SHOW:
|
|
- or go back to the newest paste.
| 1 | Index: include/usb_cmd.h | |
| 2 | =================================================================== | |
| 3 | --- include/usb_cmd.h (revision 603) | |
| 4 | +++ include/usb_cmd.h (working copy) | |
| 5 | @@ -91,6 +91,7 @@ | |
| 6 | #define CMD_SNOOP_ISO_14443a 0x0383 | |
| 7 | #define CMD_SIMULATE_TAG_ISO_14443a 0x0384 | |
| 8 | #define CMD_READER_ISO_14443a 0x0385 | |
| 9 | +#define CMD_PACE_ISO_14443a 0x386 | |
| 10 | #define CMD_SIMULATE_TAG_LEGIC_RF 0x0387 | |
| 11 | #define CMD_READER_LEGIC_RF 0x0388 | |
| 12 | #define CMD_WRITER_LEGIC_RF 0x0399 | |
| 13 | Index: armsrc/iso14443a.c | |
| 14 | =================================================================== | |
| 15 | --- armsrc/iso14443a.c (revision 603) | |
| 16 | +++ armsrc/iso14443a.c (working copy) | |
| 17 | @@ -1790,6 +1790,189 @@ | |
| 18 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
| 19 | LEDsoff(); | |
| 20 | } | |
| 21 | + | |
| 22 | +//----------------------------------------------------------------------------- | |
| 23 | +// Perform initial part of PACE protocol | |
| 24 | +// | |
| 25 | +//----------------------------------------------------------------------------- | |
| 26 | +void PaceIso14443a(UsbCommand * c, UsbCommand * ack) | |
| 27 | +{
| |
| 28 | + /* | |
| 29 | + * ack layout: | |
| 30 | + * arg: | |
| 31 | + * 1. element | |
| 32 | + * 1. bit: 1 = failure, 0 = success | |
| 33 | + * 2.+3. bit: step where failure occured | |
| 34 | + * 0: card select | |
| 35 | + * 1: PACE MSE: Set AT | |
| 36 | + * 2: PACE General Authenticate | |
| 37 | + * 16.-31. bit: SW1 || SW2 of response APDU (in case of failure) | |
| 38 | + * 2. element | |
| 39 | + * iso14_apdu() return code | |
| 40 | + * d: | |
| 41 | + * Encrypted nonce | |
| 42 | + */ | |
| 43 | + | |
| 44 | + //iso14a_command_t param = c->arg[0]; | |
| 45 | + //uint8_t * cmd = c->d.asBytes; | |
| 46 | + //size_t len = c->arg[1]; | |
| 47 | + | |
| 48 | + // card UID | |
| 49 | + uint8_t uid[8]; | |
| 50 | + | |
| 51 | + // return value of a function | |
| 52 | + int func_return; | |
| 53 | + | |
| 54 | + // command APDU | |
| 55 | + // size should be the max. size needed by any command used here | |
| 56 | + uint8_t command_apdu[20] = {0};
| |
| 57 | + // response APDU | |
| 58 | + // for the size the same holds as for the command APDU | |
| 59 | + uint8_t response_apdu[6] = {0};
| |
| 60 | + | |
| 61 | + // initialize ack with 0 | |
| 62 | + memset(ack->arg, 0, 12); | |
| 63 | + memset(ack->d.asBytes, 0, 48); | |
| 64 | + | |
| 65 | + // power up the field | |
| 66 | + iso14443a_setup(); | |
| 67 | + | |
| 68 | + // select the card | |
| 69 | + func_return = iso14443a_select_card(uid, NULL, NULL); | |
| 70 | + // if this failed already, abort | |
| 71 | + if(func_return != 1) | |
| 72 | + {
| |
| 73 | + // set fail bit | |
| 74 | + ack->arg[0] |= 0x80000000; | |
| 75 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
| 76 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
| 77 | + LEDsoff(); | |
| 78 | + return; | |
| 79 | + } | |
| 80 | + | |
| 81 | + // command APDU to initiate PACE | |
| 82 | + uint8_t i = 0; | |
| 83 | + // CLA | |
| 84 | + command_apdu[i++] = 0x00; | |
| 85 | + // INS | |
| 86 | + command_apdu[i++] = 0x22; | |
| 87 | + // P1 | |
| 88 | + command_apdu[i++] = 0xC1; | |
| 89 | + // P2 | |
| 90 | + command_apdu[i++] = 0xA4; | |
| 91 | + // Lc: 15 bytes | |
| 92 | + command_apdu[i++] = 0x0F; | |
| 93 | + // Content: | |
| 94 | + // Type: Protocol (by OID) | |
| 95 | + command_apdu[i++] = 0x80; | |
| 96 | + // Length: 10 bytes | |
| 97 | + command_apdu[i++] = 0x0A; | |
| 98 | + // OID | |
| 99 | + // bsi-de | |
| 100 | + command_apdu[i++] = 0x04; | |
| 101 | + command_apdu[i++] = 0x00; | |
| 102 | + command_apdu[i++] = 0x7F; | |
| 103 | + command_apdu[i++] = 0x00; | |
| 104 | + command_apdu[i++] = 0x07; | |
| 105 | + // protocols | |
| 106 | + command_apdu[i++] = 0x02; | |
| 107 | + // smartcard | |
| 108 | + command_apdu[i++] = 0x02; | |
| 109 | + // id_PACE | |
| 110 | + command_apdu[i++] = 0x04; | |
| 111 | + // ECDH-GM | |
| 112 | + command_apdu[i++] = 0x02; | |
| 113 | + // 3DES-CBC-CBC | |
| 114 | + command_apdu[i++] = 0x01; | |
| 115 | + // Type: Password | |
| 116 | + command_apdu[i++] = 0x83; | |
| 117 | + // Length: 1 byte | |
| 118 | + command_apdu[i++] = 0x01; | |
| 119 | + // CAN | |
| 120 | + command_apdu[i++] = 0x02; | |
| 121 | + | |
| 122 | + // send it | |
| 123 | + iso14_apdu(command_apdu, 20, response_apdu); | |
| 124 | + // check if command failed | |
| 125 | + if(func_return == -1 || response_apdu[0] != 0x90 || response_apdu[1] != 0x00) | |
| 126 | + {
| |
| 127 | + // fail | |
| 128 | + ack->arg[0] |= 0x80000000; | |
| 129 | + // step 1 | |
| 130 | + ack->arg[0] |= 0x20000000; | |
| 131 | + // SW1 of RAPDU | |
| 132 | + ack->arg[0] |= ((uint32_t) response_apdu[0]) << 8; | |
| 133 | + // SW2 of RAPDU | |
| 134 | + ack->arg[0] |= ((uint32_t) response_apdu[1]); | |
| 135 | + | |
| 136 | + // return code | |
| 137 | + ack->arg[1] = func_return; | |
| 138 | + | |
| 139 | + // send it | |
| 140 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
| 141 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
| 142 | + LEDsoff(); | |
| 143 | + return; | |
| 144 | + } | |
| 145 | + // clear command and response APDUs | |
| 146 | + memset(command_apdu, 0, 20); | |
| 147 | + memset(response_apdu, 0, 2); | |
| 148 | + | |
| 149 | + // command APDU to request the encrypted nonce | |
| 150 | + i = 0; | |
| 151 | + // CLA | |
| 152 | + command_apdu[i++] = 0x00; | |
| 153 | + // INS | |
| 154 | + command_apdu[i++] = 0x86; | |
| 155 | + // P1 | |
| 156 | + command_apdu[i++] = 0x00; | |
| 157 | + // P2 | |
| 158 | + command_apdu[i++] = 0x00; | |
| 159 | + // Lc = 2 bytes | |
| 160 | + command_apdu[i++] = 0x02; | |
| 161 | + // Content: | |
| 162 | + // General Authenticate | |
| 163 | + command_apdu[i++] = 0x7C; | |
| 164 | + // zero byte (indicate first step?) | |
| 165 | + command_apdu[i++] = 0x00; | |
| 166 | + // Trailer: | |
| 167 | + // Le = 4 bytes | |
| 168 | + command_apdu[i++] = 0x04; | |
| 169 | + | |
| 170 | + // send it | |
| 171 | + func_return = iso14_apdu(command_apdu, 8, response_apdu); | |
| 172 | + // check if command failed | |
| 173 | + if(func_return == -1 || response_apdu[4] != 0x90 || response_apdu[5] != 0x00) | |
| 174 | + {
| |
| 175 | + // fail | |
| 176 | + ack->arg[0] |= 0x80000000; | |
| 177 | + // step 2 | |
| 178 | + ack->arg[0] |= 0x40000000; | |
| 179 | + // note: if command failed, APDU consists only of SW1 || SW2, no content | |
| 180 | + // SW1 of RAPDU | |
| 181 | + ack->arg[0] |= ((uint32_t) response_apdu[0]) << 8; | |
| 182 | + // SW2 of RAPDU | |
| 183 | + ack->arg[0] |= ((uint32_t) response_apdu[1]); | |
| 184 | + | |
| 185 | + // return code | |
| 186 | + ack->arg[1] = func_return; | |
| 187 | + | |
| 188 | + // send it | |
| 189 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
| 190 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
| 191 | + LEDsoff(); | |
| 192 | + return; | |
| 193 | + } | |
| 194 | + | |
| 195 | + // all succeeded, copy the nonce into the ack and return | |
| 196 | + memcpy(ack->d.asBytes, response_apdu, 4); | |
| 197 | + | |
| 198 | + // all done, return | |
| 199 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
| 200 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
| 201 | + LEDsoff(); | |
| 202 | +} | |
| 203 | + | |
| 204 | //----------------------------------------------------------------------------- | |
| 205 | // Read an ISO 14443a tag. Send out commands and store answers. | |
| 206 | // | |
| 207 | Index: armsrc/apps.h | |
| 208 | =================================================================== | |
| 209 | --- armsrc/apps.h (revision 603) | |
| 210 | +++ armsrc/apps.h (working copy) | |
| 211 | @@ -135,6 +135,7 @@ | |
| 212 | void RAMFUNC SnoopIso14443a(uint8_t param); | |
| 213 | void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd); // ## simulate iso14443a tag | |
| 214 | void ReaderIso14443a(UsbCommand * c, UsbCommand * ack); | |
| 215 | +void PaceIso14443a(UsbCommand * c, UsbCommand * ack); | |
| 216 | // Also used in iclass.c | |
| 217 | int RAMFUNC LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader); | |
| 218 | uint32_t GetParity(const uint8_t * pbtCmd, int iLen); | |
| 219 | Index: armsrc/appmain.c | |
| 220 | =================================================================== | |
| 221 | --- armsrc/appmain.c (revision 603) | |
| 222 | +++ armsrc/appmain.c (working copy) | |
| 223 | @@ -711,6 +711,9 @@ | |
| 224 | case CMD_READER_ISO_14443a: | |
| 225 | ReaderIso14443a(c, &ack); | |
| 226 | break; | |
| 227 | + case CMD_PACE_ISO_14443a: | |
| 228 | + PaceIso14443a(c, &ack); | |
| 229 | + break; | |
| 230 | case CMD_SIMULATE_TAG_ISO_14443a: | |
| 231 | SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2]); // ## Simulate iso14443a tag - pass tag type & UID | |
| 232 | break; | |
| 233 | - | Index: common/Makefile.common |
| 233 | + | |
| 234 | =================================================================== | |
| 235 | - | --- common/Makefile.common (revision 603) |
| 235 | + | |
| 236 | - | +++ common/Makefile.common (working copy) |
| 236 | + | |
| 237 | - | @@ -20,7 +20,8 @@ |
| 237 | + | |
| 238 | return resp->arg[0]; | |
| 239 | - | all: |
| 239 | + | |
| 240 | ||
| 241 | - | -CROSS ?= arm-none-eabi- |
| 241 | + | |
| 242 | - | +#CROSS ?= arm-none-eabi- |
| 242 | + | |
| 243 | - | +CROSS ?= /home/frederik/uni/Masterarbeit/preparation/proxmark/gnuarm4/bin/arm-eabi- |
| 243 | + | |
| 244 | - | CC = $(CROSS)gcc |
| 244 | + | |
| 245 | - | AS = $(CROSS)as |
| 245 | + | |
| 246 | - | LD = $(CROSS)ld |
| 246 | + | |
| 247 | - | @@ -29,6 +30,8 @@ |
| 247 | + | |
| 248 | - | OBJDIR = obj |
| 248 | + | |
| 249 | + PrintAndLog("Start: %u", time(NULL));
| |
| 250 | - | INCLUDE = -I../include -I../common |
| 250 | + | |
| 251 | - | +# added by me |
| 251 | + | |
| 252 | - | +INCLUDE += -I/home/frederik/uni/Masterarbeit/preparation/proxmark/gnuarm4/include |
| 252 | + | |
| 253 | + // execute anticollision procedure | |
| 254 | - | TAR=tar |
| 254 | + | |
| 255 | - | TARFLAGS = -C .. -rvf |
| 255 | + | |
| 256 | + UsbCommand * resp = WaitForResponse(CMD_ACK); | |
| 257 | + uint8_t * uid = resp->d.asBytes; | |
| 258 | + iso14a_card_select_t * card = (iso14a_card_select_t *)(uid + 12); | |
| 259 | + | |
| 260 | + // check if command failed | |
| 261 | + if(resp->arg[0] == 0) {
| |
| 262 | + PrintAndLog("Card select failed.");
| |
| 263 | + } | |
| 264 | + else | |
| 265 | + {
| |
| 266 | + // check if UID is 4 bytes | |
| 267 | + if((card->atqa[1] & 0xC0) == 0) | |
| 268 | + {
| |
| 269 | + PrintAndLog("%02X%02X%02X%02X", *uid, *(uid+1), *(uid+2), *(uid+3));
| |
| 270 | + } | |
| 271 | + else | |
| 272 | + {
| |
| 273 | + PrintAndLog("UID longer than 4 bytes");
| |
| 274 | + } | |
| 275 | + } | |
| 276 | + } | |
| 277 | + PrintAndLog("End: %u", time(NULL));
| |
| 278 | + | |
| 279 | + return 1; | |
| 280 | +} | |
| 281 | + | |
| 282 | +// Perform initial PACE steps and aqcuire enrypted random nonce | |
| 283 | +int CmdHF14APACE(const char *Cmd) | |
| 284 | +{
| |
| 285 | + // requested number of Nonces | |
| 286 | + int n = atoi(Cmd); | |
| 287 | + int i; | |
| 288 | + | |
| 289 | + PrintAndLog("Collecting %d nonces", n);
| |
| 290 | + PrintAndLog("Start: %u", time(NULL));
| |
| 291 | + // repeat n times | |
| 292 | + for(i = 0; i < n; i++) | |
| 293 | + {
| |
| 294 | + // execute PACE | |
| 295 | + UsbCommand c = {CMD_PACE_ISO_14443a, {0, 0, 0}};
| |
| 296 | + SendCommand(&c); | |
| 297 | + UsbCommand * resp = WaitForResponse(CMD_ACK); | |
| 298 | + | |
| 299 | + // check if command failed | |
| 300 | + if((resp->arg[0] & 0x80000000) != 0) {
| |
| 301 | + PrintAndLog("Operation failed in step %d, Return code: %d, SW: 0x%04X",
| |
| 302 | + (resp->arg[0] & 0x60000000) >> 29, | |
| 303 | + (int)resp->arg[1], | |
| 304 | + (resp->arg[0] & 0x0000FFFF)); | |
| 305 | + } | |
| 306 | + else | |
| 307 | + {
| |
| 308 | + // print nonce | |
| 309 | + PrintAndLog("E(r): 0x%08X", resp->d.asDwords);
| |
| 310 | + } | |
| 311 | + } | |
| 312 | + PrintAndLog("End: %u", time(NULL));
| |
| 313 | + | |
| 314 | + return 1; | |
| 315 | +} | |
| 316 | + | |
| 317 | // ## simulate iso14443a tag | |
| 318 | // ## greg - added ability to specify tag UID | |
| 319 | int CmdHF14ASim(const char *Cmd) | |
| 320 | @@ -313,6 +389,8 @@ | |
| 321 | {"help", CmdHelp, 1, "This help"},
| |
| 322 | {"list", CmdHF14AList, 0, "List ISO 14443a history"},
| |
| 323 | {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"},
| |
| 324 | + {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n ISO14443 Type A UIDs"},
| |
| 325 | + {"pace", CmdHF14APACE, 0, "<n> Acquire n encrypted PACE nonces"},
| |
| 326 | {"sim", CmdHF14ASim, 0, "<UID> -- Fake ISO 14443a tag"},
| |
| 327 | {"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"},
| |
| 328 | {NULL, NULL, 0, NULL} |
