HID parity to binary array: EVEN prefix for 1st half of ID, ODD suffix for 2nd half
void wiegand_add_parity(char *target, char *source, char length)
{
*(target++)= GetParity(source, EVEN, length / 2);
memcpy(target, source, length);
target += length;
*(target)= GetParity(source + length / 2, ODD, length / 2);
}

14
client/util.h
View file

@ -15,6 +15,7 @@
#include <string.h>
#include <ctype.h>
#include <time.h>
#include "data.h"
#ifndef MIN
# define MIN(a, b) (((a) < (b)) ? (a) : (b))
@ -22,6 +23,10 @@
#ifndef MAX
# define MAX(a, b) (((a) > (b)) ? (a) : (b))
#endif
#define TRUE 1
#define FALSE 0
#define EVEN 0
#define ODD 1
int ukbhit(void);
@ -33,9 +38,11 @@ void FillFileNameByUID(char *fileName, uint8_t * uid, char *ext, int byteCount);
void print_hex(const uint8_t * data, const size_t len);
char * sprint_hex(const uint8_t * data, const size_t len);
char * sprint_bin(const uint8_t * data, const size_t len);
void num_to_bytes(uint64_t n, size_t len, uint8_t* dest);
uint64_t bytes_to_num(uint8_t* src, size_t len);
char * printBits(size_t const size, void const * const ptr);
char param_getchar(const char *line, int paramnum);
uint8_t param_get8(const char *line, int paramnum);
@ -45,3 +52,10 @@ uint64_t param_get64ex(const char *line, int paramnum, int deflt, int base);
int param_gethex(const char *line, int paramnum, uint8_t * data, int hexcnt);
int param_getstr(const char *line, int paramnum, char * str);
int hextobinarray( char *target, char *source);
int hextobinstring( char *target, char *source);
int binarraytohex( char *target, char *source, int length);
void binarraytobinstring(char *target, char *source, int length);
uint8_t GetParity( char *string, uint8_t type, int length);
void wiegand_add_parity(char *target, char *source, char length);

4
common/Makefile.common
View file

@ -54,7 +54,8 @@ DELETE=del /q
MOVE=ren
COPY=copy
PATHSEP=\\#
FLASH_TOOL=winsrc\\prox.exe
#FLASH_TOOL=winsrc\\prox.exe
FLASH_TOOL=winsrc\\flash.exe
DETECTED_OS=Windows
endif
@ -67,6 +68,7 @@ INCLUDES = ../include/proxmark3.h ../include/at91sam7s512.h ../include/config_gp
CFLAGS = -c $(INCLUDE) -Wall -Werror -pedantic -std=c99 $(APP_CFLAGS) -Os
LDFLAGS = -nostartfiles -nodefaultlibs -Wl,-gc-sections -n
LIBS = -lgcc
THUMBOBJ = $(patsubst %.c,$(OBJDIR)/%.o,$(THUMBSRC))

2
common/cmd.c
View file

@ -34,8 +34,6 @@
#include "string.h"
#include "proxmark3.h"
//static UsbCommand txcmd;
bool cmd_receive(UsbCommand* cmd) {
// Check if there is a usb packet available

23
common/crc16.c
View file

@ -8,6 +8,7 @@
#include "crc16.h"
unsigned short update_crc16( unsigned short crc, unsigned char c )
{
unsigned short i, v, tcrc = 0;
@ -20,3 +21,25 @@ unsigned short update_crc16( unsigned short crc, unsigned char c )
return ((crc >> 8) ^ tcrc)&0xffff;
}
uint16_t crc16(uint8_t const *message, int length, uint16_t remainder, uint16_t polynomial) {
if (length == 0)
return (~remainder);
for (int byte = 0; byte < length; ++byte) {
remainder ^= (message[byte] << 8);
for (uint8_t bit = 8; bit > 0; --bit) {
if (remainder & 0x8000) {
remainder = (remainder << 1) ^ polynomial;
} else {
remainder = (remainder << 1);
}
}
}
return remainder;
}
uint16_t crc16_ccitt(uint8_t const *message, int length) {
return crc16(message, length, 0xffff, 0x1021);
}

5
common/crc16.h
View file

@ -5,10 +5,11 @@
//-----------------------------------------------------------------------------
// CRC16
//-----------------------------------------------------------------------------
#include <stdint.h>
#ifndef __CRC16_H
#define __CRC16_H
unsigned short update_crc16(unsigned short crc, unsigned char c);
uint16_t crc16(uint8_t const *message, int length, uint16_t remainder, uint16_t polynomial);
uint16_t crc16_ccitt(uint8_t const *message, int length);
#endif

8
common/usb_cdc.c
View file

@ -223,7 +223,6 @@ byte_t btReceiveBank = AT91C_UDP_RX_DATA_BK0;
void usb_disable() {
// Disconnect the USB device
AT91C_BASE_PIOA->PIO_ODR = GPIO_USB_PU;
// SpinDelay(100);
// Clear all lingering interrupts
if(pUdp->UDP_ISR & AT91C_UDP_ENDBUSRES) {
@ -257,7 +256,6 @@ void usb_enable() {
// Wait for a short while
for (volatile size_t i=0; i<0x100000; i++);
// SpinDelay(100);
// Reconnect USB reconnect
AT91C_BASE_PIOA->PIO_SODR = GPIO_USB_PU;
@ -304,8 +302,7 @@ uint32_t usb_read(byte_t* data, size_t len) {
uint32_t packetSize, nbBytesRcv = 0;
uint32_t time_out = 0;
while (len)
{
while (len) {
if (!usb_check()) break;
if ( pUdp->UDP_CSR[AT91C_EP_OUT] & bank ) {
@ -314,8 +311,7 @@ uint32_t usb_read(byte_t* data, size_t len) {
while(packetSize--)
data[nbBytesRcv++] = pUdp->UDP_FDR[AT91C_EP_OUT];
pUdp->UDP_CSR[AT91C_EP_OUT] &= ~(bank);
if (bank == AT91C_UDP_RX_DATA_BK0)
{
if (bank == AT91C_UDP_RX_DATA_BK0) {
bank = AT91C_UDP_RX_DATA_BK1;
} else {
bank = AT91C_UDP_RX_DATA_BK0;

2
include/at91sam7s512.h
View file

@ -428,7 +428,7 @@ typedef struct _AT91S_PIO {
#define PIO_PDR (AT91_CAST(AT91_REG *) 0x00000004) // (PIO_PDR) PIO Disable Register
#define PIO_PSR (AT91_CAST(AT91_REG *) 0x00000008) // (PIO_PSR) PIO Status Register
#define PIO_OER (AT91_CAST(AT91_REG *) 0x00000010) // (PIO_OER) Output Enable Register
#define PIO_ODR (AT91_CAST(AT91_REG *) 0x00000014) // (PIO_ODR) Output Disable Registerr
#define PIO_ODR (AT91_CAST(AT91_REG *) 0x00000014) // (PIO_ODR) Output Disable Register
#define PIO_OSR (AT91_CAST(AT91_REG *) 0x00000018) // (PIO_OSR) Output Status Register
#define PIO_IFER (AT91_CAST(AT91_REG *) 0x00000020) // (PIO_IFER) Input Filter Enable Register
#define PIO_IFDR (AT91_CAST(AT91_REG *) 0x00000024) // (PIO_IFDR) Input Filter Disable Register

48
include/crc.h
View file

@ -1,48 +0,0 @@
//-----------------------------------------------------------------------------
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Generic CRC calculation code.
//-----------------------------------------------------------------------------
#ifndef __CRC_H
#define __CRC_H
#include <stdint.h>
typedef struct crc {
uint32_t state;
int order;
uint32_t polynom;
uint32_t initial_value;
uint32_t final_xor;
uint32_t mask;
} crc_t;
/* Initialize a crc structure. order is the order of the polynom, e.g. 32 for a CRC-32
* polynom is the CRC polynom. initial_value is the initial value of a clean state.
* final_xor is XORed onto the state before returning it from crc_result(). */
extern void crc_init(crc_t *crc, int order, uint32_t polynom, uint32_t initial_value, uint32_t final_xor);
/* Update the crc state. data is the data of length data_width bits (only the the
* data_width lower-most bits are used).
*/
extern void crc_update(crc_t *crc, uint32_t data, int data_width);
/* Clean the crc state, e.g. reset it to initial_value */
extern void crc_clear(crc_t *crc);
/* Get the result of the crc calculation */
extern uint32_t crc_finish(crc_t *crc);
/* Static initialization of a crc structure */
#define CRC_INITIALIZER(_order, _polynom, _initial_value, _final_xor) { \
.state = ((_initial_value) & ((1L<<(_order))-1)), \
.order = (_order), \
.polynom = (_polynom), \
.initial_value = (_initial_value), \
.final_xor = (_final_xor), \
.mask = ((1L<<(_order))-1) }
#endif /* __CRC_H */

3
include/proxmark3.h
View file

@ -14,6 +14,7 @@
// Might as well have the hardware-specific defines everywhere.
#include "at91sam7s512.h"
#include "config_gpio.h"
#include "usb_cmd.h"
#define WDT_HIT() AT91C_BASE_WDTC->WDTC_WDCR = 0xa5000001
@ -67,8 +68,6 @@
#define TRUE 1
#define FALSE 0
#include <usb_cmd.h>
//#define PACKED __attribute__((__packed__))
#define LED_A_ON() HIGH(GPIO_LED_A)

29
include/usb_cmd.h
View file

@ -81,7 +81,7 @@ typedef struct {
#define CMD_EM4X_WRITE_WORD 0x0219
#define CMD_IO_DEMOD_FSK 0x021A
#define CMD_IO_CLONE_TAG 0x021B
#define CMD_EM410X_DEMOD 0x021C
#define CMD_EM410X_DEMOD 0x021c
/* CMD_SET_ADC_MUX: ext1 is 0 for lopkd, 1 for loraw, 2 for hipkd, 3 for hiraw */
@ -137,8 +137,11 @@ typedef struct {
#define CMD_MIFARE_EML_MEMSET 0x0602
#define CMD_MIFARE_EML_MEMGET 0x0603
#define CMD_MIFARE_EML_CARDLOAD 0x0604
#define CMD_MIFARE_EML_CSETBLOCK 0x0605
#define CMD_MIFARE_EML_CGETBLOCK 0x0606
// magic chinese card commands
#define CMD_MIFARE_CSETBLOCK 0x0605
#define CMD_MIFARE_CGETBLOCK 0x0606
#define CMD_MIFARE_CIDENT 0x0607
#define CMD_SIMULATE_MIFARE_CARD 0x0610
@ -147,14 +150,30 @@ typedef struct {
#define CMD_MIFARE_READBL 0x0620
#define CMD_MIFAREU_READBL 0x0720
#define CMD_MIFARE_READSC 0x0621
#define CMD_MIFAREU_READCARD 0x0721
#define CMD_MIFARE_WRITEBL 0x0622
#define CMD_MIFAREU_WRITEBL_COMPAT 0x0722
#define CMD_MIFAREU_WRITEBL 0x0723
#define CMD_MIFAREU_WRITEBL 0x0722
#define CMD_MIFAREU_WRITEBL_COMPAT 0x0723
#define CMD_MIFARE_CHKKEYS 0x0623
#define CMD_MIFARE_SNIFFER 0x0630
//ultralightC
#define CMD_MIFAREUC_AUTH1 0x0724
#define CMD_MIFAREUC_AUTH2 0x0725
#define CMD_MIFAREUC_READCARD 0x0726
// mifare desfire
#define CMD_MIFARE_DESFIRE_READBL 0x0728
#define CMD_MIFARE_DESFIRE_WRITEBL 0x0729
#define CMD_MIFARE_DESFIRE_AUTH1 0x072a
#define CMD_MIFARE_DESFIRE_AUTH2 0x072b
#define CMD_MIFARE_DES_READER 0x072c
#define CMD_MIFARE_DESFIRE_INFO 0x072d
#define CMD_MIFARE_DESFIRE 0x072e
#define CMD_UNKNOWN 0xFFFF