search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix hf iclass config - now uses a default config card data if no config card present...
[RRG-proxmark3.git] / include / pm3_cmd.h
blob53343c5e15d1b159143cab6437dfae1643a9b0b5
1 //-----------------------------------------------------------------------------
2 // Jonathan Westhues, Mar 2006
3 // Edits by Gerhard de Koning Gans, Sep 2007
4 //
5 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
6 // at your option, any later version. See the LICENSE.txt file for the text of
7 // the license.
8 //-----------------------------------------------------------------------------
9 // Definitions for all the types of commands that may be sent over USB; our
10 // own protocol.
11 //-----------------------------------------------------------------------------
12
13 #ifndef __PM3_CMD_H
14 #define __PM3_CMD_H
15
16 #include "common.h"
17
18 // Use it e.g. when using slow links such as BT
19 #define USART_SLOW_LINK
20
21 #define PM3_CMD_DATA_SIZE 512
22 #define PM3_CMD_DATA_SIZE_MIX ( PM3_CMD_DATA_SIZE - 3 * sizeof(uint64_t) )
23
24 typedef struct {
25 uint64_t cmd;
26 uint64_t arg[3];
27 union {
28 uint8_t asBytes[PM3_CMD_DATA_SIZE];
29 uint32_t asDwords[PM3_CMD_DATA_SIZE / 4];
30 } d;
31 } PACKED PacketCommandOLD;
32
33 typedef struct {
34 uint32_t magic;
35 uint16_t length : 15; // length of the variable part, 0 if none.
36 bool ng : 1;
37 uint16_t cmd;
38 } PACKED PacketCommandNGPreamble;
39
40 #define COMMANDNG_PREAMBLE_MAGIC 0x61334d50 // PM3a
41 #define COMMANDNG_POSTAMBLE_MAGIC 0x3361 // a3
42
43 typedef struct {
44 uint16_t crc;
45 } PACKED PacketCommandNGPostamble;
46
47 // For internal usage
48 typedef struct {
49 uint16_t cmd;
50 uint16_t length;
51 uint32_t magic; // NG
52 uint16_t crc; // NG
53 uint64_t oldarg[3]; // OLD
54 union {
55 uint8_t asBytes[PM3_CMD_DATA_SIZE];
56 uint32_t asDwords[PM3_CMD_DATA_SIZE / 4];
57 } data;
58 bool ng; // does it store NG data or OLD data?
59 } PacketCommandNG;
60
61 // For reception and CRC check
62 typedef struct {
63 PacketCommandNGPreamble pre;
64 uint8_t data[PM3_CMD_DATA_SIZE];
65 PacketCommandNGPostamble foopost; // Probably not at that offset!
66 } PACKED PacketCommandNGRaw;
67
68 typedef struct {
69 uint64_t cmd;
70 uint64_t arg[3];
71 union {
72 uint8_t asBytes[PM3_CMD_DATA_SIZE];
73 uint32_t asDwords[PM3_CMD_DATA_SIZE / 4];
74 } d;
75 } PACKED PacketResponseOLD;
76
77 typedef struct {
78 uint32_t magic;
79 uint16_t length : 15; // length of the variable part, 0 if none.
80 bool ng : 1;
81 int16_t status;
82 uint16_t cmd;
83 } PACKED PacketResponseNGPreamble;
84
85 #define RESPONSENG_PREAMBLE_MAGIC 0x62334d50 // PM3b
86 #define RESPONSENG_POSTAMBLE_MAGIC 0x3362 // b3
87
88 typedef struct {
89 uint16_t crc;
90 } PACKED PacketResponseNGPostamble;
91
92 // For internal usage
93 typedef struct {
94 uint16_t cmd;
95 uint16_t length;
96 uint32_t magic; // NG
97 int16_t status; // NG
98 uint16_t crc; // NG
99 uint64_t oldarg[3]; // OLD
100 union {
101 uint8_t asBytes[PM3_CMD_DATA_SIZE];
102 uint32_t asDwords[PM3_CMD_DATA_SIZE / 4];
103 } data;
104 bool ng; // does it store NG data or OLD data?
105 } PacketResponseNG;
106
107 // For reception and CRC check
108 typedef struct {
109 PacketResponseNGPreamble pre;
110 uint8_t data[PM3_CMD_DATA_SIZE];
111 PacketResponseNGPostamble foopost; // Probably not at that offset!
112 } PACKED PacketResponseNGRaw;
113
114 // A struct used to send sample-configs over USB
115 typedef struct {
116 int8_t decimation;
117 int8_t bits_per_sample;
118 int8_t averaging;
119 int16_t divisor;
120 int16_t trigger_threshold;
121 int32_t samples_to_skip;
122 bool verbose;
123 } PACKED sample_config;
124
125 // A struct used to send hf14a-configs over USB
126 typedef struct {
127 int8_t forceanticol; // 0:auto 1:force executing anticol 2:force skipping anticol
128 int8_t forcebcc; // 0:expect valid BCC 1:force using computed BCC 2:force using card BCC
129 int8_t forcecl2; // 0:auto 1:force executing CL2 2:force skipping CL2
130 int8_t forcecl3; // 0:auto 1:force executing CL3 2:force skipping CL3
131 int8_t forcerats; // 0:auto 1:force executing RATS 2:force skipping RATS
132 } PACKED hf14a_config;
133
134 // Tracelog Header struct
135 typedef struct {
136 uint32_t timestamp;
137 uint16_t duration;
138 uint16_t data_len : 15;
139 bool isResponse : 1;
140 uint8_t frame[];
141 // data_len bytes of data
142 // ceil(data_len/8) bytes of parity
143 } PACKED tracelog_hdr_t;
144
145 #define TRACELOG_HDR_LEN sizeof(tracelog_hdr_t)
146 #define TRACELOG_PARITY_LEN(x) (((x)->data_len - 1) / 8 + 1)
147
148 // T55XX - Extended to support 1 of 4 timing
149 typedef struct {
150 uint16_t start_gap;
151 uint16_t write_gap;
152 uint16_t write_0;
153 uint16_t write_1;
154 uint16_t read_gap;
155 uint16_t write_2;
156 uint16_t write_3;
157 } t55xx_config_t;
158
159 // T55XX - This setup will allow for the 4 downlink modes "m" as well as other items if needed.
160 // Given the one struct we can then read/write to flash/client in one go.
161 typedef struct {
162 t55xx_config_t m[4]; // mode
163 } t55xx_configurations_t;
164
165
166 // Capabilities struct to keep track of what functions was compiled in the device firmware
167 typedef struct {
168 uint8_t version;
169 uint32_t baudrate;
170 uint32_t bigbuf_size;
171 bool via_fpc : 1;
172 bool via_usb : 1;
173 // rdv4
174 bool compiled_with_flash : 1;
175 bool compiled_with_smartcard : 1;
176 bool compiled_with_fpc_usart : 1;
177 bool compiled_with_fpc_usart_dev : 1;
178 bool compiled_with_fpc_usart_host : 1;
179 // lf
180 bool compiled_with_lf : 1;
181 bool compiled_with_hitag : 1;
182 bool compiled_with_em4x50 : 1;
183 bool compiled_with_em4x70 : 1;
184 // hf
185 bool compiled_with_hfsniff : 1;
186 bool compiled_with_hfplot : 1;
187 bool compiled_with_iso14443a : 1;
188 bool compiled_with_iso14443b : 1;
189 bool compiled_with_iso15693 : 1;
190 bool compiled_with_felica : 1;
191 bool compiled_with_legicrf : 1;
192 bool compiled_with_iclass : 1;
193 bool compiled_with_nfcbarcode : 1;
194 // misc
195 bool compiled_with_lcd : 1;
196
197 // rdv4
198 bool hw_available_flash : 1;
199 bool hw_available_smartcard : 1;
200 } PACKED capabilities_t;
201 #define CAPABILITIES_VERSION 5
202 extern capabilities_t pm3_capabilities;
203
204 // For CMD_LF_T55XX_WRITEBL
205 typedef struct {
206 uint32_t data;
207 uint32_t pwd;
208 uint8_t blockno;
209 uint8_t flags;
210 } PACKED t55xx_write_block_t;
211
212 typedef struct {
213 uint8_t data[128];
214 uint8_t bitlen;
215 uint32_t time;
216 } PACKED t55xx_test_block_t;
217
218 // For CMD_LF_HID_SIMULATE (FSK)
219 typedef struct {
220 uint32_t hi2;
221 uint32_t hi;
222 uint32_t lo;
223 uint8_t longFMT;
224 bool Q5;
225 bool EM;
226 } PACKED lf_hidsim_t;
227
228 // For CMD_LF_FSK_SIMULATE (FSK)
229 typedef struct {
230 uint8_t fchigh;
231 uint8_t fclow;
232 uint8_t separator;
233 uint8_t clock;
234 uint8_t data[];
235 } PACKED lf_fsksim_t;
236
237 // For CMD_LF_ASK_SIMULATE (ASK)
238 typedef struct {
239 uint8_t encoding;
240 uint8_t invert;
241 uint8_t separator;
242 uint8_t clock;
243 uint8_t data[];
244 } PACKED lf_asksim_t;
245
246 // For CMD_LF_PSK_SIMULATE (PSK)
247 typedef struct {
248 uint8_t carrier;
249 uint8_t invert;
250 uint8_t clock;
251 uint8_t data[];
252 } PACKED lf_psksim_t;
253
254 // For CMD_LF_NRZ_SIMULATE (NRZ)
255 typedef struct {
256 uint8_t invert;
257 uint8_t separator;
258 uint8_t clock;
259 uint8_t data[];
260 } PACKED lf_nrzsim_t;
261
262 typedef struct {
263 uint8_t type;
264 uint16_t len;
265 uint8_t *data;
266 } PACKED lf_hitag_t;
267
268 typedef struct {
269 uint8_t blockno;
270 uint8_t keytype;
271 uint8_t key[6];
272 } PACKED mf_readblock_t;
273
274 typedef struct {
275 uint8_t sectorcnt;
276 uint8_t keytype;
277 } PACKED mfc_eload_t;
278
279 typedef struct {
280 uint8_t status;
281 uint8_t CSN[8];
282 uint8_t CONFIG[8];
283 uint8_t CC[8];
284 uint8_t AIA[8];
285 } PACKED iclass_reader_t;
286
287 typedef struct {
288 const char *desc;
289 const char *value;
290 } PACKED ecdsa_publickey_t;
291
292
293 // iCLASS auth request data structure
294 // used with read block, dump, write block
295 typedef struct {
296 uint8_t key[8];
297 bool use_raw;
298 bool use_elite;
299 bool use_credit_key;
300 bool use_replay;
301 bool send_reply;
302 bool do_auth;
303 uint8_t blockno;
304 } PACKED iclass_auth_req_t;
305
306 // iCLASS read block response data structure
307 typedef struct {
308 bool isOK;
309 uint8_t div_key[8];
310 uint8_t mac[4];
311 uint8_t data[8];
312 } PACKED iclass_readblock_resp_t;
313
314 // iCLASS dump data structure
315 typedef struct {
316 iclass_auth_req_t req;
317 uint8_t start_block;
318 uint8_t end_block;
319 } PACKED iclass_dump_req_t;
320
321 // iCLASS write block request data structure
322 typedef struct {
323 iclass_auth_req_t req;
324 uint8_t data[8];
325 } PACKED iclass_writeblock_req_t;
326
327 // iCLASS dump data structure
328 typedef struct {
329 uint8_t blockno;
330 uint8_t data[8];
331 } PACKED iclass_restore_item_t;
332
333 typedef struct {
334 iclass_auth_req_t req;
335 uint8_t item_cnt;
336 iclass_restore_item_t blocks[];
337 } PACKED iclass_restore_req_t;
338
339 typedef struct iclass_premac {
340 uint8_t mac[4];
341 } PACKED iclass_premac_t;
342
343 typedef struct {
344 bool use_credit_key;
345 uint8_t count;
346 iclass_premac_t items[];
347 } PACKED iclass_chk_t;
348
349
350 // iclass / picopass chip config structures and shared routines
351 typedef struct {
352 uint8_t app_limit; //[8]
353 uint8_t otp[2]; //[9-10]
354 uint8_t block_writelock;//[11]
355 uint8_t chip_config; //[12]
356 uint8_t mem_config; //[13]
357 uint8_t eas; //[14]
358 uint8_t fuses; //[15]
359 } PACKED picopass_conf_block_t;
360
361 // iCLASS secure mode memory mapping
362 typedef struct {
363 uint8_t csn[8];
364 picopass_conf_block_t conf;
365 uint8_t epurse[8];
366 uint8_t key_d[8];
367 uint8_t key_c[8];
368 uint8_t app_issuer_area[8];
369 } PACKED picopass_hdr_t;
370
371 // iCLASS non-secure mode memory mapping
372 typedef struct {
373 uint8_t csn[8];
374 picopass_conf_block_t conf;
375 uint8_t app_issuer_area[8];
376 } PACKED picopass_ns_hdr_t;
377
378
379 typedef struct {
380 uint16_t delay_us;
381 bool on;
382 bool off;
383 } PACKED tearoff_params_t;
384
385 // when writing to SPIFFS
386 typedef struct {
387 bool append : 1;
388 uint16_t bytes_in_packet : 15;
389 uint8_t fnlen;
390 uint8_t fn[32];
391 uint8_t data[];
392 } PACKED flashmem_write_t;
393
394 // when CMD_FLASHMEM_WRITE old flashmem commands
395 typedef struct {
396 uint32_t startidx;
397 uint16_t len;
398 uint8_t data[PM3_CMD_DATA_SIZE - sizeof(uint32_t) - sizeof(uint16_t)];
399 } PACKED flashmem_old_write_t;
400
401
402 //-----------------------------------------------------------------------------
403 // ISO 7618 Smart Card
404 //-----------------------------------------------------------------------------
405 typedef struct {
406 uint8_t atr_len;
407 uint8_t atr[50];
408 } PACKED smart_card_atr_t;
409
410 typedef enum SMARTCARD_COMMAND {
411 SC_CONNECT = (1 << 0),
412 SC_NO_DISCONNECT = (1 << 1),
413 SC_RAW = (1 << 2),
414 SC_SELECT = (1 << 3),
415 SC_RAW_T0 = (1 << 4),
416 SC_CLEARLOG = (1 << 5),
417 SC_LOG = (1 << 6),
418 } smartcard_command_t;
419
420 typedef struct {
421 uint8_t flags;
422 uint16_t len;
423 uint8_t data[];
424 } PACKED smart_card_raw_t;
425
426
427 // For the bootloader
428 #define CMD_DEVICE_INFO 0x0000
429 //#define CMD_SETUP_WRITE 0x0001
430 #define CMD_FINISH_WRITE 0x0003
431 #define CMD_HARDWARE_RESET 0x0004
432 #define CMD_START_FLASH 0x0005
433 #define CMD_CHIP_INFO 0x0006
434 #define CMD_BL_VERSION 0x0007
435 #define CMD_NACK 0x00fe
436 #define CMD_ACK 0x00ff
437
438 // For general mucking around
439 #define CMD_DEBUG_PRINT_STRING 0x0100
440 #define CMD_DEBUG_PRINT_INTEGERS 0x0101
441 #define CMD_DEBUG_PRINT_BYTES 0x0102
442 #define CMD_LCD_RESET 0x0103
443 #define CMD_LCD 0x0104
444 #define CMD_BUFF_CLEAR 0x0105
445 #define CMD_READ_MEM 0x0106
446 #define CMD_VERSION 0x0107
447 #define CMD_STATUS 0x0108
448 #define CMD_PING 0x0109
449 #define CMD_DOWNLOAD_EML_BIGBUF 0x0110
450 #define CMD_DOWNLOADED_EML_BIGBUF 0x0111
451 #define CMD_CAPABILITIES 0x0112
452 #define CMD_QUIT_SESSION 0x0113
453 #define CMD_SET_DBGMODE 0x0114
454 #define CMD_STANDALONE 0x0115
455 #define CMD_WTX 0x0116
456 #define CMD_TIA 0x0117
457 #define CMD_BREAK_LOOP 0x0118
458 #define CMD_SET_TEAROFF 0x0119
459
460 // RDV40, Flash memory operations
461 #define CMD_FLASHMEM_WRITE 0x0121
462 #define CMD_FLASHMEM_WIPE 0x0122
463 #define CMD_FLASHMEM_DOWNLOAD 0x0123
464 #define CMD_FLASHMEM_DOWNLOADED 0x0124
465 #define CMD_FLASHMEM_INFO 0x0125
466 #define CMD_FLASHMEM_SET_SPIBAUDRATE 0x0126
467
468 // RDV40, High level flashmem SPIFFS Manipulation
469 // ALL function will have a lazy or Safe version
470 // that will be handled as argument of safety level [0..2] respectiveley normal / lazy / safe
471 // However as how design is, MOUNT and UNMOUNT only need/have lazy as safest level so a safe level will still execute a lazy version
472 // see spiffs.c for more about the normal/lazy/safety information)
473 #define CMD_SPIFFS_MOUNT 0x0130
474 #define CMD_SPIFFS_UNMOUNT 0x0131
475 #define CMD_SPIFFS_WRITE 0x0132
476
477 // We take +0x1000 when having a variant of similar function (todo : make it an argument!)
478 #define CMD_SPIFFS_APPEND 0x1132
479
480 #define CMD_SPIFFS_READ 0x0133
481 //We use no open/close instruction, as they are handled internally.
482 #define CMD_SPIFFS_REMOVE 0x0134
483 #define CMD_SPIFFS_RM CMD_SPIFFS_REMOVE
484 #define CMD_SPIFFS_RENAME 0x0135
485 #define CMD_SPIFFS_MV CMD_SPIFFS_RENAME
486 #define CMD_SPIFFS_COPY 0x0136
487 #define CMD_SPIFFS_CP CMD_SPIFFS_COPY
488 #define CMD_SPIFFS_STAT 0x0137
489 #define CMD_SPIFFS_FSTAT 0x0138
490 #define CMD_SPIFFS_INFO 0x0139
491 #define CMD_SPIFFS_FORMAT CMD_FLASHMEM_WIPE
492
493 #define CMD_SPIFFS_WIPE 0x013A
494
495 // This take a +0x2000 as they are high level helper and special functions
496 // As the others, they may have safety level argument if it makkes sense
497 #define CMD_SPIFFS_PRINT_TREE 0x2130
498 #define CMD_SPIFFS_GET_TREE 0x2131
499 #define CMD_SPIFFS_TEST 0x2132
500 #define CMD_SPIFFS_PRINT_FSINFO 0x2133
501 #define CMD_SPIFFS_DOWNLOAD 0x2134
502 #define CMD_SPIFFS_DOWNLOADED 0x2135
503 #define CMD_SPIFFS_CHECK 0x3000
504 // more ?
505
506
507 // RDV40, Smart card operations
508 #define CMD_SMART_RAW 0x0140
509 #define CMD_SMART_UPGRADE 0x0141
510 #define CMD_SMART_UPLOAD 0x0142
511 #define CMD_SMART_ATR 0x0143
512 #define CMD_SMART_SETBAUD 0x0144
513 #define CMD_SMART_SETCLOCK 0x0145
514
515 // RDV40, FPC USART
516 #define CMD_USART_RX 0x0160
517 #define CMD_USART_TX 0x0161
518 #define CMD_USART_TXRX 0x0162
519 #define CMD_USART_CONFIG 0x0163
520
521 // For low-frequency tags
522 #define CMD_LF_TI_READ 0x0202
523 #define CMD_LF_TI_WRITE 0x0203
524 #define CMD_LF_ACQ_RAW_ADC 0x0205
525 #define CMD_LF_MOD_THEN_ACQ_RAW_ADC 0x0206
526 #define CMD_DOWNLOAD_BIGBUF 0x0207
527 #define CMD_DOWNLOADED_BIGBUF 0x0208
528 #define CMD_LF_UPLOAD_SIM_SAMPLES 0x0209
529 #define CMD_LF_SIMULATE 0x020A
530 #define CMD_LF_HID_WATCH 0x020B
531 #define CMD_LF_HID_SIMULATE 0x020C
532 #define CMD_LF_SET_DIVISOR 0x020D
533 #define CMD_LF_SIMULATE_BIDIR 0x020E
534 #define CMD_SET_ADC_MUX 0x020F
535 #define CMD_LF_HID_CLONE 0x0210
536 #define CMD_LF_EM410X_WRITE 0x0211
537 #define CMD_LF_T55XX_READBL 0x0214
538 #define CMD_LF_T55XX_WRITEBL 0x0215
539 #define CMD_LF_T55XX_RESET_READ 0x0216
540 #define CMD_LF_PCF7931_READ 0x0217
541 #define CMD_LF_PCF7931_WRITE 0x0223
542 #define CMD_LF_EM4X_LOGIN 0x0229
543 #define CMD_LF_EM4X_READWORD 0x0218
544 #define CMD_LF_EM4X_WRITEWORD 0x0219
545 #define CMD_LF_EM4X_PROTECTWORD 0x021B
546 #define CMD_LF_EM4X_BF 0x022A
547 #define CMD_LF_IO_WATCH 0x021A
548 #define CMD_LF_EM410X_WATCH 0x021C
549 #define CMD_LF_EM4X50_INFO 0x0240
550 #define CMD_LF_EM4X50_WRITE 0x0241
551 #define CMD_LF_EM4X50_WRITEPWD 0x0242
552 #define CMD_LF_EM4X50_READ 0x0243
553 #define CMD_LF_EM4X50_BRUTE 0x0245
554 #define CMD_LF_EM4X50_LOGIN 0x0246
555 #define CMD_LF_EM4X50_SIM 0x0250
556 #define CMD_LF_EM4X50_READER 0x0251
557 #define CMD_LF_EM4X50_ESET 0x0252
558 #define CMD_LF_EM4X50_CHK 0x0253
559 #define CMD_LF_EM4X70_INFO 0x0260
560 #define CMD_LF_EM4X70_WRITE 0x0261
561 #define CMD_LF_EM4X70_UNLOCK 0x0262
562 #define CMD_LF_EM4X70_AUTH 0x0263
563 #define CMD_LF_EM4X70_WRITEPIN 0x0264
564 #define CMD_LF_EM4X70_WRITEKEY 0x0265
565 // Sampling configuration for LF reader/sniffer
566 #define CMD_LF_SAMPLING_SET_CONFIG 0x021D
567 #define CMD_LF_FSK_SIMULATE 0x021E
568 #define CMD_LF_ASK_SIMULATE 0x021F
569 #define CMD_LF_PSK_SIMULATE 0x0220
570 #define CMD_LF_NRZ_SIMULATE 0x0232
571 #define CMD_LF_AWID_WATCH 0x0221
572 #define CMD_LF_VIKING_CLONE 0x0222
573 #define CMD_LF_T55XX_WAKEUP 0x0224
574 #define CMD_LF_COTAG_READ 0x0225
575 #define CMD_LF_T55XX_SET_CONFIG 0x0226
576 #define CMD_LF_SAMPLING_PRINT_CONFIG 0x0227
577 #define CMD_LF_SAMPLING_GET_CONFIG 0x0228
578
579 #define CMD_LF_T55XX_CHK_PWDS 0x0230
580 #define CMD_LF_T55XX_DANGERRAW 0x0231
581
582 /* CMD_SET_ADC_MUX: ext1 is 0 for lopkd, 1 for loraw, 2 for hipkd, 3 for hiraw */
583
584 // For the 13.56 MHz tags
585 #define CMD_HF_ISO15693_ACQ_RAW_ADC 0x0300
586 #define CMD_HF_SRI_READ 0x0303
587 #define CMD_HF_ISO14443B_COMMAND 0x0305
588 #define CMD_HF_ISO15693_READER 0x0310
589 #define CMD_HF_ISO15693_SIMULATE 0x0311
590 #define CMD_HF_ISO15693_SNIFF 0x0312
591 #define CMD_HF_ISO15693_COMMAND 0x0313
592 #define CMD_HF_ISO15693_FINDAFI 0x0315
593 #define CMD_HF_ISO15693_CSETUID 0x0316
594 #define CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY 0x0317
595
596 #define CMD_LF_SNIFF_RAW_ADC 0x0360
597
598 // For Hitag2 transponders
599 #define CMD_LF_HITAG_SNIFF 0x0370
600 #define CMD_LF_HITAG_SIMULATE 0x0371
601 #define CMD_LF_HITAG_READER 0x0372
602
603 // For HitagS
604 #define CMD_LF_HITAGS_TEST_TRACES 0x0367
605 #define CMD_LF_HITAGS_SIMULATE 0x0368
606 #define CMD_LF_HITAGS_READ 0x0373
607 #define CMD_LF_HITAGS_WRITE 0x0375
608
609 #define CMD_LF_HITAG_ELOAD 0x0376
610
611 #define CMD_HF_ISO14443A_ANTIFUZZ 0x0380
612 #define CMD_HF_ISO14443B_SIMULATE 0x0381
613 #define CMD_HF_ISO14443B_SNIFF 0x0382
614
615 #define CMD_HF_ISO14443A_SNIFF 0x0383
616 #define CMD_HF_ISO14443A_SIMULATE 0x0384
617
618 #define CMD_HF_ISO14443A_READER 0x0385
619
620 #define CMD_HF_LEGIC_SIMULATE 0x0387
621 #define CMD_HF_LEGIC_READER 0x0388
622 #define CMD_HF_LEGIC_WRITER 0x0389
623
624 #define CMD_HF_EPA_COLLECT_NONCE 0x038A
625 #define CMD_HF_EPA_REPLAY 0x038B
626
627 #define CMD_HF_LEGIC_INFO 0x03BC
628 #define CMD_HF_LEGIC_ESET 0x03BD
629
630 // iCLASS / Picopass
631 #define CMD_HF_ICLASS_READCHECK 0x038F
632 #define CMD_HF_ICLASS_DUMP 0x0391
633 #define CMD_HF_ICLASS_SNIFF 0x0392
634 #define CMD_HF_ICLASS_SIMULATE 0x0393
635 #define CMD_HF_ICLASS_READER 0x0394
636 #define CMD_HF_ICLASS_READBL 0x0396
637 #define CMD_HF_ICLASS_WRITEBL 0x0397
638 #define CMD_HF_ICLASS_EML_MEMSET 0x0398
639 #define CMD_HF_ICLASS_CHKKEYS 0x039A
640 #define CMD_HF_ICLASS_RESTORE 0x039B
641
642 // For ISO1092 / FeliCa
643 #define CMD_HF_FELICA_SIMULATE 0x03A0
644 #define CMD_HF_FELICA_SNIFF 0x03A1
645 #define CMD_HF_FELICA_COMMAND 0x03A2
646 //temp
647 #define CMD_HF_FELICALITE_DUMP 0x03AA
648 #define CMD_HF_FELICALITE_SIMULATE 0x03AB
649
650 // For 14a config
651 #define CMD_HF_ISO14443A_PRINT_CONFIG 0x03B0
652 #define CMD_HF_ISO14443A_GET_CONFIG 0x03B1
653 #define CMD_HF_ISO14443A_SET_CONFIG 0x03B2
654
655 // For measurements of the antenna tuning
656 #define CMD_MEASURE_ANTENNA_TUNING 0x0400
657 #define CMD_MEASURE_ANTENNA_TUNING_HF 0x0401
658 #define CMD_MEASURE_ANTENNA_TUNING_LF 0x0402
659 #define CMD_LISTEN_READER_FIELD 0x0420
660 #define CMD_HF_DROPFIELD 0x0430
661
662 // For direct FPGA control
663 #define CMD_FPGA_MAJOR_MODE_OFF 0x0500
664
665 // For mifare commands
666 #define CMD_HF_MIFARE_EML_MEMCLR 0x0601
667 #define CMD_HF_MIFARE_EML_MEMSET 0x0602
668 #define CMD_HF_MIFARE_EML_MEMGET 0x0603
669 #define CMD_HF_MIFARE_EML_LOAD 0x0604
670
671 // magic chinese card commands
672 #define CMD_HF_MIFARE_CSETBL 0x0605
673 #define CMD_HF_MIFARE_CGETBL 0x0606
674 #define CMD_HF_MIFARE_CIDENT 0x0607
675
676 #define CMD_HF_MIFARE_SIMULATE 0x0610
677
678 #define CMD_HF_MIFARE_READER 0x0611
679 #define CMD_HF_MIFARE_NESTED 0x0612
680 #define CMD_HF_MIFARE_ACQ_ENCRYPTED_NONCES 0x0613
681 #define CMD_HF_MIFARE_ACQ_NONCES 0x0614
682 #define CMD_HF_MIFARE_STATIC_NESTED 0x0615
683
684 #define CMD_HF_MIFARE_READBL 0x0620
685 #define CMD_HF_MIFAREU_READBL 0x0720
686 #define CMD_HF_MIFARE_READSC 0x0621
687 #define CMD_HF_MIFAREU_READCARD 0x0721
688 #define CMD_HF_MIFARE_WRITEBL 0x0622
689 #define CMD_HF_MIFAREU_WRITEBL 0x0722
690 #define CMD_HF_MIFAREU_WRITEBL_COMPAT 0x0723
691
692 #define CMD_HF_MIFARE_CHKKEYS 0x0623
693 #define CMD_HF_MIFARE_SETMOD 0x0624
694 #define CMD_HF_MIFARE_CHKKEYS_FAST 0x0625
695 #define CMD_HF_MIFARE_CHKKEYS_FILE 0x0626
696
697 #define CMD_HF_MIFARE_SNIFF 0x0630
698 #define CMD_HF_MIFARE_MFKEY 0x0631
699 #define CMD_HF_MIFARE_PERSONALIZE_UID 0x0632
700
701 //ultralightC
702 #define CMD_HF_MIFAREUC_AUTH 0x0724
703 //0x0725 and 0x0726 no longer used
704 #define CMD_HF_MIFAREUC_SETPWD 0x0727
705
706 // mifare desfire
707 #define CMD_HF_DESFIRE_READBL 0x0728
708 #define CMD_HF_DESFIRE_WRITEBL 0x0729
709 #define CMD_HF_DESFIRE_AUTH1 0x072a
710 #define CMD_HF_DESFIRE_AUTH2 0x072b
711 #define CMD_HF_DESFIRE_READER 0x072c
712 #define CMD_HF_DESFIRE_INFO 0x072d
713 #define CMD_HF_DESFIRE_COMMAND 0x072e
714
715 #define CMD_HF_MIFARE_NACK_DETECT 0x0730
716 #define CMD_HF_MIFARE_STATIC_NONCE 0x0731
717
718 // MFU OTP TearOff
719 #define CMD_HF_MFU_OTP_TEAROFF 0x0740
720 // MFU_Ev1 Counter TearOff
721 #define CMD_HF_MFU_COUNTER_TEAROFF 0x0741
722
723
724 #define CMD_HF_SNIFF 0x0800
725 #define CMD_HF_PLOT 0x0801
726
727 // Fpga plot download
728 #define CMD_FPGAMEM_DOWNLOAD 0x0802
729 #define CMD_FPGAMEM_DOWNLOADED 0x0803
730
731 // For ThinFilm Kovio
732 #define CMD_HF_THINFILM_READ 0x0810
733 #define CMD_HF_THINFILM_SIMULATE 0x0811
734
735 //For Atmel CryptoRF
736 #define CMD_HF_CRYPTORF_SIM 0x0820
737
738 // Gen 3 magic cards
739 #define CMD_HF_MIFARE_GEN3UID 0x0850
740 #define CMD_HF_MIFARE_GEN3BLK 0x0851
741 #define CMD_HF_MIFARE_GEN3FREEZ 0x0852
742
743 // Gen 3 GTU magic cards
744 #define CMD_HF_MIFARE_G3_RDBL 0x0860
745
746 #define CMD_UNKNOWN 0xFFFF
747
748 //Mifare simulation flags
749 #define FLAG_INTERACTIVE 0x01
750 #define FLAG_4B_UID_IN_DATA 0x02
751 #define FLAG_7B_UID_IN_DATA 0x04
752 #define FLAG_10B_UID_IN_DATA 0x08
753 #define FLAG_UID_IN_EMUL 0x10
754 #define FLAG_NR_AR_ATTACK 0x20
755 #define FLAG_MF_MINI 0x80
756 #define FLAG_MF_1K 0x100
757 #define FLAG_MF_2K 0x200
758 #define FLAG_MF_4K 0x400
759 #define FLAG_FORCED_ATQA 0x800
760 #define FLAG_FORCED_SAK 0x1000
761 #define FLAG_CVE21_0430 0x2000
762
763
764 // iCLASS reader flags
765 #define FLAG_ICLASS_READER_INIT 0x01
766 #define FLAG_ICLASS_READER_CLEARTRACE 0x02
767 #define FLAG_ICLASS_READER_ONLY_ONCE 0x04
768 #define FLAG_ICLASS_READER_CREDITKEY 0x08
769 #define FLAG_ICLASS_READER_AIA 0x10
770
771 // iCLASS reader status flags
772 #define FLAG_ICLASS_CSN 0x01
773 #define FLAG_ICLASS_CC 0x02
774 #define FLAG_ICLASS_CONF 0x04
775 #define FLAG_ICLASS_AIA 0x08
776
777 // iCLASS simulation modes
778 #define ICLASS_SIM_MODE_CSN 0
779 #define ICLASS_SIM_MODE_CSN_DEFAULT 1
780 #define ICLASS_SIM_MODE_READER_ATTACK 2
781 #define ICLASS_SIM_MODE_FULL 3
782 #define ICLASS_SIM_MODE_READER_ATTACK_KEYROLL 4
783 #define ICLASS_SIM_MODE_EXIT_AFTER_MAC 5 // note: device internal only
784 #define ICLASS_SIM_MODE_CONFIG_CARD 6
785
786 #define MODE_SIM_CSN 0
787 #define MODE_EXIT_AFTER_MAC 1
788 #define MODE_FULLSIM 2
789
790 // Static Nonce detection
791 #define NONCE_FAIL 0x01
792 #define NONCE_NORMAL 0x02
793 #define NONCE_STATIC 0x03
794
795 // Dbprintf flags
796 #define FLAG_RAWPRINT 0x00
797 #define FLAG_LOG 0x01
798 #define FLAG_NEWLINE 0x02
799 #define FLAG_INPLACE 0x04
800 #define FLAG_ANSI 0x08
801
802 // Error codes Usages:
803
804 // Success, transfer nonces pm3: Sending nonces back to client
805 #define PM3_SNONCES 1
806 // Success (no error)
807 #define PM3_SUCCESS 0
808
809 // Undefined error
810 #define PM3_EUNDEF -1
811 // Invalid argument(s) client: user input parsing
812 #define PM3_EINVARG -2
813 // Operation not supported by device client/pm3: probably only on pm3 once client becomes universal
814 #define PM3_EDEVNOTSUPP -3
815 // Operation timed out client: no response in time from pm3
816 #define PM3_ETIMEOUT -4
817 // Operation aborted (by user) client/pm3: kbd/button pressed
818 #define PM3_EOPABORTED -5
819 // Not (yet) implemented client/pm3: TBD place holder
820 #define PM3_ENOTIMPL -6
821 // Error while RF transmission client/pm3: fail between pm3 & card
822 #define PM3_ERFTRANS -7
823 // Input / output error pm3: error in client frame reception
824 #define PM3_EIO -8
825 // Buffer overflow client/pm3: specified buffer too large for the operation
826 #define PM3_EOVFLOW -9
827 // Software error client/pm3: e.g. error in parsing some data
828 #define PM3_ESOFT -10
829 // Flash error client/pm3: error in RDV4 Flash operation
830 #define PM3_EFLASH -11
831 // Memory allocation error client: error in memory allocation (maybe also for pm3 BigBuff?)
832 #define PM3_EMALLOC -12
833 // File error client: error related to file access on host
834 #define PM3_EFILE -13
835 // Generic TTY error
836 #define PM3_ENOTTY -14
837 // Initialization error pm3: error related to trying to initialize the pm3 / fpga for different operations
838 #define PM3_EINIT -15
839 // Expected a different answer error client/pm3: error when expecting one answer and got another one
840 #define PM3_EWRONGANSWER -16
841 // Memory out-of-bounds error client/pm3: error when a read/write is outside the expected array
842 #define PM3_EOUTOFBOUND -17
843 // exchange with card error client/pm3: error when cant get answer from card or got an incorrect answer
844 #define PM3_ECARDEXCHANGE -18
845
846 // Failed to create APDU,
847 #define PM3_EAPDU_ENCODEFAIL -19
848 // APDU responded with a failure code
849 #define PM3_EAPDU_FAIL -20
850
851 // execute pm3 cmd failed client/pm3: when one of our pm3 cmd tries and fails. opposite from PM3_SUCCESS
852 #define PM3_EFAILED -21
853 // partial success client/pm3: when trying to dump a tag and fails on some blocks. Partial dump.
854 #define PM3_EPARTIAL -22
855 // tearoff occured client/pm3: when a tearoff hook was called and a tearoff actually happened
856 #define PM3_ETEAROFF -23
857
858 // Got bad CRC client/pm3: error in transfer of data, crc mismatch.
859 #define PM3_ECRC -24
860
861 // No data pm3: no data available, no host frame available (not really an error)
862 #define PM3_ENODATA -98
863 // Quit program client: reserved, order to quit the program
864 #define PM3_EFATAL -99
865
866 // LF
867 #define LF_FREQ2DIV(f) ((int)(((12000.0 + (f)/2.0)/(f))-1))
868 #define LF_DIVISOR_125 LF_FREQ2DIV(125)
869 #define LF_DIVISOR_134 LF_FREQ2DIV(134.2)
870 #define LF_DIV2FREQ(d) (12000.0/((d)+1))
871 #define LF_CMDREAD_MAX_EXTRA_SYMBOLS 4
872
873 // Receiving from USART need more than 30ms as we used on USB
874 // else we get errors about partial packet reception
875 // FTDI 9600 hw status -> we need 20ms
876 // FTDI 115200 hw status -> we need 50ms
877 // FTDI 460800 hw status -> we need 30ms
878 // BT 115200 hf mf fchk --1k -f file.dic -> we need 140ms
879 // all zero's configure: no timeout for read/write used.
880 // took settings from libnfc/buses/uart.c
881
882 // uart_windows.c & uart_posix.c
883 # define UART_FPC_CLIENT_RX_TIMEOUT_MS 200
884 # define UART_USB_CLIENT_RX_TIMEOUT_MS 20
885 # define UART_TCP_CLIENT_RX_TIMEOUT_MS 500
886
887
888 // CMD_DEVICE_INFO response packet has flags in arg[0], flag definitions:
889 /* Whether a bootloader that understands the common_area is present */
890 #define DEVICE_INFO_FLAG_BOOTROM_PRESENT (1<<0)
891
892 /* Whether a osimage that understands the common_area is present */
893 #define DEVICE_INFO_FLAG_OSIMAGE_PRESENT (1<<1)
894
895 /* Set if the bootloader is currently executing */
896 #define DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM (1<<2)
897
898 /* Set if the OS is currently executing */
899 #define DEVICE_INFO_FLAG_CURRENT_MODE_OS (1<<3)
900
901 /* Set if this device understands the extend start flash command */
902 #define DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH (1<<4)
903
904 /* Set if this device understands the chip info command */
905 #define DEVICE_INFO_FLAG_UNDERSTANDS_CHIP_INFO (1<<5)
906
907 /* Set if this device understands the version command */
908 #define DEVICE_INFO_FLAG_UNDERSTANDS_VERSION (1<<6)
909
910 #define BL_VERSION_MAJOR(version) ((uint32_t)(version) >> 22)
911 #define BL_VERSION_MINOR(version) (((uint32_t)(version) >> 12) & 0x3ff)
912 #define BL_VERSION_PATCH(version) ((uint32_t)(version) & 0xfff)
913 #define BL_MAKE_VERSION(major, minor, patch) (((major) << 22) | ((minor) << 12) | (patch))
914 // Some boundaries to distinguish valid versions from corrupted info
915 #define BL_VERSION_FIRST_MAJOR 1
916 #define BL_VERSION_LAST_MAJOR 99
917 #define BL_VERSION_INVALID 0
918 // Different versions here. Each version should increase the numbers
919 #define BL_VERSION_1_0_0 BL_MAKE_VERSION(1, 0, 0)
920
921
922 /* CMD_START_FLASH may have three arguments: start of area to flash,
923 end of area to flash, optional magic.
924 The bootrom will not allow to overwrite itself unless this magic
925 is given as third parameter */
926
927 #define START_FLASH_MAGIC 0x54494f44 // 'DOIT'
928
929 #endif
Proxmark3 - the RFID research Swiss army knife. Iceman firmware