search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #2741 from Donny-Guo/hidbrute
[RRG-proxmark3.git] / armsrc / Standalone / hf_young.c
blob62d215dbad9fd159d74929c599113bfc52d96c79
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Craig Young, 2014
3 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
4 //
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, either version 3 of the License, or
8 // (at your option) any later version.
9 //
10 // This program is distributed in the hope that it will be useful,
11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 // GNU General Public License for more details.
14 //
15 // See LICENSE.txt for the text of the license.
16 //-----------------------------------------------------------------------------
17 // main code for HF standalone mode Mifare /sniff/emulation by Craig Young
18 //-----------------------------------------------------------------------------
19
20 #include "standalone.h" // standalone definitions
21 #include <inttypes.h>
22 #include "proxmark3_arm.h"
23 #include "appmain.h"
24 #include "fpgaloader.h"
25 #include "util.h"
26 #include "dbprint.h"
27 #include "ticks.h"
28 #include "string.h"
29 #include "commonutil.h"
30 #include "mifarecmd.h"
31 #include "iso14443a.h"
32 #include "protocols.h"
33
34 #define OPTS 2
35
36 typedef struct {
37 uint8_t uid[10];
38 uint8_t uidlen;
39 uint8_t atqa[2];
40 uint8_t sak;
41 } PACKED card_clone_t;
42
43
44 void ModInfo(void) {
45 DbpString(" HF Mifare sniff/simulation - (Craig Young)");
46 }
47
48 void RunMod(void) {
49 StandAloneMode();
50 Dbprintf(">> Craig Young Mifare sniff UID/clone uid 2 magic/sim a.k.a YoungRun Started <<");
51 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
52
53 int selected = 0, playing = 0, iGotoRecord = 0, iGotoClone = 0;
54 int cardRead[OPTS] = {0};
55
56 card_clone_t uids[OPTS];
57 iso14a_card_select_t card[OPTS];
58 uint8_t params = (MAGIC_SINGLE | MAGIC_WUPC | MAGIC_DATAIN);
59
60 LED(selected + 1, 0);
61
62 for (;;) {
63 WDT_HIT();
64 // exit from Standalone Mode, send a usbcommand.
65 if (data_available()) break;
66
67 SpinDelay(300);
68
69 if (iGotoRecord == 1 || cardRead[selected] == 0) {
70 iGotoRecord = 0;
71 LEDsoff();
72 LED(selected + 1, 0);
73 LED(LED_D, 0);
74
75 // record
76 Dbprintf("Enabling iso14443a reader mode for [Bank: %d]...", selected);
77 /* need this delay to prevent catching some weird data */
78 SpinDelay(500);
79 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
80
81 for (;;) {
82 // exit from Standalone Mode, send a usbcommand.
83 if (data_available()) break;
84
85 if (BUTTON_PRESS()) {
86 if (cardRead[selected]) {
87 Dbprintf("Button press detected -- replaying card in bank[%d]", selected);
88 break;
89 } else if (cardRead[(selected + 1) % OPTS]) {
90 Dbprintf("Button press detected but no card in bank[%d] so playing from bank[%d]", selected, (selected + 1) % OPTS);
91 selected = (selected + 1) % OPTS;
92 break; // playing = 1;
93 } else {
94 Dbprintf("Button press detected but no stored tag to play. (Ignoring button)");
95 SpinDelay(300);
96 }
97 }
98
99 if (!iso14443a_select_card(NULL, &card[selected], NULL, true, 0, true)) {
100 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
101 LED_D_OFF();
102 SpinDelay(500);
103 continue;
104 } else {
105 Dbprintf("Read UID:");
106 Dbhexdump(card[selected].uidlen, card[selected].uid, 0);
107
108 if (memcmp(uids[(selected + 1) % OPTS].uid, card[selected].uid, card[selected].uidlen) == 0) {
109 Dbprintf("Card selected has same UID as what is stored in the other bank. Skipping.");
110 } else {
111 uids[selected].sak = card[selected].sak;
112 uids[selected].uidlen = card[selected].uidlen;
113 memcpy(uids[selected].uid, card[selected].uid, uids[selected].uidlen);
114 memcpy(uids[selected].atqa, card[selected].atqa, 2);
115
116 if (uids[selected].uidlen > 4)
117 Dbprintf("Bank[%d] received a 7-byte UID", selected);
118 else
119 Dbprintf("Bank[%d] received a 4-byte UID", selected);
120 break;
121 }
122 }
123 }
124
125 Dbprintf("ATQA = %02X%02X", uids[selected].atqa[0], uids[selected].atqa[1]);
126 Dbprintf("SAK = %02X", uids[selected].sak);
127 LEDsoff();
128 LED(LED_B, 200);
129 LED(LED_A, 200);
130 LED(LED_B, 200);
131 LED(LED_A, 200);
132
133 LEDsoff();
134 LED(selected + 1, 0);
135
136 // Next state is replay:
137 playing = 1;
138
139 cardRead[selected] = 1;
140 }
141
142 /* MF Classic UID clone */
143 else if (iGotoClone == 1) {
144 iGotoClone = 0;
145 LEDsoff();
146 LED(selected + 1, 0);
147 LED(LED_A, 250);
148
149 // magiccards holds 4bytes uid. *usually*
150 uint32_t tmpuid = bytes_to_num(uids[selected].uid, 4);
151
152 // record
153 Dbprintf("Preparing to Clone card [Bank: %d]; uid: %08x", selected, tmpuid);
154
155 // wait for button to be released
156 // Delay cloning until card is in place
157 while (BUTTON_PRESS())
158 WDT_HIT();
159
160 Dbprintf("Starting clone. [Bank: %d]", selected);
161 // need this delay to prevent catching some weird data
162 SpinDelay(500);
163 // Begin clone function here:
164 /* Example from client/mifarehost.c for commanding a block write for "magic Chinese" cards:
165 SendCommandMIX(CMD_HF_MIFARE_CSETBL, params & (0xFE | (uid == NULL ? 0:1)), blockNo, 0, data, 16);
166
167 Block read is similar:
168 SendCommandMIX(CMD_HF_MIFARE_CGETBL, params, blockNo, 0,...};
169 We need to imitate that call with blockNo 0 to set a uid.
170
171 The get and set commands are handled in this file:
172 // Work with "magic Chinese" card
173 case CMD_HF_MIFARE_CSETBL:
174 MifareCSetBlock(c->arg[0], c->arg[1], c->d.asBytes);
175 break;
176 case CMD_HF_MIFARE_CGETBL:
177 MifareCGetBlock(c->arg[0], c->arg[1], c->d.asBytes);
178 break;
179
180 mf_chinese_set_uid provides example logic for UID set workflow:
181 -Read block0 from card in field with MifareCGetBlock()
182 -Configure new values without replacing reserved bytes
183 memcpy(block0, uid, 4); // Copy UID bytes from byte array
184 // Mifare UID BCC
185 block0[4] = block0[0]^block0[1]^block0[2]^block0[3]; // BCC on byte 5
186 Bytes 5-7 are reserved SAK and ATQA for mifare classic
187 -Use mf_chinese_set_block(0, block0, oldUID, wantWipe, MAGIC_SINGLE | MAGIC_WUPC) to write it
188 */
189 uint8_t oldBlock0[16] = {0}, newBlock0[16] = {0};
190 // arg0 = Flags, arg1=blockNo
191 MifareCGetBlock(params, 0, oldBlock0);
192 if (oldBlock0[0] == 0 && oldBlock0[0] == oldBlock0[1] && oldBlock0[1] == oldBlock0[2] && oldBlock0[2] == oldBlock0[3]) {
193 Dbprintf("No changeable tag detected. Returning to replay mode for bank[%d]", selected);
194 playing = 1;
195 } else {
196 uint8_t testBlock0[16] = {0};
197 Dbprintf("UID from target tag: %02X%02X%02X%02X", oldBlock0[0], oldBlock0[1], oldBlock0[2], oldBlock0[3]);
198 memcpy(newBlock0 + 5, oldBlock0 + 5, 11);
199
200 // Copy uid for bank (2nd is for longer UIDs not supported if classic)
201 memcpy(newBlock0, uids[selected].uid, 4);
202 newBlock0[4] = newBlock0[0] ^ newBlock0[1] ^ newBlock0[2] ^ newBlock0[3];
203
204 // arg0 = workFlags, arg1 = blockNo, datain
205 MifareCSetBlock(params, 0, newBlock0);
206 MifareCGetBlock(params, 0, testBlock0);
207
208 if (memcmp(testBlock0, newBlock0, 16) == 0) {
209 DbpString("Cloned successful!");
210 cardRead[selected] = 0; // Only if the card was cloned successfully should we clear it
211 playing = 0;
212 iGotoRecord = 1;
213 selected = (selected + 1) % OPTS;
214 } else {
215 Dbprintf("Clone failed. Back to replay mode on bank[%d]", selected);
216 playing = 1;
217 }
218 }
219 LEDsoff();
220 LED(selected + 1, 0);
221 }
222
223 // Change where to record (or begin playing)
224 // button_pressed == BUTTON_SINGLE_CLICK && cardRead[selected])
225 else if (playing == 1) {
226 LEDsoff();
227 LED(selected + 1, 0);
228
229 // Begin transmitting
230 LED(LED_B, 0);
231 DbpString("Playing");
232 for (; ;) {
233 // exit from Standalone Mode, send a usbcommand.
234 if (data_available()) break;
235
236 int button_pressed = BUTTON_HELD(1000);
237 if (button_pressed == BUTTON_NO_CLICK) { // No button action, proceed with sim
238
239 uint16_t flags = 0;
240 FLAG_SET_UID_IN_DATA(flags, 4);
241 uint8_t data[PM3_CMD_DATA_SIZE] = {0}; // in case there is a read command received we shouldn't break
242
243 memcpy(data, uids[selected].uid, uids[selected].uidlen);
244
245 uint64_t tmpuid = bytes_to_num(uids[selected].uid, uids[selected].uidlen);
246
247 if (uids[selected].uidlen == 7) {
248 FLAG_SET_UID_IN_DATA(flags, 7);
249 Dbprintf("Simulating ISO14443a tag with uid: %014" PRIx64 " [Bank: %d]", tmpuid, selected);
250 } else {
251 Dbprintf("Simulating ISO14443a tag with uid: %08" PRIx64 " [Bank: %d]", tmpuid, selected);
252 }
253
254 if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0) {
255 DbpString("Mifare Classic 1k");
256 SimulateIso14443aTag(1, flags, data, 0, NULL, 0);
257 } else if (uids[selected].sak == 0x18 && uids[selected].atqa[0] == 0x02 && uids[selected].atqa[1] == 0) {
258 DbpString("Mifare Classic 4k (4b uid)");
259 SimulateIso14443aTag(8, flags, data, 0, NULL, 0);
260 } else if (uids[selected].sak == 0x08 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
261 DbpString("Mifare Classic 4k (7b uid)");
262 SimulateIso14443aTag(8, flags, data, 0, NULL, 0);
263 } else if (uids[selected].sak == 0x00 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0) {
264 DbpString("Mifare Ultralight");
265 SimulateIso14443aTag(2, flags, data, 0, NULL, 0);
266 } else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x04 && uids[selected].atqa[1] == 0x03) {
267 DbpString("Mifare DESFire");
268 SimulateIso14443aTag(3, flags, data, 0, NULL, 0);
269 } else if (uids[selected].sak == 0x20 && uids[selected].atqa[0] == 0x44 && uids[selected].atqa[1] == 0x03) {
270 DbpString("Mifare DESFire Ev1/Plus/JCOP");
271 SimulateIso14443aTag(3, flags, data, 0, NULL, 0);
272 } else {
273 Dbprintf("Unrecognized tag type -- defaulting to Mifare Classic emulation");
274 SimulateIso14443aTag(1, flags, data, 0, NULL, 0);
275 }
276
277 } else if (button_pressed == BUTTON_SINGLE_CLICK) {
278 selected = (selected + 1) % OPTS;
279 Dbprintf("Done playing. Switching to record mode on bank %d", selected);
280 iGotoRecord = 1;
281 break;
282 } else if (button_pressed == BUTTON_HOLD) {
283 Dbprintf("Playtime over. Begin cloning...");
284 iGotoClone = 1;
285 break;
286 }
287 }
288
289 /* We pressed a button so ignore it here with a delay */
290 SpinDelay(300);
291 LEDsoff();
292 LED(selected + 1, 0);
293 }
294 }
295 DbpString(_YELLOW_("[=]") "exiting");
296 LEDsoff();
297 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware