search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
textual
[RRG-proxmark3.git] / client / src / cmdhflist.c
blobd46b193aa5b712e02bfa8f5036b9fa595a10383d
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Merlok - 2017
3 // iceman 2018
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // Command: hf mf list. It shows data from arm buffer.
10 //-----------------------------------------------------------------------------
11
12 #include "cmdhflist.h"
13
14 #include <inttypes.h>
15 #include <string.h>
16 #include <stdio.h>
17
18 #include "commonutil.h" // ARRAYLEN
19 #include "mifare/mifarehost.h"
20 #include "parity.h" // oddparity
21 #include "ui.h"
22 #include "crc16.h"
23 #include "crapto1/crapto1.h"
24 #include "protocols.h"
25 #include "cmdhficlass.h"
26
27 enum MifareAuthSeq {
28 masNone,
29 masNt,
30 masNrAr,
31 masAt,
32 masAuthComplete,
33 masFirstData,
34 masData,
35 masError,
36 };
37 static enum MifareAuthSeq MifareAuthState;
38 static TAuthData AuthData;
39
40 void ClearAuthData(void) {
41 AuthData.uid = 0;
42 AuthData.nt = 0;
43 AuthData.first_auth = true;
44 AuthData.ks2 = 0;
45 AuthData.ks3 = 0;
46 }
47
48 /**
49 * @brief iso14443A_CRC_check Checks CRC in command or response
50 * @param isResponse
51 * @param data
52 * @param len
53 * @return 0 : CRC-command, CRC not ok
54 * 1 : CRC-command, CRC ok
55 * 2 : Not crc-command
56 */
57
58 uint8_t iso14443A_CRC_check(bool isResponse, uint8_t *d, uint8_t n) {
59 if (n < 3) return 2;
60 if (isResponse && (n < 6)) return 2;
61 if (d[1] == 0x50 &&
62 d[0] >= ISO14443A_CMD_ANTICOLL_OR_SELECT &&
63 d[0] <= ISO14443A_CMD_ANTICOLL_OR_SELECT_3) {
64 return 2;
65 }
66 return check_crc(CRC_14443_A, d, n);
67 }
68
69 uint8_t mifare_CRC_check(bool isResponse, uint8_t *data, uint8_t len) {
70 switch (MifareAuthState) {
71 case masNone:
72 case masError:
73 return iso14443A_CRC_check(isResponse, data, len);
74 case masNt:
75 case masNrAr:
76 case masAt:
77 case masAuthComplete:
78 case masFirstData:
79 case masData:
80 break;
81 }
82 return 2;
83 }
84
85 /**
86 * @brief iso14443B_CRC_check Checks CRC
87 * @param data
88 * @param len
89 * @return 0 : CRC-command, CRC not ok
90 * 1 : CRC-command, CRC ok
91 * 2 : Not crc-command
92 */
93 uint8_t iso14443B_CRC_check(uint8_t *d, uint8_t n) {
94 return check_crc(CRC_14443_B, d, n);
95 }
96
97 uint8_t iso15693_CRC_check(uint8_t *d, uint8_t n) {
98 return check_crc(CRC_15693, d, n);
99 }
100
101 uint8_t felica_CRC_check(uint8_t *d, uint8_t n) {
102 return check_crc(CRC_FELICA, d, n);
103 }
104
105 /**
106 * @brief iclass_CRC_Ok Checks CRC in command or response
107 * @param isResponse
108 * @param data
109 * @param len
110 * @return 0 : CRC-command, CRC not ok
111 * 1 : CRC-command, CRC ok
112 * 2 : Not crc-command
113 */
114 uint8_t iclass_CRC_check(bool isResponse, uint8_t *d, uint8_t n) {
115 //CRC commands (and responses) are all at least 4 bytes
116 if (n < 4) return 2;
117
118 //Commands to tag
119 //Don't include the command byte
120 if (!isResponse) {
121 /**
122 These commands should have CRC. Total length leftmost
123 4 READ
124 4 READ4
125 12 UPDATE - unsecured, ends with CRC16
126 14 UPDATE - secured, ends with signature instead
127 4 PAGESEL
128 **/
129 //Covers three of them
130 if (n == 4 || n == 12) {
131 return check_crc(CRC_ICLASS, d + 1, n - 1);
132 }
133 return 2;
134 }
135 /**
136 These tag responses should have CRC. Total length leftmost
137
138 10 READ data[8] crc[2]
139 34 READ4 data[32]crc[2]
140 10 UPDATE data[8] crc[2]
141 10 SELECT csn[8] crc[2]
142 10 IDENTIFY asnb[8] crc[2]
143 10 PAGESEL block1[8] crc[2]
144 10 DETECT csn[8] crc[2]
145
146 These should not
147
148 4 CHECK chip_response[4]
149 8 READCHECK data[8]
150 1 ACTALL sof[1]
151 1 ACT sof[1]
152
153 In conclusion, without looking at the command; any response
154 of length 10 or 34 should have CRC
155 **/
156 if (n != 10 && n != 34) return true;
157
158 return check_crc(CRC_ICLASS, d, n);
159 }
160
161 int applyIso14443a(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
162 switch (cmd[0]) {
163 case ISO14443A_CMD_WUPA:
164 snprintf(exp, size, "WUPA");
165 break;
166 case ISO14443A_CMD_ANTICOLL_OR_SELECT: {
167 // 93 20 = Anticollision (usage: 9320 - answer: 4bytes UID+1byte UID-bytes-xor)
168 // 93 50 = Bit oriented anti-collision (usage: 9350+ up to 5bytes, 9350 answer - up to 5bytes UID+BCC)
169 // 93 70 = Select (usage: 9370+5bytes 9370 answer - answer: 1byte SAK)
170 if (cmd[1] == 0x70)
171 snprintf(exp, size, "SELECT_UID");
172 else if (cmd[1] == 0x20 || cmd[1] == 0x50)
173 snprintf(exp, size, "ANTICOLL");
174 else
175 snprintf(exp, size, "SELECT_XXX");
176 break;
177 }
178 case ISO14443A_CMD_ANTICOLL_OR_SELECT_2: {
179 //95 20 = Anticollision of cascade level2
180 //95 50 = Bit oriented anti-collision level2
181 //95 70 = Select of cascade level2
182 if (cmd[1] == 0x70)
183 snprintf(exp, size, "SELECT_UID-2");
184 else if (cmd[1] == 0x20 || cmd[1] == 0x50)
185 snprintf(exp, size, "ANTICOLL-2");
186 else
187 snprintf(exp, size, "SELECT_XXX-2");
188 break;
189 }
190 case ISO14443A_CMD_ANTICOLL_OR_SELECT_3: {
191 //97 20 = Anticollision of cascade level3
192 //97 50 = Bit oriented anti-collision level3
193 //97 70 = Select of cascade level3
194 if (cmd[1] == 0x70)
195 snprintf(exp, size, "SELECT_UID-3");
196 else if (cmd[1] == 0x20 || cmd[1] == 0x50)
197 snprintf(exp, size, "ANTICOLL-3");
198 else
199 snprintf(exp, size, "SELECT_XXX-3");
200 break;
201 }
202 case ISO14443A_CMD_REQA:
203 snprintf(exp, size, "REQA");
204 break;
205 case ISO14443A_CMD_READBLOCK:
206 snprintf(exp, size, "READBLOCK(%d)", cmd[1]);
207 break;
208 case ISO14443A_CMD_WRITEBLOCK:
209 snprintf(exp, size, "WRITEBLOCK(%d)", cmd[1]);
210 break;
211 case ISO14443A_CMD_HALT:
212 snprintf(exp, size, "HALT");
213 MifareAuthState = masNone;
214 break;
215 case ISO14443A_CMD_RATS:
216 snprintf(exp, size, "RATS");
217 break;
218 case ISO14443A_CMD_PPS:
219 snprintf(exp, size, "PPS");
220 break;
221 case ISO14443A_CMD_OPTS:
222 snprintf(exp, size, "OPTIONAL TIMESLOT");
223 break;
224 case MIFARE_CMD_INC:
225 snprintf(exp, size, "INC(%d)", cmd[1]);
226 break;
227 case MIFARE_CMD_DEC:
228 snprintf(exp, size, "DEC(%d)", cmd[1]);
229 break;
230 case MIFARE_CMD_RESTORE:
231 if (cmdsize == 4)
232 snprintf(exp, size, "RESTORE(%d)", cmd[1]);
233 else
234 return 0;
235 break;
236 case MIFARE_CMD_TRANSFER:
237 snprintf(exp, size, "TRANSFER(%d)", cmd[1]);
238 break;
239 case MIFARE_AUTH_KEYA: {
240 if (cmdsize > 3) {
241 snprintf(exp, size, "AUTH-A(%d)", cmd[1]);
242 MifareAuthState = masNt;
243 } else {
244 // case MIFARE_ULEV1_VERSION : both 0x60.
245 snprintf(exp, size, "EV1 VERSION");
246 }
247 break;
248 }
249 case MIFARE_AUTH_KEYB: {
250 MifareAuthState = masNt;
251 snprintf(exp, size, "AUTH-B(%d)", cmd[1]);
252 break;
253 }
254 case MIFARE_MAGICWUPC1:
255 snprintf(exp, size, "MAGIC WUPC1");
256 break;
257 case MIFARE_MAGICWUPC2:
258 snprintf(exp, size, "MAGIC WUPC2");
259 break;
260 case MIFARE_MAGICWIPEC:
261 snprintf(exp, size, "MAGIC WIPEC");
262 break;
263 case MIFARE_ULC_AUTH_1:
264 snprintf(exp, size, "AUTH ");
265 break;
266 case MIFARE_ULC_AUTH_2:
267 snprintf(exp, size, "AUTH_ANSW");
268 break;
269 case MIFARE_ULEV1_AUTH:
270 if (cmdsize == 7)
271 snprintf(exp, size, "PWD-AUTH KEY: " _YELLOW_("0x%02x%02x%02x%02x"), cmd[1], cmd[2], cmd[3], cmd[4]);
272 else
273 snprintf(exp, size, "PWD-AUTH");
274 break;
275 case MIFARE_ULEV1_FASTREAD : {
276 if (cmdsize >= 3 && cmd[2] <= 0xE6)
277 snprintf(exp, size, "READ RANGE (%d-%d)", cmd[1], cmd[2]);
278 else
279 // outside limits, useful for some tags...
280 snprintf(exp, size, "READ RANGE (%d-%d) (?)", cmd[1], cmd[2]);
281 break;
282 }
283 case MIFARE_ULC_WRITE : {
284 if (cmd[1] < 0x21)
285 snprintf(exp, size, "WRITEBLOCK(%d)", cmd[1]);
286 else
287 // outside limits, useful for some tags...
288 snprintf(exp, size, "WRITEBLOCK(%d) (?)", cmd[1]);
289 break;
290 }
291 case MIFARE_ULEV1_READ_CNT : {
292 if (cmd[1] < 5)
293 snprintf(exp, size, "READ CNT(%d)", cmd[1]);
294 else
295 snprintf(exp, size, "?");
296 break;
297 }
298 case MIFARE_ULEV1_INCR_CNT : {
299 if (cmd[1] < 5)
300 snprintf(exp, size, "INCR(%d)", cmd[1]);
301 else
302 snprintf(exp, size, "?");
303 break;
304 }
305 case MIFARE_ULEV1_READSIG:
306 snprintf(exp, size, "READ SIG");
307 break;
308 case MIFARE_ULEV1_CHECKTEAR:
309 snprintf(exp, size, "CHK TEARING(%d)", cmd[1]);
310 break;
311 case MIFARE_ULEV1_VCSL:
312 snprintf(exp, size, "VCSL");
313 break;
314 case MIFARE_ULNANO_WRITESIG:
315 snprintf(exp, size, "WRITE SIG");
316 break;
317 case MIFARE_ULNANO_LOCKSIG: {
318 if (cmd[1] == 0)
319 snprintf(exp, size, "UNLOCK SIG");
320 else if (cmd[1] == 2)
321 snprintf(exp, size, "LOCK SIG");
322 else
323 snprintf(exp, size, "?");
324 break;
325 }
326 default:
327 return 0;
328 }
329 return 1;
330 }
331
332 void annotateIso14443a(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
333 applyIso14443a(exp, size, cmd, cmdsize);
334 }
335
336 void annotateIclass(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, bool isResponse) {
337
338 enum pico_state {PICO_NONE, PICO_SELECT, PICO_AUTH_EPURSE, PICO_AUTH_MACS };
339 static enum pico_state curr_state = PICO_NONE;
340 static uint8_t csn[8];
341 static uint8_t epurse[8];
342 static uint8_t rmac[4];
343 static uint8_t tmac[4];
344
345 if (isResponse == false) {
346 uint8_t c = cmd[0] & 0x0F;
347 uint8_t parity = 0;
348 for (uint8_t i = 0; i < 7; i++) {
349 parity ^= (cmd[0] >> i) & 1;
350 }
351
352 switch (c) {
353 case ICLASS_CMD_HALT:
354 snprintf(exp, size, "HALT");
355 curr_state = PICO_NONE;
356 break;
357 case ICLASS_CMD_SELECT:
358 snprintf(exp, size, "SELECT");
359 curr_state = PICO_SELECT;
360 break;
361 case ICLASS_CMD_ACTALL:
362 snprintf(exp, size, "ACTALL");
363 curr_state = PICO_NONE;
364 break;
365 case ICLASS_CMD_DETECT:
366 snprintf(exp, size, "DETECT");
367 curr_state = PICO_NONE;
368 break;
369 case ICLASS_CMD_CHECK:
370 snprintf(exp, size, "CHECK");
371 curr_state = PICO_AUTH_MACS;
372 memcpy(rmac, cmd + 1, 4);
373 memcpy(tmac, cmd + 5, 4);
374 break;
375 case ICLASS_CMD_READ4:
376 snprintf(exp, size, "READ4(%d)", cmd[1]);
377 break;
378 case ICLASS_CMD_READ_OR_IDENTIFY: {
379
380 if (cmdsize > 1) {
381 snprintf(exp, size, "READ(%d)", cmd[1]);
382 } else {
383 snprintf(exp, size, "IDENTIFY");
384 }
385 break;
386 }
387 case ICLASS_CMD_PAGESEL:
388 snprintf(exp, size, "PAGESEL(%d)", cmd[1]);
389 curr_state = PICO_NONE;
390 break;
391 case ICLASS_CMD_UPDATE:
392 snprintf(exp, size, "UPDATE(%d)", cmd[1]);
393 curr_state = PICO_NONE;
394 break;
395 case ICLASS_CMD_READCHECK:
396 if (ICLASS_CREDIT(cmd[0])) {
397 snprintf(exp, size, "READCHECK[Kc](%d)", cmd[1]);
398 curr_state = PICO_AUTH_EPURSE;
399 } else {
400 snprintf(exp, size, "READCHECK[Kd](%d)", cmd[1]);
401 curr_state = PICO_AUTH_EPURSE;
402 }
403 break;
404 case ICLASS_CMD_ACT:
405 snprintf(exp, size, "ACT");
406 curr_state = PICO_NONE;
407 break;
408 default:
409 snprintf(exp, size, "?");
410 curr_state = PICO_NONE;
411 break;
412 }
413
414 } else {
415
416 if (curr_state == PICO_SELECT) {
417 memcpy(csn, cmd, 8);
418 curr_state = PICO_NONE;
419 } else if (curr_state == PICO_AUTH_EPURSE) {
420 memcpy(epurse, cmd, 8);
421 } else if (curr_state == PICO_AUTH_MACS) {
422
423 uint8_t key[8];
424 if (check_known_default(csn, epurse, rmac, tmac, key)) {
425 snprintf(exp, size, "( " _GREEN_("%s") " )", sprint_hex_inrow(key, 8));
426 }
427 curr_state = PICO_NONE;
428 }
429 }
430 return;
431 }
432
433 void annotateIso15693(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
434
435 if (cmdsize >= 2) {
436 switch (cmd[1]) {
437 case ISO15693_INVENTORY:
438 snprintf(exp, size, "INVENTORY");
439 return;
440 case ISO15693_STAYQUIET:
441 snprintf(exp, size, "STAY_QUIET");
442 return;
443 case ISO15693_READBLOCK: {
444
445 uint8_t block = 0;
446 if (cmdsize == 13)
447 block = cmd[10];
448 else if (cmdsize == 5)
449 block = cmd[2];
450
451 snprintf(exp, size, "READBLOCK(%d)", block);
452 return;
453 }
454 case ISO15693_WRITEBLOCK: {
455 uint8_t block = 0;
456 if (cmdsize == 9)
457 block = cmd[2];
458 snprintf(exp, size, "WRITEBLOCK(%d)", block);
459 return;
460 }
461 case ISO15693_LOCKBLOCK:
462 snprintf(exp, size, "LOCKBLOCK");
463 return;
464 case ISO15693_READ_MULTI_BLOCK:
465 snprintf(exp, size, "READ_MULTI_BLOCK");
466 return;
467 case ISO15693_WRITE_MULTI_BLOCK:
468 snprintf(exp, size, "WRITE_MULTI_BLOCK");
469 return;
470 case ISO15693_SELECT:
471 snprintf(exp, size, "SELECT");
472 return;
473 case ISO15693_RESET_TO_READY:
474 snprintf(exp, size, "RESET_TO_READY");
475 return;
476 case ISO15693_WRITE_AFI:
477 snprintf(exp, size, "WRITE_AFI");
478 return;
479 case ISO15693_LOCK_AFI:
480 snprintf(exp, size, "LOCK_AFI");
481 return;
482 case ISO15693_WRITE_DSFID:
483 snprintf(exp, size, "WRITE_DSFID");
484 return;
485 case ISO15693_LOCK_DSFID:
486 snprintf(exp, size, "LOCK_DSFID");
487 return;
488 case ISO15693_GET_SYSTEM_INFO:
489 snprintf(exp, size, "GET_SYSTEM_INFO");
490 return;
491 case ISO15693_READ_MULTI_SECSTATUS:
492 snprintf(exp, size, "READ_MULTI_SECSTATUS");
493 return;
494 case ISO15693_INVENTORY_READ:
495 snprintf(exp, size, "INVENTORY_READ");
496 return;
497 case ISO15693_FAST_INVENTORY_READ:
498 snprintf(exp, size, "FAST_INVENTORY_READ");
499 return;
500 case ISO15693_SET_EAS:
501 snprintf(exp, size, "SET_EAS");
502 return;
503 case ISO15693_RESET_EAS:
504 snprintf(exp, size, "RESET_EAS");
505 return;
506 case ISO15693_LOCK_EAS:
507 snprintf(exp, size, "LOCK_EAS");
508 return;
509 case ISO15693_EAS_ALARM:
510 snprintf(exp, size, "EAS_ALARM");
511 return;
512 case ISO15693_PASSWORD_PROTECT_EAS:
513 snprintf(exp, size, "PASSWORD_PROTECT_EAS");
514 return;
515 case ISO15693_WRITE_EAS_ID:
516 snprintf(exp, size, "WRITE_EAS_ID");
517 return;
518 case ISO15693_READ_EPC:
519 snprintf(exp, size, "READ_EPC");
520 return;
521 case ISO15693_GET_NXP_SYSTEM_INFO:
522 snprintf(exp, size, "GET_NXP_SYSTEM_INFO");
523 return;
524 case ISO15693_INVENTORY_PAGE_READ:
525 snprintf(exp, size, "INVENTORY_PAGE_READ");
526 return;
527 case ISO15693_FAST_INVENTORY_PAGE_READ:
528 snprintf(exp, size, "FAST_INVENTORY_PAGE_READ");
529 return;
530 case ISO15693_GET_RANDOM_NUMBER:
531 snprintf(exp, size, "GET_RANDOM_NUMBER");
532 return;
533 case ISO15693_SET_PASSWORD:
534 snprintf(exp, size, "SET_PASSWORD");
535 return;
536 case ISO15693_WRITE_PASSWORD:
537 snprintf(exp, size, "WRITE_PASSWORD");
538 return;
539 case ISO15693_LOCK_PASSWORD:
540 snprintf(exp, size, "LOCK_PASSWORD");
541 return;
542 case ISO15693_PROTECT_PAGE:
543 snprintf(exp, size, "PROTECT_PAGE");
544 return;
545 case ISO15693_LOCK_PAGE_PROTECTION:
546 snprintf(exp, size, "LOCK_PAGE_PROTECTION");
547 return;
548 case ISO15693_GET_MULTI_BLOCK_PROTECTION:
549 snprintf(exp, size, "GET_MULTI_BLOCK_PROTECTION");
550 return;
551 case ISO15693_DESTROY:
552 snprintf(exp, size, "DESTROY");
553 return;
554 case ISO15693_ENABLE_PRIVACY:
555 snprintf(exp, size, "ENABLE_PRIVACY");
556 return;
557 case ISO15693_64BIT_PASSWORD_PROTECTION:
558 snprintf(exp, size, "64BIT_PASSWORD_PROTECTION");
559 return;
560 case ISO15693_STAYQUIET_PERSISTENT:
561 snprintf(exp, size, "STAYQUIET_PERSISTENT");
562 return;
563 case ISO15693_READ_SIGNATURE:
564 snprintf(exp, size, "READ_SIGNATURE");
565 return;
566 default:
567 break;
568 }
569
570 if (cmd[1] > ISO15693_STAYQUIET && cmd[1] < ISO15693_READBLOCK) snprintf(exp, size, "Mandatory RFU");
571 else if (cmd[1] > ISO15693_READ_MULTI_SECSTATUS && cmd[1] <= 0x9F) snprintf(exp, size, "Optional RFU");
572 // else if (cmd[1] >= 0xA0 && cmd[1] <= 0xDF) snprintf(exp, size, "Cust IC MFG dependent");
573 else if (cmd[1] > ISO15693_READ_SIGNATURE && cmd[1] <= 0xDF) snprintf(exp, size, "Cust IC MFG dependent");
574 else if (cmd[1] >= 0xE0) snprintf(exp, size, "Proprietary IC MFG dependent");
575 else
576 snprintf(exp, size, "?");
577 }
578 }
579
580 void annotateTopaz(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
581 switch (cmd[0]) {
582 case TOPAZ_REQA:
583 snprintf(exp, size, "REQA");
584 break;
585 case TOPAZ_WUPA:
586 snprintf(exp, size, "WUPA");
587 break;
588 case TOPAZ_RID:
589 snprintf(exp, size, "RID");
590 break;
591 case TOPAZ_RALL:
592 snprintf(exp, size, "RALL");
593 break;
594 case TOPAZ_READ:
595 snprintf(exp, size, "READ");
596 break;
597 case TOPAZ_WRITE_E:
598 snprintf(exp, size, "WRITE-E");
599 break;
600 case TOPAZ_WRITE_NE:
601 snprintf(exp, size, "WRITE-NE");
602 break;
603 case TOPAZ_RSEG:
604 snprintf(exp, size, "RSEG");
605 break;
606 case TOPAZ_READ8:
607 snprintf(exp, size, "READ8");
608 break;
609 case TOPAZ_WRITE_E8:
610 snprintf(exp, size, "WRITE-E8");
611 break;
612 case TOPAZ_WRITE_NE8:
613 snprintf(exp, size, "WRITE-NE8");
614 break;
615 default:
616 snprintf(exp, size, "?");
617 break;
618 }
619 }
620
621 // iso 7816-3
622 void annotateIso7816(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
623
624 if (cmdsize < 2)
625 return;
626
627 // S-block
628 if ((cmd[0] & 0xC0) && (cmdsize == 3)) {
629 switch ((cmd[0] & 0x3f)) {
630 case 0x00 :
631 snprintf(exp, size, "S-block RESYNCH req");
632 break;
633 case 0x20 :
634 snprintf(exp, size, "S-block RESYNCH resp");
635 break;
636 case 0x01 :
637 snprintf(exp, size, "S-block IFS req");
638 break;
639 case 0x21 :
640 snprintf(exp, size, "S-block IFS resp");
641 break;
642 case 0x02 :
643 snprintf(exp, size, "S-block ABORT req");
644 break;
645 case 0x22 :
646 snprintf(exp, size, "S-block ABORT resp");
647 break;
648 case 0x03 :
649 snprintf(exp, size, "S-block WTX reqt");
650 break;
651 case 0x23 :
652 snprintf(exp, size, "S-block WTX resp");
653 break;
654 default :
655 snprintf(exp, size, "S-block");
656 break;
657 }
658 }
659 // R-block (ack)
660 else if (((cmd[0] & 0xD0) == 0x80) && (cmdsize > 2)) {
661 if ((cmd[0] & 0x10) == 0)
662 snprintf(exp, size, "R-block ACK");
663 else
664 snprintf(exp, size, "R-block NACK");
665 }
666 // I-block
667 else {
668 int pos = 0;
669 switch (cmd[0]) {
670 case 2:
671 case 3:
672 pos = 2;
673 break;
674 case 0:
675 pos = 1;
676 break;
677 default:
678 pos = 3;
679 break;
680 }
681 switch (cmd[pos]) {
682 case ISO7816_READ_BINARY:
683 snprintf(exp, size, "READ BIN");
684 break;
685 case ISO7816_WRITE_BINARY:
686 snprintf(exp, size, "WRITE BIN");
687 break;
688 case ISO7816_UPDATE_BINARY:
689 snprintf(exp, size, "UPDATE BIN");
690 break;
691 case ISO7816_ERASE_BINARY:
692 snprintf(exp, size, "ERASE BIN");
693 break;
694 case ISO7816_READ_RECORDS:
695 snprintf(exp, size, "READ RECORDS");
696 break;
697 case ISO7816_WRITE_RECORDS:
698 snprintf(exp, size, "WRITE RECORDS");
699 break;
700 case ISO7816_APPEND_RECORD:
701 snprintf(exp, size, "APPEND RECORD");
702 break;
703 case ISO7816_UPDATE_RECORD:
704 snprintf(exp, size, "UPDATE RECORD");
705 break;
706 case ISO7816_GET_DATA:
707 snprintf(exp, size, "GET DATA");
708 break;
709 case ISO7816_PUT_DATA:
710 snprintf(exp, size, "PUT DATA");
711 break;
712 case ISO7816_SELECT_FILE:
713 snprintf(exp, size, "SELECT FILE");
714 break;
715 case ISO7816_VERIFY:
716 snprintf(exp, size, "VERIFY");
717 break;
718 case ISO7816_INTERNAL_AUTHENTICATION:
719 snprintf(exp, size, "INTERNAL AUTH");
720 break;
721 case ISO7816_EXTERNAL_AUTHENTICATION:
722 snprintf(exp, size, "EXTERNAL AUTH");
723 break;
724 case ISO7816_GET_CHALLENGE:
725 snprintf(exp, size, "GET CHALLENGE");
726 break;
727 case ISO7816_MANAGE_CHANNEL:
728 snprintf(exp, size, "MANAGE CHANNEL");
729 break;
730 case ISO7816_GET_RESPONSE:
731 snprintf(exp, size, "GET RESPONSE");
732 break;
733 default:
734 //snprintf(exp, size, "?");
735 break;
736 }
737 }
738 }
739
740 // MIFARE DESFire
741 void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
742
743 // it's basically a ISO14443a tag, so try annotation from there
744 if (applyIso14443a(exp, size, cmd, cmdsize) == 0) {
745
746 // S-block 11xxx010
747 if ((cmd[0] & 0xC0) && (cmdsize == 3)) {
748 switch ((cmd[0] & 0x30)) {
749 case 0x00:
750 snprintf(exp, size, "S-block DESELECT");
751 break;
752 case 0x30:
753 snprintf(exp, size, "S-block WTX");
754 break;
755 default:
756 snprintf(exp, size, "S-block");
757 break;
758 }
759 }
760 // R-block (ack) 101xx01x
761 else if (((cmd[0] & 0xB0) == 0xA0) && (cmdsize > 2)) {
762 if ((cmd[0] & 0x10) == 0)
763 snprintf(exp, size, "R-block ACK(%d)", (cmd[0] & 0x01));
764 else
765 snprintf(exp, size, "R-block NACK(%d)", (cmd[0] & 0x01));
766 }
767 // I-block 000xCN1x
768 else if ((cmd[0] & 0xC0) == 0x00) {
769
770 // PCB [CID] [NAD] [INF] CRC CRC
771 int pos = 1;
772 if ((cmd[0] & 0x08) == 0x08) // cid byte following
773 pos++;
774
775 if ((cmd[0] & 0x04) == 0x04) // nad byte following
776 pos++;
777
778 for (uint8_t i = 0; i < 2; i++, pos++) {
779 bool found_annotation = true;
780
781 switch (cmd[pos]) {
782 case MFDES_CREATE_APPLICATION:
783 snprintf(exp, size, "CREATE APPLICATION");
784 break;
785 case MFDES_DELETE_APPLICATION:
786 snprintf(exp, size, "DELETE APPLICATION");
787 break;
788 case MFDES_GET_APPLICATION_IDS:
789 snprintf(exp, size, "GET APPLICATION IDS");
790 break;
791 case MFDES_SELECT_APPLICATION:
792 snprintf(exp, size, "SELECT APPLICATION");
793 break;
794 case MFDES_FORMAT_PICC:
795 snprintf(exp, size, "FORMAT PICC");
796 break;
797 case MFDES_GET_VERSION:
798 snprintf(exp, size, "GET VERSION");
799 break;
800 case MFDES_READ_DATA:
801 snprintf(exp, size, "READ DATA");
802 break;
803 case MFDES_WRITE_DATA:
804 snprintf(exp, size, "WRITE DATA");
805 break;
806 case MFDES_GET_VALUE:
807 snprintf(exp, size, "GET VALUE");
808 break;
809 case MFDES_CREDIT:
810 snprintf(exp, size, "CREDIT");
811 break;
812 case MFDES_DEBIT:
813 snprintf(exp, size, "DEBIT");
814 break;
815 case MFDES_LIMITED_CREDIT:
816 snprintf(exp, size, "LIMITED CREDIT");
817 break;
818 case MFDES_WRITE_RECORD:
819 snprintf(exp, size, "WRITE RECORD");
820 break;
821 case MFDES_READ_RECORDS:
822 snprintf(exp, size, "READ RECORDS");
823 break;
824 case MFDES_CLEAR_RECORD_FILE:
825 snprintf(exp, size, "CLEAR RECORD FILE");
826 break;
827 case MFDES_COMMIT_TRANSACTION:
828 snprintf(exp, size, "COMMIT TRANSACTION");
829 break;
830 case MFDES_ABORT_TRANSACTION:
831 snprintf(exp, size, "ABORT TRANSACTION");
832 break;
833 case MFDES_GET_FREE_MEMORY:
834 snprintf(exp, size, "GET FREE MEMORY");
835 break;
836 case MFDES_GET_FILE_IDS:
837 snprintf(exp, size, "GET FILE IDS");
838 break;
839 case MFDES_GET_DF_NAMES:
840 snprintf(exp, size, "GET DF NAMES");
841 break;
842 case MFDES_GET_ISOFILE_IDS:
843 snprintf(exp, size, "GET ISOFILE IDS");
844 break;
845 case MFDES_GET_FILE_SETTINGS:
846 snprintf(exp, size, "GET FILE SETTINGS");
847 break;
848 case MFDES_CHANGE_FILE_SETTINGS:
849 snprintf(exp, size, "CHANGE FILE SETTINGS");
850 break;
851 case MFDES_CREATE_STD_DATA_FILE:
852 snprintf(exp, size, "CREATE STD DATA FILE");
853 break;
854 case MFDES_CREATE_BACKUP_DATA_FILE:
855 snprintf(exp, size, "CREATE BACKUP DATA FILE");
856 break;
857 case MFDES_CREATE_VALUE_FILE:
858 snprintf(exp, size, "CREATE VALUE FILE");
859 break;
860 case MFDES_CREATE_LINEAR_RECORD_FILE:
861 snprintf(exp, size, "CREATE LINEAR RECORD FILE");
862 break;
863 case MFDES_CREATE_CYCLIC_RECORD_FILE:
864 snprintf(exp, size, "CREATE CYCLIC RECORD FILE");
865 break;
866 case MFDES_CREATE_TRANS_MAC_FILE:
867 snprintf(exp, size, "CREATE TRANSACTION MAC FILE");
868 break;
869 case MFDES_DELETE_FILE:
870 snprintf(exp, size, "DELETE FILE");
871 break;
872 case MFDES_AUTHENTICATE:
873 snprintf(exp, size, "AUTH NATIVE (keyNo %d)", cmd[pos + 4]);
874 break; // AUTHENTICATE_NATIVE
875 case MFDES_AUTHENTICATE_ISO:
876 snprintf(exp, size, "AUTH ISO (keyNo %d)", cmd[pos + 4]);
877 break; // AUTHENTICATE_STANDARD
878 case MFDES_AUTHENTICATE_AES:
879 snprintf(exp, size, "AUTH AES (keyNo %d)", cmd[pos + 4]);
880 break;
881 case MFDES_AUTHENTICATE_EV2F:
882 snprintf(exp, size, "AUTH EV2 First");
883 break;
884 case MFDES_AUTHENTICATE_EV2NF:
885 snprintf(exp, size, "AUTH EV2 Non First");
886 break;
887 case MFDES_CHANGE_KEY_SETTINGS:
888 snprintf(exp, size, "CHANGE KEY SETTINGS");
889 break;
890 case MFDES_GET_KEY_SETTINGS:
891 snprintf(exp, size, "GET KEY SETTINGS");
892 break;
893 case MFDES_CHANGE_KEY:
894 snprintf(exp, size, "CHANGE KEY");
895 break;
896 case MFDES_GET_KEY_VERSION:
897 snprintf(exp, size, "GET KEY VERSION");
898 break;
899 case MFDES_ADDITIONAL_FRAME:
900 snprintf(exp, size, "AUTH FRAME / NEXT FRAME");
901 break;
902 case MFDES_READSIG:
903 snprintf(exp, size, "READ SIGNATURE");
904 break;
905 case MFDES_ROLL_KEY_SETTINGS:
906 snprintf(exp, size, "ROLL KEY SETTINGS");
907 break;
908 case MFDES_INIT_KEY_SETTINGS:
909 snprintf(exp, size, "INIT KEY SETTINGS");
910 break;
911 case MFDES_FINALIZE_KEY_SETTINGS:
912 snprintf(exp, size, "FINALIZE KEY SETTINGS");
913 break;
914 case MFDES_GET_DELEGATE_INFO:
915 snprintf(exp, size, "GET DELEGATE INFO");
916 break;
917 case MFDES_CHANGE_KEY_EV2:
918 snprintf(exp, size, "CHANGE KEY EV2");
919 break;
920 case MFDES_COMMIT_READER_ID:
921 snprintf(exp, size, "COMMIT READER ID");
922 break;
923 case MFDES_CREATE_DELEGATE_APP:
924 snprintf(exp, size, "CREATE DELEGATE APPLICATION");
925 break;
926 case MFDES_PREPARE_PC:
927 snprintf(exp, size, "PREPARE PROXIMITY CHECK");
928 break;
929 case MFDES_PROXIMITY_CHECK:
930 snprintf(exp, size, "PROXIMITY CHECK");
931 break;
932 case MFDES_VERIFY_PC:
933 snprintf(exp, size, "VERIFY PROXIMITY CHECK");
934 break;
935 default:
936 found_annotation = false;
937 break;
938 }
939
940 if (found_annotation) {
941 break;
942 }
943 }
944 } else {
945 // anything else
946 snprintf(exp, size, "?");
947 }
948 }
949 }
950
951 /**
952 06 00 = INITIATE
953 0E xx = SELECT ID (xx = Chip-ID)
954 0B = Get UID
955 08 yy = Read Block (yy = block number)
956 09 yy dd dd dd dd = Write Block (yy = block number; dd dd dd dd = data to be written)
957 0C = Reset to Inventory
958 0F = Completion
959 0A 11 22 33 44 55 66 = Authenticate (11 22 33 44 55 66 = data to authenticate)
960 **/
961 void annotateIso14443b(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
962 switch (cmd[0]) {
963 case ISO14443B_REQB : {
964
965 switch (cmd[2] & 0x07) {
966 case 0:
967 snprintf(exp, size, "1 slot ");
968 break;
969 case 1:
970 snprintf(exp, size, "2 slots ");
971 break;
972 case 2:
973 snprintf(exp, size, "4 slots ");
974 break;
975 case 3:
976 snprintf(exp, size, "8 slots ");
977 break;
978 default:
979 snprintf(exp, size, "16 slots ");
980 break;
981 }
982 if ((cmd[2] & 0x8))
983 snprintf(exp, size, "WUPB");
984 else
985 snprintf(exp, size, "REQB");
986 break;
987 }
988 case ISO14443B_ATTRIB:
989 snprintf(exp, size, "ATTRIB");
990 break;
991 case ISO14443B_HALT:
992 snprintf(exp, size, "HALT");
993 break;
994 case ISO14443B_INITIATE:
995 snprintf(exp, size, "INITIATE");
996 break;
997 case ISO14443B_SELECT:
998 snprintf(exp, size, "SELECT(%d)", cmd[1]);
999 break;
1000 case ISO14443B_GET_UID:
1001 snprintf(exp, size, "GET UID");
1002 break;
1003 case ISO14443B_READ_BLK:
1004 snprintf(exp, size, "READ_BLK(%d)", cmd[1]);
1005 break;
1006 case ISO14443B_WRITE_BLK:
1007 snprintf(exp, size, "WRITE_BLK(%d)", cmd[1]);
1008 break;
1009 case ISO14443B_RESET:
1010 snprintf(exp, size, "RESET");
1011 break;
1012 case ISO14443B_COMPLETION:
1013 snprintf(exp, size, "COMPLETION");
1014 break;
1015 case ISO14443B_AUTHENTICATE:
1016 snprintf(exp, size, "AUTHENTICATE");
1017 break;
1018 case ISO14443B_PING:
1019 snprintf(exp, size, "PING");
1020 break;
1021 case ISO14443B_PONG:
1022 snprintf(exp, size, "PONG");
1023 break;
1024 default:
1025 snprintf(exp, size, "?");
1026 break;
1027 }
1028 }
1029
1030 // CryptoRF which is based on ISO-14443B
1031 void annotateCryptoRF(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
1032
1033 switch (cmd[0]) {
1034 case CRYPTORF_SET_USER_ZONE:
1035 snprintf(exp, size, "SET USR ZONE");
1036 break;
1037 case CRYPTORF_READ_USER_ZONE:
1038 snprintf(exp, size, "READ USR ZONE");
1039 break;
1040 case CRYPTORF_WRITE_USER_ZONE:
1041 snprintf(exp, size, "WRITE USR ZONE");
1042 break;
1043 case CRYPTORF_WRITE_SYSTEM_ZONE:
1044 snprintf(exp, size, "WRITE SYSTEM ZONE");
1045 break;
1046 case CRYPTORF_READ_SYSTEM_ZONE:
1047 snprintf(exp, size, "READ SYSTEM ZONE");
1048 break;
1049 case CRYPTORF_VERIFY_CRYPTO:
1050 snprintf(exp, size, "VERIFY CRYPTO");
1051 break;
1052 case CRYPTORF_SEND_CHECKSUM:
1053 snprintf(exp, size, "SEND CHKSUM");
1054 break;
1055 case CRYPTORF_DESELECT:
1056 snprintf(exp, size, "DESELECT");
1057 break;
1058 case CRYPTORF_IDLE:
1059 snprintf(exp, size, "IDLE");
1060 break;
1061 case CRYPTORF_CHECK_PASSWORD:
1062 snprintf(exp, size, "CHECK PWD");
1063 break;
1064 default:
1065 snprintf(exp, size, "?");
1066 break;
1067 }
1068 }
1069
1070
1071 // LEGIC
1072 // 1 = read
1073 // 0 = write
1074 // Quite simpel tag
1075 void annotateLegic(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
1076 uint8_t bitsend = cmd[0];
1077 uint8_t cmdBit = (cmd[1] & 1);
1078 switch (bitsend) {
1079 case 7:
1080 snprintf(exp, size, "IV 0x%02X", cmd[1]);
1081 break;
1082 case 6: {
1083 switch (cmd[1]) {
1084 case LEGIC_MIM_22:
1085 snprintf(exp, size, "MIM22");
1086 break;
1087 case LEGIC_MIM_256:
1088 snprintf(exp, size, "MIM256");
1089 break;
1090 case LEGIC_MIM_1024:
1091 snprintf(exp, size, "MIM1024");
1092 break;
1093 case LEGIC_ACK_22:
1094 snprintf(exp, size, "ACK 22");
1095 break;
1096 case LEGIC_ACK_256:
1097 snprintf(exp, size, "ACK 256/1024");
1098 break;
1099 }
1100 break;
1101 }
1102 case 9:
1103 case 11: {
1104
1105 uint16_t address = (cmd[2] << 7) | cmd[1] >> 1;
1106
1107 if (cmdBit == LEGIC_READ)
1108 snprintf(exp, size, "READ Byte(%d)", address);
1109
1110 if (cmdBit == LEGIC_WRITE)
1111 snprintf(exp, size, "WRITE Byte(%d)", address);
1112 break;
1113 }
1114 case 21: {
1115 if (cmdBit == LEGIC_WRITE) {
1116 uint16_t address = ((cmd[2] << 7) | cmd[1] >> 1) & 0xFF;
1117 uint8_t val = (cmd[3] & 1) << 7 | cmd[2] >> 1;
1118 snprintf(exp, size, "WRITE Byte(%d) %02X", address, val);
1119 }
1120 break;
1121 }
1122 case 23: {
1123 if (cmdBit == LEGIC_WRITE) {
1124 uint16_t address = ((cmd[2] << 7) | cmd[1] >> 1) & 0x3FF;
1125 uint8_t val = (cmd[3] & 0x7) << 5 | cmd[2] >> 3;
1126 snprintf(exp, size, "WRITE Byte(%d) %02X", address, val);
1127 }
1128 break;
1129 }
1130 case 12:
1131 default:
1132 break;
1133 }
1134 }
1135
1136 void annotateFelica(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
1137 switch (cmd[3]) {
1138 case FELICA_POLL_REQ:
1139 snprintf(exp, size, "POLLING");
1140 break;
1141 case FELICA_POLL_ACK:
1142 snprintf(exp, size, "POLL ACK");
1143 break;
1144 case FELICA_REQSRV_REQ:
1145 snprintf(exp, size, "REQUEST SERVICE");
1146 break;
1147 case FELICA_REQSRV_ACK:
1148 snprintf(exp, size, "REQ SERV ACK");
1149 break;
1150 case FELICA_REQRESP_REQ:
1151 snprintf(exp, size, "REQUEST RESPONSE");
1152 break;
1153 case FELICA_REQRESP_ACK:
1154 snprintf(exp, size, "REQ RESP ACK");
1155 break;
1156 case FELICA_RDBLK_REQ:
1157 snprintf(exp, size, "READ BLK");
1158 break;
1159 case FELICA_RDBLK_ACK:
1160 snprintf(exp, size, "READ BLK ACK");
1161 break;
1162 case FELICA_WRTBLK_REQ:
1163 snprintf(exp, size, "WRITE BLK");
1164 break;
1165 case FELICA_WRTBLK_ACK:
1166 snprintf(exp, size, "WRITE BLK ACK");
1167 break;
1168 case FELICA_SRCHSYSCODE_REQ:
1169 snprintf(exp, size, "SEARCH SERVICE CODE");
1170 break;
1171 case FELICA_SRCHSYSCODE_ACK:
1172 snprintf(exp, size, "SSC ACK");
1173 break;
1174 case FELICA_REQSYSCODE_REQ:
1175 snprintf(exp, size, "REQUEST SYSTEM CODE");
1176 break;
1177 case FELICA_REQSYSCODE_ACK:
1178 snprintf(exp, size, "RSC ACK");
1179 break;
1180 case FELICA_AUTH1_REQ:
1181 snprintf(exp, size, "AUTH 1");
1182 break;
1183 case FELICA_AUTH1_ACK:
1184 snprintf(exp, size, "AUTH 1 ACK");
1185 break;
1186 case FELICA_AUTH2_REQ:
1187 snprintf(exp, size, "AUTH 2");
1188 break;
1189 case FELICA_AUTH2_ACK:
1190 snprintf(exp, size, "AUTH 2 ACK");
1191 break;
1192 case FELICA_RDSEC_REQ:
1193 snprintf(exp, size, "READ");
1194 break;
1195 case FELICA_RDSEC_ACK:
1196 snprintf(exp, size, "READ ACK");
1197 break;
1198 case FELICA_WRTSEC_REQ:
1199 snprintf(exp, size, "WRITE");
1200 break;
1201 case FELICA_WRTSEC_ACK:
1202 snprintf(exp, size, "WRITE ACK");
1203 break;
1204 case FELICA_REQSRV2_REQ:
1205 snprintf(exp, size, "REQUEST SERVICE v2");
1206 break;
1207 case FELICA_REQSRV2_ACK:
1208 snprintf(exp, size, "REQ SERV v2 ACK");
1209 break;
1210 case FELICA_GETSTATUS_REQ:
1211 snprintf(exp, size, "GET STATUS");
1212 break;
1213 case FELICA_GETSTATUS_ACK:
1214 snprintf(exp, size, "GET STATUS ACK");
1215 break;
1216 case FELICA_OSVER_REQ:
1217 snprintf(exp, size, "REQUEST SPECIFIC VERSION");
1218 break;
1219 case FELICA_OSVER_ACK:
1220 snprintf(exp, size, "RSV ACK");
1221 break;
1222 case FELICA_RESET_MODE_REQ:
1223 snprintf(exp, size, "RESET MODE");
1224 break;
1225 case FELICA_RESET_MODE_ACK:
1226 snprintf(exp, size, "RESET MODE ACK");
1227 break;
1228 case FELICA_AUTH1V2_REQ:
1229 snprintf(exp, size, "AUTH 1 v2");
1230 break;
1231 case FELICA_AUTH1V2_ACK:
1232 snprintf(exp, size, "AUTH 1 v2 ACK");
1233 break;
1234 case FELICA_AUTH2V2_REQ:
1235 snprintf(exp, size, "AUTH 2 v2");
1236 break;
1237 case FELICA_AUTH2V2_ACK:
1238 snprintf(exp, size, "AUTH 2 v2 ACK");
1239 break;
1240 case FELICA_RDSECV2_REQ:
1241 snprintf(exp, size, "READ v2");
1242 break;
1243 case FELICA_RDSECV2_ACK:
1244 snprintf(exp, size, "READ v2 ACK");
1245 break;
1246 case FELICA_WRTSECV2_REQ:
1247 snprintf(exp, size, "WRITE v2");
1248 break;
1249 case FELICA_WRTSECV2_ACK:
1250 snprintf(exp, size, "WRITE v2 ACK");
1251 break;
1252 case FELICA_UPDATE_RNDID_REQ:
1253 snprintf(exp, size, "UPDATE RANDOM ID");
1254 break;
1255 case FELICA_UPDATE_RNDID_ACK:
1256 snprintf(exp, size, "URI ACK");
1257 break;
1258 default :
1259 snprintf(exp, size, "?");
1260 break;
1261 }
1262 }
1263
1264 void annotateLTO(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
1265 switch (cmd[0]) {
1266 case LTO_REQ_STANDARD:
1267 snprintf(exp, size, "REQ Standard");
1268 break;
1269 case LTO_SELECT:
1270 if (cmd[1] == 0x70)
1271 snprintf(exp, size, "SELECT_UID-2");
1272 else if (cmd[1] == 0x20)
1273 snprintf(exp, size, "SELECT");
1274 break;
1275 case LTO_REQ_ALL:
1276 snprintf(exp, size, "REQ All");
1277 break;
1278 case LTO_TEST_CMD_1:
1279 snprintf(exp, size, "TEST CMD 1");
1280 break;
1281 case LTO_TEST_CMD_2:
1282 snprintf(exp, size, "TEST CMD 2");
1283 break;
1284 case LTO_READWORD:
1285 snprintf(exp, size, "READWORD");
1286 break;
1287 case (LTO_READBLOCK & 0xF0):
1288 snprintf(exp, size, "READBLOCK(%d)", cmd[1]);
1289 break;
1290 case LTO_READBLOCK_CONT:
1291 snprintf(exp, size, "READBLOCK CONT");
1292 break;
1293 case LTO_WRITEWORD:
1294 snprintf(exp, size, "WRITEWORD");
1295 break;
1296 case (LTO_WRITEBLOCK & 0xF0):
1297 snprintf(exp, size, "WRITEBLOCK(%d)", cmd[1]);
1298 break;
1299 case LTO_HALT:
1300 snprintf(exp, size, "HALT");
1301 break;
1302 default:
1303 break;
1304 }
1305 }
1306
1307 void annotateMifare(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, uint8_t paritysize, bool isResponse) {
1308 if (!isResponse && cmdsize == 1) {
1309 switch (cmd[0]) {
1310 case ISO14443A_CMD_WUPA:
1311 case ISO14443A_CMD_REQA:
1312 MifareAuthState = masNone;
1313 break;
1314 default:
1315 break;
1316 }
1317 }
1318
1319 // get UID
1320 if (MifareAuthState == masNone) {
1321 if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && cmd[1] == 0x70) {
1322 ClearAuthData();
1323 AuthData.uid = bytes_to_num(&cmd[2], 4);
1324 }
1325 if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && cmd[1] == 0x70) {
1326 ClearAuthData();
1327 AuthData.uid = bytes_to_num(&cmd[2], 4);
1328 }
1329 if (cmdsize == 9 && cmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && cmd[1] == 0x70) {
1330 ClearAuthData();
1331 AuthData.uid = bytes_to_num(&cmd[2], 4);
1332 }
1333 }
1334
1335 switch (MifareAuthState) {
1336 case masNt:
1337 if (cmdsize == 4 && isResponse) {
1338 snprintf(exp, size, "AUTH: nt %s", (AuthData.first_auth) ? "" : "(enc)");
1339 MifareAuthState = masNrAr;
1340 if (AuthData.first_auth) {
1341 AuthData.nt = bytes_to_num(cmd, 4);
1342 AuthData.nt_enc_par = 0;
1343 } else {
1344 AuthData.nt_enc = bytes_to_num(cmd, 4);
1345 AuthData.nt_enc_par = parity[0] & 0xF0;
1346 }
1347 return;
1348 } else {
1349 MifareAuthState = masError;
1350 }
1351 break;
1352 case masNrAr:
1353 if (cmdsize == 8 && !isResponse) {
1354 snprintf(exp, size, "AUTH: nr ar (enc)");
1355 MifareAuthState = masAt;
1356 AuthData.nr_enc = bytes_to_num(cmd, 4);
1357 AuthData.nr_enc_par = parity[0] & 0xF0;
1358 AuthData.ar_enc = bytes_to_num(&cmd[4], 4);
1359 AuthData.ar_enc_par = parity[0] << 4;
1360 return;
1361 } else {
1362 MifareAuthState = masError;
1363 }
1364 break;
1365 case masAt:
1366 if (cmdsize == 4 && isResponse) {
1367 snprintf(exp, size, "AUTH: at (enc)");
1368 MifareAuthState = masAuthComplete;
1369 AuthData.at_enc = bytes_to_num(cmd, 4);
1370 AuthData.at_enc_par = parity[0] & 0xF0;
1371 return;
1372 } else {
1373 MifareAuthState = masError;
1374 }
1375 break;
1376 case masNone:
1377 case masError:
1378 case masAuthComplete:
1379 case masFirstData:
1380 case masData:
1381 break;
1382 }
1383
1384 if (!isResponse && ((MifareAuthState == masNone) || (MifareAuthState == masError)))
1385 annotateIso14443a(exp, size, cmd, cmdsize);
1386
1387 }
1388
1389 static void mf_get_paritybinstr(char *s, uint32_t val, uint8_t par) {
1390 uint8_t foo[4] = {0, 0, 0, 0};
1391 num_to_bytes(val, sizeof(uint32_t), foo);
1392 for (uint8_t i = 0; i < 4; i++) {
1393 if (oddparity8(foo[i]) != ((par >> (7 - (i & 0x0007))) & 0x01))
1394 sprintf(s++, "1");
1395 else
1396 sprintf(s++, "0");
1397 }
1398 }
1399
1400 bool DecodeMifareData(uint8_t *cmd, uint8_t cmdsize, uint8_t *parity, bool isResponse, uint8_t *mfData, size_t *mfDataLen, const uint64_t *dicKeys, uint32_t dicKeysCount) {
1401 static struct Crypto1State *traceCrypto1;
1402
1403 *mfDataLen = 0;
1404
1405 if (MifareAuthState == masAuthComplete) {
1406 if (traceCrypto1) {
1407 crypto1_destroy(traceCrypto1);
1408 traceCrypto1 = NULL;
1409 }
1410
1411 MifareAuthState = masFirstData;
1412 return false;
1413 }
1414
1415 if (cmdsize > 32)
1416 return false;
1417
1418 if (MifareAuthState == masFirstData) {
1419 static uint64_t mfLastKey;
1420 if (AuthData.first_auth) {
1421 AuthData.ks2 = AuthData.ar_enc ^ prng_successor(AuthData.nt, 64);
1422 AuthData.ks3 = AuthData.at_enc ^ prng_successor(AuthData.nt, 96);
1423
1424 mfLastKey = GetCrypto1ProbableKey(&AuthData);
1425 PrintAndLogEx(NORMAL, " | | * |%49s " _GREEN_("%012" PRIX64) " prng %s | |",
1426 "key",
1427 mfLastKey,
1428 validate_prng_nonce(AuthData.nt) ? _GREEN_("WEAK") : _YELLOW_("HARD"));
1429
1430 AuthData.first_auth = false;
1431
1432 traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3);
1433 } else {
1434 if (traceCrypto1) {
1435 crypto1_destroy(traceCrypto1);
1436 traceCrypto1 = NULL;
1437 }
1438
1439 // check last used key
1440 if (mfLastKey) {
1441 if (NestedCheckKey(mfLastKey, &AuthData, cmd, cmdsize, parity)) {
1442 PrintAndLogEx(NORMAL, " | | * |%60s " _GREEN_("%012" PRIX64) "| |", "last used key", mfLastKey);
1443 traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3);
1444 };
1445 }
1446
1447 // check default keys
1448 if (!traceCrypto1 && dicKeys != NULL && dicKeysCount > 0) {
1449 for (int i = 0; i < dicKeysCount; i++) {
1450 if (NestedCheckKey(dicKeys[i], &AuthData, cmd, cmdsize, parity)) {
1451 PrintAndLogEx(NORMAL, " | | * |%60s " _GREEN_("%012" PRIX64) "| |", "key", dicKeys[i]);
1452
1453 mfLastKey = dicKeys[i];
1454 traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3);
1455 break;
1456 };
1457 }
1458 }
1459
1460 // nested
1461 if (!traceCrypto1 && validate_prng_nonce(AuthData.nt)) {
1462 uint32_t ntx = prng_successor(AuthData.nt, 90);
1463 for (int i = 0; i < 16383; i++) {
1464 ntx = prng_successor(ntx, 1);
1465 if (NTParityChk(&AuthData, ntx)) {
1466
1467 uint32_t ks2 = AuthData.ar_enc ^ prng_successor(ntx, 64);
1468 uint32_t ks3 = AuthData.at_enc ^ prng_successor(ntx, 96);
1469 struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3);
1470 memcpy(mfData, cmd, cmdsize);
1471 mf_crypto1_decrypt(pcs, mfData, cmdsize, 0);
1472 crypto1_destroy(pcs);
1473
1474 if (CheckCrypto1Parity(cmd, cmdsize, mfData, parity) && check_crc(CRC_14443_A, mfData, cmdsize)) {
1475 AuthData.ks2 = ks2;
1476 AuthData.ks3 = ks3;
1477 AuthData.nt = ntx;
1478 mfLastKey = GetCrypto1ProbableKey(&AuthData);
1479 PrintAndLogEx(NORMAL, " | | * | nested probable key: " _GREEN_("%012" PRIX64) " ks2:%08x ks3:%08x | |",
1480 mfLastKey,
1481 AuthData.ks2,
1482 AuthData.ks3);
1483
1484 traceCrypto1 = lfsr_recovery64(AuthData.ks2, AuthData.ks3);
1485 break;
1486 }
1487 }
1488 }
1489 }
1490
1491 //hardnested
1492 if (!traceCrypto1) {
1493
1494 //PrintAndLogEx(NORMAL, "hardnested not implemented. uid:%x nt:%x ar_enc:%x at_enc:%x\n", AuthData.uid, AuthData.nt, AuthData.ar_enc, AuthData.at_enc);
1495
1496 char snt[5] = {0, 0, 0, 0, 0};
1497 mf_get_paritybinstr(snt, AuthData.nt_enc, AuthData.nt_enc_par);
1498 char sar[5] = {0, 0, 0, 0, 0};
1499 mf_get_paritybinstr(sar, AuthData.ar_enc, AuthData.ar_enc_par);
1500 char sat[5] = {0, 0, 0, 0, 0};
1501 mf_get_paritybinstr(sat, AuthData.at_enc, AuthData.at_enc_par);
1502
1503 PrintAndLogEx(NORMAL, "Nested authentication detected. ");
1504 PrintAndLogEx(NORMAL, "tools/mf_nonce_brute/mf_nonce_brute %x %x %s %x %x %s %x %s %s\n"
1505 , AuthData.uid
1506 , AuthData.nt_enc
1507 , snt
1508 , AuthData.nr_enc
1509 , AuthData.ar_enc
1510 , sar
1511 , AuthData.at_enc
1512 , sat
1513 , sprint_hex_inrow(cmd, cmdsize)
1514 );
1515
1516 MifareAuthState = masError;
1517
1518 /* TOO SLOW( needs to have more strong filter. with this filter - aprox 4 mln tests
1519 uint32_t t = msclock();
1520 uint32_t t1 = t;
1521 int n = 0;
1522 for (uint32_t i = 0; i < 0xFFFFFFFF; i++) {
1523 if (NTParityChk(&AuthData, i)){
1524
1525 uint32_t ks2 = AuthData.ar_enc ^ prng_successor(i, 64);
1526 uint32_t ks3 = AuthData.at_enc ^ prng_successor(i, 96);
1527 struct Crypto1State *pcs = lfsr_recovery64(ks2, ks3);
1528
1529 n++;
1530
1531 if (!(n % 100000)) {
1532 PrintAndLogEx(NORMAL, "delta=%d n=%d ks2=%x ks3=%x \n", msclock() - t1 , n, ks2, ks3);
1533 t1 = msclock();
1534 }
1535
1536 }
1537 }
1538 PrintAndLogEx(NORMAL, "delta=%d n=%d\n", msclock() - t, n);
1539 */
1540 }
1541 }
1542 MifareAuthState = masData;
1543 }
1544
1545 if (MifareAuthState == masData && traceCrypto1) {
1546 memcpy(mfData, cmd, cmdsize);
1547 mf_crypto1_decrypt(traceCrypto1, mfData, cmdsize, 0);
1548 *mfDataLen = cmdsize;
1549 }
1550
1551 return *mfDataLen > 0;
1552 }
1553
1554 bool NTParityChk(TAuthData *ad, uint32_t ntx) {
1555 if (
1556 (oddparity8(ntx >> 8 & 0xff) ^ (ntx & 0x01) ^ ((ad->nt_enc_par >> 5) & 0x01) ^ (ad->nt_enc & 0x01)) ||
1557 (oddparity8(ntx >> 16 & 0xff) ^ (ntx >> 8 & 0x01) ^ ((ad->nt_enc_par >> 6) & 0x01) ^ (ad->nt_enc >> 8 & 0x01)) ||
1558 (oddparity8(ntx >> 24 & 0xff) ^ (ntx >> 16 & 0x01) ^ ((ad->nt_enc_par >> 7) & 0x01) ^ (ad->nt_enc >> 16 & 0x01))
1559 )
1560 return false;
1561
1562 uint32_t ar = prng_successor(ntx, 64);
1563 if (
1564 (oddparity8(ar >> 8 & 0xff) ^ (ar & 0x01) ^ ((ad->ar_enc_par >> 5) & 0x01) ^ (ad->ar_enc & 0x01)) ||
1565 (oddparity8(ar >> 16 & 0xff) ^ (ar >> 8 & 0x01) ^ ((ad->ar_enc_par >> 6) & 0x01) ^ (ad->ar_enc >> 8 & 0x01)) ||
1566 (oddparity8(ar >> 24 & 0xff) ^ (ar >> 16 & 0x01) ^ ((ad->ar_enc_par >> 7) & 0x01) ^ (ad->ar_enc >> 16 & 0x01))
1567 )
1568 return false;
1569
1570 uint32_t at = prng_successor(ntx, 96);
1571 if (
1572 (oddparity8(ar & 0xff) ^ (at >> 24 & 0x01) ^ ((ad->ar_enc_par >> 4) & 0x01) ^ (ad->at_enc >> 24 & 0x01)) ||
1573 (oddparity8(at >> 8 & 0xff) ^ (at & 0x01) ^ ((ad->at_enc_par >> 5) & 0x01) ^ (ad->at_enc & 0x01)) ||
1574 (oddparity8(at >> 16 & 0xff) ^ (at >> 8 & 0x01) ^ ((ad->at_enc_par >> 6) & 0x01) ^ (ad->at_enc >> 8 & 0x01)) ||
1575 (oddparity8(at >> 24 & 0xff) ^ (at >> 16 & 0x01) ^ ((ad->at_enc_par >> 7) & 0x01) ^ (ad->at_enc >> 16 & 0x01))
1576 )
1577 return false;
1578
1579 return true;
1580 }
1581
1582 bool NestedCheckKey(uint64_t key, TAuthData *ad, uint8_t *cmd, uint8_t cmdsize, uint8_t *parity) {
1583 uint8_t buf[32] = {0};
1584 struct Crypto1State *pcs;
1585
1586 AuthData.ks2 = 0;
1587 AuthData.ks3 = 0;
1588
1589 pcs = crypto1_create(key);
1590 uint32_t nt1 = crypto1_word(pcs, ad->nt_enc ^ ad->uid, 1) ^ ad->nt_enc;
1591 uint32_t ar = prng_successor(nt1, 64);
1592 uint32_t at = prng_successor(nt1, 96);
1593
1594 crypto1_word(pcs, ad->nr_enc, 1);
1595 // uint32_t nr1 = crypto1_word(pcs, ad->nr_enc, 1) ^ ad->nr_enc; // if needs deciphered nr
1596 uint32_t ar1 = crypto1_word(pcs, 0, 0) ^ ad->ar_enc;
1597 uint32_t at1 = crypto1_word(pcs, 0, 0) ^ ad->at_enc;
1598
1599 if (!(ar == ar1 && at == at1 && NTParityChk(ad, nt1))) {
1600 crypto1_destroy(pcs);
1601 return false;
1602 }
1603
1604 memcpy(buf, cmd, cmdsize);
1605 mf_crypto1_decrypt(pcs, buf, cmdsize, 0);
1606 crypto1_destroy(pcs);
1607
1608 if (!CheckCrypto1Parity(cmd, cmdsize, buf, parity))
1609 return false;
1610
1611 if (!check_crc(CRC_14443_A, buf, cmdsize))
1612 return false;
1613
1614 AuthData.nt = nt1;
1615 AuthData.ks2 = AuthData.ar_enc ^ ar;
1616 AuthData.ks3 = AuthData.at_enc ^ at;
1617 return true;
1618 }
1619
1620 bool CheckCrypto1Parity(uint8_t *cmd_enc, uint8_t cmdsize, uint8_t *cmd, uint8_t *parity_enc) {
1621 for (int i = 0; i < cmdsize - 1; i++) {
1622 if (oddparity8(cmd[i]) ^ (cmd[i + 1] & 0x01) ^ ((parity_enc[i / 8] >> (7 - i % 8)) & 0x01) ^ (cmd_enc[i + 1] & 0x01))
1623 return false;
1624 }
1625 return true;
1626 }
1627
1628 // Another implementation of mfkey64 attack, more "valid" than "probable"
1629 //
1630 uint64_t GetCrypto1ProbableKey(TAuthData *ad) {
1631 struct Crypto1State *revstate = lfsr_recovery64(ad->ks2, ad->ks3);
1632 lfsr_rollback_word(revstate, 0, 0);
1633 lfsr_rollback_word(revstate, 0, 0);
1634 lfsr_rollback_word(revstate, ad->nr_enc, 1);
1635 lfsr_rollback_word(revstate, ad->uid ^ ad->nt, 0);
1636 uint64_t key = 0;
1637 crypto1_get_lfsr(revstate, &key);
1638 crypto1_destroy(revstate);
1639 return key;
1640 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware