search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix gcc 10 link issues
[legacy-proxmark3.git] / armsrc / mifaresim.c
blobabf800ce30ec0cf6563c8d79fb0a86d0d2b0f49b
1 //-----------------------------------------------------------------------------
2 // Merlok - June 2011, 2012
3 // Gerhard de Koning Gans - May 2008
4 // Hagen Fritsch - June 2010
5 //
6 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
7 // at your option, any later version. See the LICENSE.txt file for the text of
8 // the license.
9 //-----------------------------------------------------------------------------
10 // Mifare Classic Card Simulation
11 //-----------------------------------------------------------------------------
12
13 #include "mifaresim.h"
14 #include "iso14443a.h"
15 #include "iso14443crc.h"
16 #include "crapto1/crapto1.h"
17 #include "BigBuf.h"
18 #include "string.h"
19 #include "mifareutil.h"
20 #include "fpgaloader.h"
21 #include "proxmark3.h"
22 #include "usb_cdc.h"
23 #include "protocols.h"
24 #include "apps.h"
25 #include "util.h"
26
27
28 //mifare emulator states
29 #define MFEMUL_NOFIELD 0
30 #define MFEMUL_IDLE 1
31 #define MFEMUL_SELECT1 2
32 #define MFEMUL_SELECT2 3
33 #define MFEMUL_SELECT3 4
34 #define MFEMUL_AUTH1 5
35 #define MFEMUL_AUTH2 6
36 #define MFEMUL_WORK 7
37 #define MFEMUL_WRITEBL2 8
38 #define MFEMUL_INTREG_INC 9
39 #define MFEMUL_INTREG_DEC 10
40 #define MFEMUL_INTREG_REST 11
41 #define MFEMUL_HALTED 12
42
43 #define AC_DATA_READ 0
44 #define AC_DATA_WRITE 1
45 #define AC_DATA_INC 2
46 #define AC_DATA_DEC_TRANS_REST 3
47 #define AC_KEYA_READ 0
48 #define AC_KEYA_WRITE 1
49 #define AC_KEYB_READ 2
50 #define AC_KEYB_WRITE 3
51 #define AC_AC_READ 4
52 #define AC_AC_WRITE 5
53
54 #define AUTHKEYA 0
55 #define AUTHKEYB 1
56 #define AUTHKEYNONE 0xff
57
58
59 static int ParamCardSizeBlocks(const char c) {
60 int numBlocks = 16 * 4;
61 switch (c) {
62 case '0' : numBlocks = 5 * 4; break;
63 case '2' : numBlocks = 32 * 4; break;
64 case '4' : numBlocks = 32 * 4 + 8 * 16; break;
65 default: numBlocks = 16 * 4;
66 }
67 return numBlocks;
68 }
69
70 static uint8_t BlockToSector(int block_num) {
71 if (block_num < 32 * 4) { // 4 blocks per sector
72 return (block_num / 4);
73 } else { // 16 blocks per sector
74 return 32 + (block_num - 32 * 4) / 16;
75 }
76 }
77
78 static bool IsTrailerAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
79 uint8_t sector_trailer[16];
80 emlGetMem(sector_trailer, blockNo, 1);
81 uint8_t AC = ((sector_trailer[7] >> 5) & 0x04)
82 | ((sector_trailer[8] >> 2) & 0x02)
83 | ((sector_trailer[8] >> 7) & 0x01);
84 switch (action) {
85 case AC_KEYA_READ: {
86 return false;
87 break;
88 }
89 case AC_KEYA_WRITE: {
90 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
91 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
92 break;
93 }
94 case AC_KEYB_READ: {
95 return (keytype == AUTHKEYA && (AC == 0x00 || AC == 0x02 || AC == 0x01));
96 break;
97 }
98 case AC_KEYB_WRITE: {
99 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x01))
100 || (keytype == AUTHKEYB && (AC == 0x04 || AC == 0x03)));
101 break;
102 }
103 case AC_AC_READ: {
104 return ((keytype == AUTHKEYA)
105 || (keytype == AUTHKEYB && !(AC == 0x00 || AC == 0x02 || AC == 0x01)));
106 break;
107 }
108 case AC_AC_WRITE: {
109 return ((keytype == AUTHKEYA && (AC == 0x01))
110 || (keytype == AUTHKEYB && (AC == 0x03 || AC == 0x05)));
111 break;
112 }
113 default: return false;
114 }
115 }
116
117
118 static bool IsDataAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action)
119 {
120 uint8_t sector_trailer[16];
121 emlGetMem(sector_trailer, SectorTrailer(blockNo), 1);
122
123 uint8_t sector_block;
124 if (blockNo < 32*4) {
125 sector_block = blockNo & 0x03;
126 } else {
127 sector_block = (blockNo & 0x0f) / 5;
128 }
129
130 uint8_t AC;
131 switch (sector_block) {
132 case 0x00: {
133 AC = ((sector_trailer[7] >> 2) & 0x04)
134 | ((sector_trailer[8] << 1) & 0x02)
135 | ((sector_trailer[8] >> 4) & 0x01);
136 break;
137 }
138 case 0x01: {
139 AC = ((sector_trailer[7] >> 3) & 0x04)
140 | ((sector_trailer[8] >> 0) & 0x02)
141 | ((sector_trailer[8] >> 5) & 0x01);
142 break;
143 }
144 case 0x02: {
145 AC = ((sector_trailer[7] >> 4) & 0x04)
146 | ((sector_trailer[8] >> 1) & 0x02)
147 | ((sector_trailer[8] >> 6) & 0x01);
148 break;
149 }
150 default:
151 return false;
152 }
153
154 switch (action) {
155 case AC_DATA_READ: {
156 return ((keytype == AUTHKEYA && !(AC == 0x03 || AC == 0x05 || AC == 0x07))
157 || (keytype == AUTHKEYB && !(AC == 0x07)));
158 break;
159 }
160 case AC_DATA_WRITE: {
161 return ((keytype == AUTHKEYA && (AC == 0x00))
162 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x04 || AC == 0x06 || AC == 0x03)));
163 break;
164 }
165 case AC_DATA_INC: {
166 return ((keytype == AUTHKEYA && (AC == 0x00))
167 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06)));
168 break;
169 }
170 case AC_DATA_DEC_TRANS_REST: {
171 return ((keytype == AUTHKEYA && (AC == 0x00 || AC == 0x06 || AC == 0x01))
172 || (keytype == AUTHKEYB && (AC == 0x00 || AC == 0x06 || AC == 0x01)));
173 break;
174 }
175 }
176
177 return false;
178 }
179
180
181 static bool IsAccessAllowed(uint8_t blockNo, uint8_t keytype, uint8_t action) {
182 if (IsSectorTrailer(blockNo)) {
183 return IsTrailerAccessAllowed(blockNo, keytype, action);
184 } else {
185 return IsDataAccessAllowed(blockNo, keytype, action);
186 }
187 }
188
189
190 static void MifareSimInit(uint8_t flags, uint8_t *datain, tag_response_info_t **responses, uint32_t *cuid, uint8_t *uid_len, uint8_t cardsize) {
191
192 #define TAG_RESPONSE_COUNT 5 // number of precompiled responses
193 static uint8_t rATQA[] = {0x00, 0x00};
194 static uint8_t rUIDBCC1[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 1st cascade level
195 static uint8_t rUIDBCC2[] = {0x00, 0x00, 0x00, 0x00, 0x00}; // UID 2nd cascade level
196 static uint8_t rSAKfinal[]= {0x00, 0x00, 0x00}; // SAK after UID complete
197 static uint8_t rSAK1[] = {0x00, 0x00, 0x00}; // indicate UID not finished
198
199 *uid_len = 4;
200 // UID can be set from emulator memory or incoming data and can be 4 or 7 bytes long
201 if (flags & FLAG_4B_UID_IN_DATA) { // get UID from datain
202 memcpy(rUIDBCC1, datain, 4);
203 } else if (flags & FLAG_7B_UID_IN_DATA) {
204 rUIDBCC1[0] = 0x88;
205 memcpy(rUIDBCC1+1, datain, 3);
206 memcpy(rUIDBCC2, datain+3, 4);
207 *uid_len = 7;
208 } else {
209 uint8_t probable_atqa;
210 emlGetMemBt(&probable_atqa, 7, 1); // get UID from emul memory - weak guess at length
211 if (probable_atqa == 0x00) { // ---------- 4BUID
212 emlGetMemBt(rUIDBCC1, 0, 4);
213 } else { // ---------- 7BUID
214 rUIDBCC1[0] = 0x88;
215 emlGetMemBt(rUIDBCC1+1, 0, 3);
216 emlGetMemBt(rUIDBCC2, 3, 4);
217 *uid_len = 7;
218 }
219 }
220
221 switch (*uid_len) {
222 case 4:
223 *cuid = bytes_to_num(rUIDBCC1, 4);
224 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
225 if (MF_DBGLEVEL >= MF_DBG_INFO) {
226 Dbprintf("4B UID: %02x%02x%02x%02x",
227 rUIDBCC1[0], rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3] );
228 }
229 break;
230 case 7:
231 *cuid = bytes_to_num(rUIDBCC2, 4);
232 rUIDBCC1[4] = rUIDBCC1[0] ^ rUIDBCC1[1] ^ rUIDBCC1[2] ^ rUIDBCC1[3];
233 rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
234 if (MF_DBGLEVEL >= MF_DBG_INFO) {
235 Dbprintf("7B UID: %02x %02x %02x %02x %02x %02x %02x",
236 rUIDBCC1[1], rUIDBCC1[2], rUIDBCC1[3], rUIDBCC2[0], rUIDBCC2[1], rUIDBCC2[2], rUIDBCC2[3] );
237 }
238 break;
239 default:
240 break;
241 }
242
243 // set SAK based on cardsize
244 switch (cardsize) {
245 case '0': rSAKfinal[0] = 0x09; break; // Mifare Mini
246 case '2': rSAKfinal[0] = 0x10; break; // Mifare 2K
247 case '4': rSAKfinal[0] = 0x18; break; // Mifare 4K
248 default: rSAKfinal[0] = 0x08; // Mifare 1K
249 }
250 ComputeCrc14443(CRC_14443_A, rSAKfinal, 1, rSAKfinal + 1, rSAKfinal + 2);
251 if (MF_DBGLEVEL >= MF_DBG_INFO) {
252 Dbprintf("SAK: %02x", rSAKfinal[0]);
253 }
254
255 // set SAK for incomplete UID
256 rSAK1[0] = 0x04; // Bit 3 indicates incomplete UID
257 ComputeCrc14443(CRC_14443_A, rSAK1, 1, rSAK1 + 1, rSAK1 + 2);
258
259 // set ATQA based on cardsize and UIDlen
260 if (cardsize == '4') {
261 rATQA[0] = 0x02;
262 } else {
263 rATQA[0] = 0x04;
264 }
265 if (*uid_len == 7) {
266 rATQA[0] |= 0x40;
267 }
268 if (MF_DBGLEVEL >= MF_DBG_INFO) {
269 Dbprintf("ATQA: %02x %02x", rATQA[1], rATQA[0]);
270 }
271
272 static tag_response_info_t responses_init[TAG_RESPONSE_COUNT] = {
273 { .response = rATQA, .response_n = sizeof(rATQA) }, // Answer to request - respond with card type
274 { .response = rUIDBCC1, .response_n = sizeof(rUIDBCC1) }, // Anticollision cascade1 - respond with first part of uid
275 { .response = rUIDBCC2, .response_n = sizeof(rUIDBCC2) }, // Anticollision cascade2 - respond with 2nd part of uid
276 { .response = rSAKfinal, .response_n = sizeof(rSAKfinal) }, // Acknowledge select - last cascade
277 { .response = rSAK1, .response_n = sizeof(rSAK1) } // Acknowledge select - previous cascades
278 };
279
280 // Prepare ("precompile") the responses of the anticollision phase. There will be not enough time to do this at the moment the reader sends its REQA or SELECT
281 // There are 5 predefined responses with a total of 18 bytes data to transmit. Coded responses need one byte per bit to transfer (data, parity, start, stop, correction)
282 // 18 * 8 data bits, 18 * 1 parity bits, 5 start bits, 5 stop bits, 5 correction bits -> need 177 bytes buffer
283 #define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 177 // number of bytes required for precompiled responses
284
285 uint8_t *free_buffer_pointer = BigBuf_malloc(ALLOCATED_TAG_MODULATION_BUFFER_SIZE);
286 size_t free_buffer_size = ALLOCATED_TAG_MODULATION_BUFFER_SIZE;
287 for (size_t i = 0; i < TAG_RESPONSE_COUNT; i++) {
288 prepare_allocated_tag_modulation(&responses_init[i], &free_buffer_pointer, &free_buffer_size);
289 }
290
291 *responses = responses_init;
292
293 // indices into responses array:
294 #define ATQA 0
295 #define UIDBCC1 1
296 #define UIDBCC2 2
297 #define SAKfinal 3
298 #define SAK1 4
299
300 }
301
302
303 static bool HasValidCRC(uint8_t *receivedCmd, uint16_t receivedCmd_len) {
304 uint8_t CRC_byte_1, CRC_byte_2;
305 ComputeCrc14443(CRC_14443_A, receivedCmd, receivedCmd_len-2, &CRC_byte_1, &CRC_byte_2);
306 return (receivedCmd[receivedCmd_len-2] == CRC_byte_1 && receivedCmd[receivedCmd_len-1] == CRC_byte_2);
307 }
308
309
310 /**
311 *MIFARE simulate.
312 *
313 *@param flags :
314 * FLAG_INTERACTIVE - In interactive mode, we are expected to finish the operation with an ACK
315 * FLAG_4B_UID_IN_DATA - means that there is a 4-byte UID in the data-section, we're expected to use that
316 * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
317 * FLAG_NR_AR_ATTACK - means we should collect NR_AR responses for bruteforcing later
318 * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
319 *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
320 * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
321 */
322 void MifareSim(uint8_t flags, uint8_t exitAfterNReads, uint8_t cardsize, uint8_t *datain)
323 {
324 LED_A_ON();
325
326 tag_response_info_t *responses;
327 uint8_t uid_len = 4;
328 uint32_t cuid = 0;
329 uint8_t cardWRBL = 0;
330 uint8_t cardAUTHSC = 0;
331 uint8_t cardAUTHKEY = AUTHKEYNONE; // no authentication
332 uint32_t cardRr = 0;
333 //uint32_t rn_enc = 0;
334 uint32_t ans = 0;
335 uint32_t cardINTREG = 0;
336 uint8_t cardINTBLOCK = 0;
337 struct Crypto1State mpcs = {0, 0};
338 struct Crypto1State *pcs = &mpcs;
339 uint32_t numReads = 0; //Counts numer of times reader reads a block
340 uint8_t receivedCmd[MAX_MIFARE_FRAME_SIZE];
341 uint8_t receivedCmd_dec[MAX_MIFARE_FRAME_SIZE];
342 uint8_t receivedCmd_par[MAX_MIFARE_PARITY_SIZE];
343 uint16_t receivedCmd_len;
344 uint8_t response[MAX_MIFARE_FRAME_SIZE];
345 uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
346 uint8_t fixed_nonce[] = {0x01, 0x02, 0x03, 0x04};
347
348 int num_blocks = ParamCardSizeBlocks(cardsize);
349
350 // Here we collect UID, sector, keytype, NT, AR, NR, NT2, AR2, NR2
351 // This will be used in the reader-only attack.
352
353 // allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
354 #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
355 nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // *2 for 2 separate attack types (nml, moebius) 36 * 7 * 2 bytes = 504 bytes
356 memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
357
358 uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // *2 for 2nd attack type (moebius)
359 memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
360 uint8_t nonce1_count = 0;
361 uint8_t nonce2_count = 0;
362 uint8_t moebius_n_count = 0;
363 bool gettingMoebius = false;
364 uint8_t mM = 0; // moebius_modifier for collection storage
365
366 // Authenticate response - nonce
367 uint32_t nonce;
368 if (flags & FLAG_RANDOM_NONCE) {
369 nonce = prand();
370 } else {
371 nonce = bytes_to_num(fixed_nonce, 4);
372 }
373
374 // free eventually allocated BigBuf memory but keep Emulator Memory
375 BigBuf_free_keep_EM();
376
377 MifareSimInit(flags, datain, &responses, &cuid, &uid_len, cardsize);
378
379 // We need to listen to the high-frequency, peak-detected path.
380 iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
381
382 // clear trace
383 clear_trace();
384 set_tracing(true);
385 ResetSspClk();
386
387 bool finished = false;
388 bool button_pushed = BUTTON_PRESS();
389 int cardSTATE = MFEMUL_NOFIELD;
390
391 while (!button_pushed && !finished && !usb_poll_validate_length()) {
392 WDT_HIT();
393
394 if (cardSTATE == MFEMUL_NOFIELD) {
395 // wait for reader HF field
396 int vHf = (MAX_ADC_HF_VOLTAGE_LOW * AvgAdc(ADC_CHAN_HF_LOW)) >> 10;
397 if (vHf > MF_MINFIELDV) {
398 LED_D_ON();
399 cardSTATE = MFEMUL_IDLE;
400 }
401 button_pushed = BUTTON_PRESS();
402 continue;
403 }
404
405 //Now, get data
406 FpgaEnableTracing();
407 int res = EmGetCmd(receivedCmd, &receivedCmd_len, receivedCmd_par);
408
409 if (res == 2) { // Reader has dropped the HF field. Power off.
410 FpgaDisableTracing();
411 LED_D_OFF();
412 cardSTATE = MFEMUL_NOFIELD;
413 continue;
414 } else if (res == 1) { // button pressed
415 FpgaDisableTracing();
416 button_pushed = true;
417 break;
418 }
419
420 // WUPA in HALTED state or REQA or WUPA in any other state
421 if (receivedCmd_len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
422 EmSendPrecompiledCmd(&responses[ATQA]);
423 FpgaDisableTracing();
424
425 // init crypto block
426 crypto1_destroy(pcs);
427 cardAUTHKEY = AUTHKEYNONE;
428 if (flags & FLAG_RANDOM_NONCE) {
429 nonce = prand();
430 }
431 cardSTATE = MFEMUL_SELECT1;
432 continue;
433 }
434
435 switch (cardSTATE) {
436 case MFEMUL_NOFIELD:
437 case MFEMUL_HALTED:
438 case MFEMUL_IDLE:{
439 break;
440 }
441
442 case MFEMUL_SELECT1:{
443 // select all - 0x93 0x20
444 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
445 EmSendPrecompiledCmd(&responses[UIDBCC1]);
446 FpgaDisableTracing();
447 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT ALL CL1 received");
448 break;
449 }
450 // select card - 0x93 0x70 ...
451 if (receivedCmd_len == 9 &&
452 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC1].response, 4) == 0)) {
453 if (uid_len == 4) {
454 EmSendPrecompiledCmd(&responses[SAKfinal]);
455 cardSTATE = MFEMUL_WORK;
456 } else if (uid_len == 7) {
457 EmSendPrecompiledCmd(&responses[SAK1]);
458 cardSTATE = MFEMUL_SELECT2;
459 }
460 FpgaDisableTracing();
461 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL1 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
462 break;
463 }
464 cardSTATE = MFEMUL_IDLE;
465 break;
466 }
467
468 case MFEMUL_SELECT2:{
469 // select all cl2 - 0x95 0x20
470 if (receivedCmd_len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
471 EmSendPrecompiledCmd(&responses[UIDBCC2]);
472 FpgaDisableTracing();
473 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT ALL CL2 received");
474 break;
475 }
476 // select cl2 card - 0x95 0x70 xxxxxxxxxxxx
477 if (receivedCmd_len == 9 &&
478 (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], responses[UIDBCC2].response, 4) == 0)) {
479 if (uid_len == 7) {
480 EmSendPrecompiledCmd(&responses[SAKfinal]);
481 FpgaDisableTracing();
482 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("SELECT CL2 %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
483 cardSTATE = MFEMUL_WORK;
484 break;
485 }
486 }
487 cardSTATE = MFEMUL_IDLE;
488 break;
489 }
490
491 case MFEMUL_WORK:{
492 if (receivedCmd_len != 4) { // all commands must have exactly 4 bytes
493 break;
494 }
495 bool encrypted_data = (cardAUTHKEY != AUTHKEYNONE) ;
496 if (encrypted_data) {
497 // decrypt seqence
498 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
499 } else {
500 memcpy(receivedCmd_dec, receivedCmd, receivedCmd_len);
501 }
502 if (!HasValidCRC(receivedCmd_dec, receivedCmd_len)) { // all commands must have a valid CRC
503 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_TR));
504 break;
505 }
506
507 if (receivedCmd_dec[0] == MIFARE_AUTH_KEYA || receivedCmd_dec[0] == MIFARE_AUTH_KEYB) {
508 // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
509 if (receivedCmd_dec[1] >= num_blocks && !(flags & FLAG_NR_AR_ATTACK)) {
510 //is this the correct response to an auth on a out of range block? marshmellow
511 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
512 FpgaDisableTracing();
513 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking", receivedCmd_dec[0], receivedCmd_dec[1], receivedCmd_dec[1]);
514 break;
515 }
516 cardAUTHSC = BlockToSector(receivedCmd_dec[1]); // received block num
517 cardAUTHKEY = receivedCmd_dec[0] & 0x01;
518 crypto1_destroy(pcs);//Added by martin
519 crypto1_create(pcs, emlGetKey(cardAUTHSC, cardAUTHKEY));
520 if (!encrypted_data) { // first authentication
521 crypto1_word(pcs, cuid ^ nonce, 0); // Update crypto state
522 num_to_bytes(nonce, 4, response); // Send unencrypted nonce
523 EmSendCmd(response, sizeof(nonce));
524 FpgaDisableTracing();
525 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader authenticating for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
526 } else { // nested authentication
527 num_to_bytes(nonce, sizeof(nonce), response);
528 uint8_t pcs_in[4] = {0};
529 num_to_bytes(cuid ^ nonce, sizeof(nonce), pcs_in);
530 mf_crypto1_encryptEx(pcs, response, pcs_in, sizeof(nonce), response_par);
531 EmSendCmdPar(response, sizeof(nonce), response_par); // send encrypted nonce
532 FpgaDisableTracing();
533 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader doing nested authentication for block %d (0x%02x) with key %d", receivedCmd_dec[1], receivedCmd_dec[1], cardAUTHKEY);
534 }
535 cardSTATE = MFEMUL_AUTH1;
536 break;
537 }
538
539 // halt can be sent encrypted or in clear
540 if (receivedCmd_dec[0] == ISO14443A_CMD_HALT && receivedCmd_dec[1] == 0x00) {
541 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("--> HALTED.");
542 cardSTATE = MFEMUL_HALTED;
543 break;
544 }
545
546 if(receivedCmd_dec[0] == MIFARE_CMD_READBLOCK
547 || receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK
548 || receivedCmd_dec[0] == MIFARE_CMD_INC
549 || receivedCmd_dec[0] == MIFARE_CMD_DEC
550 || receivedCmd_dec[0] == MIFARE_CMD_RESTORE
551 || receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
552 if (receivedCmd_dec[1] >= num_blocks) {
553 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
554 FpgaDisableTracing();
555 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],receivedCmd_dec[1]);
556 break;
557 }
558 if (BlockToSector(receivedCmd_dec[1]) != cardAUTHSC) {
559 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
560 FpgaDisableTracing();
561 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate (0x%02x) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd_dec[0],receivedCmd_dec[1],cardAUTHSC);
562 break;
563 }
564 }
565
566 if (receivedCmd_dec[0] == MIFARE_CMD_READBLOCK) {
567 uint8_t blockNo = receivedCmd_dec[1];
568 emlGetMem(response, blockNo, 1);
569 if (IsSectorTrailer(blockNo)) {
570 memset(response, 0x00, 6); // keyA can never be read
571 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_KEYB_READ)) {
572 memset(response+10, 0x00, 6); // keyB cannot be read
573 }
574 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_AC_READ)) {
575 memset(response+6, 0x00, 4); // AC bits cannot be read
576 }
577 } else {
578 if (!IsAccessAllowed(blockNo, cardAUTHKEY, AC_DATA_READ)) {
579 memset(response, 0x00, 16); // datablock cannot be read
580 }
581 }
582 AppendCrc14443a(response, 16);
583 mf_crypto1_encrypt(pcs, response, 18, response_par);
584 EmSendCmdPar(response, 18, response_par);
585 FpgaDisableTracing();
586 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
587 Dbprintf("Reader reading block %d (0x%02x)", blockNo, blockNo);
588 }
589 numReads++;
590 if(exitAfterNReads > 0 && numReads == exitAfterNReads) {
591 Dbprintf("%d reads done, exiting", numReads);
592 finished = true;
593 }
594 break;
595 }
596
597 if (receivedCmd_dec[0] == MIFARE_CMD_WRITEBLOCK) {
598 uint8_t blockNo = receivedCmd_dec[1];
599 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
600 FpgaDisableTracing();
601 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0xA0 write block %d (%02x)", blockNo, blockNo);
602 cardWRBL = blockNo;
603 cardSTATE = MFEMUL_WRITEBL2;
604 break;
605 }
606
607 if (receivedCmd_dec[0] == MIFARE_CMD_INC || receivedCmd_dec[0] == MIFARE_CMD_DEC || receivedCmd_dec[0] == MIFARE_CMD_RESTORE) {
608 uint8_t blockNo = receivedCmd_dec[1];
609 if (emlCheckValBl(blockNo)) {
610 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
611 FpgaDisableTracing();
612 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
613 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
614 }
615 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
616 break;
617 }
618 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
619 FpgaDisableTracing();
620 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
621 Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
622 }
623 cardWRBL = blockNo;
624 if (receivedCmd_dec[0] == MIFARE_CMD_INC)
625 cardSTATE = MFEMUL_INTREG_INC;
626 if (receivedCmd_dec[0] == MIFARE_CMD_DEC)
627 cardSTATE = MFEMUL_INTREG_DEC;
628 if (receivedCmd_dec[0] == MIFARE_CMD_RESTORE)
629 cardSTATE = MFEMUL_INTREG_REST;
630 break;
631 }
632
633 if (receivedCmd_dec[0] == MIFARE_CMD_TRANSFER) {
634 uint8_t blockNo = receivedCmd_dec[1];
635 if (emlSetValBl(cardINTREG, cardINTBLOCK, receivedCmd_dec[1]))
636 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
637 else
638 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK));
639 FpgaDisableTracing();
640 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("RECV 0x%02x transfer block %d (%02x)",receivedCmd_dec[0], blockNo, blockNo);
641 break;
642 }
643
644 // command not allowed
645 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
646 FpgaDisableTracing();
647 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Received command not allowed, nacking");
648 cardSTATE = MFEMUL_IDLE;
649 break;
650 }
651
652 case MFEMUL_AUTH1:{
653 if (receivedCmd_len != 8) {
654 cardSTATE = MFEMUL_IDLE;
655 break;
656 }
657
658 uint32_t nr = bytes_to_num(receivedCmd, 4);
659 uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
660
661 // Collect AR/NR per keytype & sector
662 if(flags & FLAG_NR_AR_ATTACK) {
663 for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
664 if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
665 // if first auth for sector, or matches sector and keytype of previous auth
666 if (ar_nr_collected[i+mM] < 2) {
667 // if we haven't already collected 2 nonces for this sector
668 if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
669 // Avoid duplicates... probably not necessary, ar should vary.
670 if (ar_nr_collected[i+mM]==0) {
671 // first nonce collect
672 ar_nr_resp[i+mM].cuid = cuid;
673 ar_nr_resp[i+mM].sector = cardAUTHSC;
674 ar_nr_resp[i+mM].keytype = cardAUTHKEY;
675 ar_nr_resp[i+mM].nonce = nonce;
676 ar_nr_resp[i+mM].nr = nr;
677 ar_nr_resp[i+mM].ar = ar;
678 nonce1_count++;
679 // add this nonce to first moebius nonce
680 ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
681 ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
682 ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
683 ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
684 ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
685 ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
686 ar_nr_collected[i+ATTACK_KEY_COUNT]++;
687 } else { // second nonce collect (std and moebius)
688 ar_nr_resp[i+mM].nonce2 = nonce;
689 ar_nr_resp[i+mM].nr2 = nr;
690 ar_nr_resp[i+mM].ar2 = ar;
691 if (!gettingMoebius) {
692 nonce2_count++;
693 // check if this was the last second nonce we need for std attack
694 if ( nonce2_count == nonce1_count ) {
695 // done collecting std test switch to moebius
696 // first finish incrementing last sample
697 ar_nr_collected[i+mM]++;
698 // switch to moebius collection
699 gettingMoebius = true;
700 mM = ATTACK_KEY_COUNT;
701 if (flags & FLAG_RANDOM_NONCE) {
702 nonce = prand();
703 } else {
704 nonce = nonce*7;
705 }
706 break;
707 }
708 } else {
709 moebius_n_count++;
710 // if we've collected all the nonces we need - finish.
711 if (nonce1_count == moebius_n_count) finished = true;
712 }
713 }
714 ar_nr_collected[i+mM]++;
715 }
716 }
717 // we found right spot for this nonce stop looking
718 break;
719 }
720 }
721 }
722
723 // --- crypto
724 crypto1_word(pcs, nr , 1);
725 cardRr = ar ^ crypto1_word(pcs, 0, 0);
726
727 // test if auth OK
728 if (cardRr != prng_successor(nonce, 64)){
729 FpgaDisableTracing();
730 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
731 cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B',
732 cardRr, prng_successor(nonce, 64));
733 // Shouldn't we respond anything here?
734 // Right now, we don't nack or anything, which causes the
735 // reader to do a WUPA after a while. /Martin
736 // -- which is the correct response. /piwi
737 cardAUTHKEY = AUTHKEYNONE; // not authenticated
738 cardSTATE = MFEMUL_IDLE;
739 break;
740 }
741 ans = prng_successor(nonce, 96);
742 num_to_bytes(ans, 4, response);
743 mf_crypto1_encrypt(pcs, response, 4, response_par);
744 EmSendCmdPar(response, 4, response_par);
745 FpgaDisableTracing();
746 if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("AUTH COMPLETED for sector %d with key %c.", cardAUTHSC, cardAUTHKEY == AUTHKEYA ? 'A' : 'B');
747 cardSTATE = MFEMUL_WORK;
748 break;
749 }
750
751 case MFEMUL_WRITEBL2:{
752 if (receivedCmd_len == 18) {
753 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, receivedCmd_dec);
754 if (HasValidCRC(receivedCmd_dec, receivedCmd_len)) {
755 if (IsSectorTrailer(cardWRBL)) {
756 emlGetMem(response, cardWRBL, 1);
757 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYA_WRITE)) {
758 memcpy(receivedCmd_dec, response, 6); // don't change KeyA
759 }
760 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_KEYB_WRITE)) {
761 memcpy(receivedCmd_dec+10, response+10, 6); // don't change KeyA
762 }
763 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_AC_WRITE)) {
764 memcpy(receivedCmd_dec+6, response+6, 4); // don't change AC bits
765 }
766 } else {
767 if (!IsAccessAllowed(cardWRBL, cardAUTHKEY, AC_DATA_WRITE)) {
768 memcpy(receivedCmd_dec, response, 16); // don't change anything
769 }
770 }
771 emlSetMem(receivedCmd_dec, cardWRBL, 1);
772 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_ACK)); // always ACK?
773 cardSTATE = MFEMUL_WORK;
774 break;
775 }
776 }
777 cardSTATE = MFEMUL_IDLE;
778 break;
779 }
780
781 case MFEMUL_INTREG_INC:{
782 if (receivedCmd_len == 6) {
783 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
784 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
785 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
786 cardSTATE = MFEMUL_IDLE;
787 break;
788 }
789 cardINTREG = cardINTREG + ans;
790 cardSTATE = MFEMUL_WORK;
791 }
792 break;
793 }
794
795 case MFEMUL_INTREG_DEC:{
796 if (receivedCmd_len == 6) {
797 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
798 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
799 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
800 cardSTATE = MFEMUL_IDLE;
801 break;
802 }
803 cardINTREG = cardINTREG - ans;
804 cardSTATE = MFEMUL_WORK;
805 }
806 break;
807 }
808
809 case MFEMUL_INTREG_REST:{
810 mf_crypto1_decryptEx(pcs, receivedCmd, receivedCmd_len, (uint8_t*)&ans);
811 if (emlGetValBl(&cardINTREG, &cardINTBLOCK, cardWRBL)) {
812 EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
813 cardSTATE = MFEMUL_IDLE;
814 break;
815 }
816 cardSTATE = MFEMUL_WORK;
817 break;
818 }
819
820 } // end of switch
821
822 FpgaDisableTracing();
823 button_pushed = BUTTON_PRESS();
824
825 } // end of while
826
827 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
828 LEDsoff();
829
830 if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= MF_DBG_INFO) {
831 for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
832 if (ar_nr_collected[i] == 2) {
833 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
834 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
835 ar_nr_resp[i].cuid, //UID
836 ar_nr_resp[i].nonce, //NT
837 ar_nr_resp[i].nr, //NR1
838 ar_nr_resp[i].ar, //AR1
839 ar_nr_resp[i].nr2, //NR2
840 ar_nr_resp[i].ar2 //AR2
841 );
842 }
843 }
844 for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
845 if (ar_nr_collected[i] == 2) {
846 Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
847 Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x %08x",
848 ar_nr_resp[i].cuid, //UID
849 ar_nr_resp[i].nonce, //NT
850 ar_nr_resp[i].nr, //NR1
851 ar_nr_resp[i].ar, //AR1
852 ar_nr_resp[i].nonce2,//NT2
853 ar_nr_resp[i].nr2, //NR2
854 ar_nr_resp[i].ar2 //AR2
855 );
856 }
857 }
858 }
859 if (MF_DBGLEVEL >= MF_DBG_INFO) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", get_tracing(), BigBuf_get_traceLen());
860
861 if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
862 //Send the collected ar_nr in the response
863 cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, button_pushed, 0, &ar_nr_resp, sizeof(ar_nr_resp));
864 }
865
866 LED_A_OFF();
867 }
Proxmark3 - the RFID research Swiss army knife. Official firmware