SHOW:
|
|
- or go back to the newest paste.
1 | Index: include/usb_cmd.h | |
2 | =================================================================== | |
3 | --- include/usb_cmd.h (revision 603) | |
4 | +++ include/usb_cmd.h (working copy) | |
5 | @@ -91,6 +91,7 @@ | |
6 | #define CMD_SNOOP_ISO_14443a 0x0383 | |
7 | #define CMD_SIMULATE_TAG_ISO_14443a 0x0384 | |
8 | #define CMD_READER_ISO_14443a 0x0385 | |
9 | +#define CMD_PACE_ISO_14443a 0x386 | |
10 | #define CMD_SIMULATE_TAG_LEGIC_RF 0x0387 | |
11 | #define CMD_READER_LEGIC_RF 0x0388 | |
12 | #define CMD_WRITER_LEGIC_RF 0x0399 | |
13 | Index: armsrc/iso14443a.c | |
14 | =================================================================== | |
15 | --- armsrc/iso14443a.c (revision 603) | |
16 | +++ armsrc/iso14443a.c (working copy) | |
17 | @@ -1790,6 +1790,192 @@ | |
18 | FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
19 | LEDsoff(); | |
20 | } | |
21 | + | |
22 | +//----------------------------------------------------------------------------- | |
23 | +// Perform initial part of PACE protocol | |
24 | +// | |
25 | +//----------------------------------------------------------------------------- | |
26 | +void PaceIso14443a(UsbCommand * c, UsbCommand * ack) | |
27 | +{ | |
28 | + /* | |
29 | + * ack layout: | |
30 | + * arg: | |
31 | + * 1. element | |
32 | + * 1. bit: 1 = failure, 0 = success | |
33 | + * 2.+3. bit: step where failure occured | |
34 | + * 0: card select | |
35 | + * 1: PACE MSE: Set AT | |
36 | + * 2: PACE General Authenticate | |
37 | + * 16.-31. bit: SW1 || SW2 of response APDU (in case of failure) | |
38 | + * 2. element | |
39 | + * iso14_apdu() return code | |
40 | + * d: | |
41 | + * Encrypted nonce | |
42 | + */ | |
43 | + | |
44 | + //iso14a_command_t param = c->arg[0]; | |
45 | + //uint8_t * cmd = c->d.asBytes; | |
46 | + //size_t len = c->arg[1]; | |
47 | + | |
48 | + // card UID | |
49 | + uint8_t uid[8]; | |
50 | + | |
51 | + // card select information | |
52 | + iso14a_card_select_t card_select_info; | |
53 | + | |
54 | + // return value of a function | |
55 | + int func_return; | |
56 | + | |
57 | + // command APDU | |
58 | + // size should be the max. size needed by any command used here | |
59 | + uint8_t command_apdu[20] = {0}; | |
60 | + // response APDU | |
61 | + // for the size the same holds as for the command APDU | |
62 | + uint8_t response_apdu[6] = {0}; | |
63 | + | |
64 | + // initialize ack with 0 | |
65 | + memset(ack->arg, 0, 12); | |
66 | + memset(ack->d.asBytes, 0, 48); | |
67 | + | |
68 | + // power up the field | |
69 | + iso14443a_setup(); | |
70 | + | |
71 | + // select the card | |
72 | + func_return = iso14443a_select_card(uid, &card_select_info, NULL); | |
73 | + // if this failed already, abort | |
74 | + if(func_return != 1) | |
75 | + { | |
76 | + // set fail bit | |
77 | + ack->arg[0] |= 0x80000000; | |
78 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
79 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
80 | + LEDsoff(); | |
81 | + return; | |
82 | + } | |
83 | + | |
84 | + // command APDU to initiate PACE | |
85 | + uint8_t i = 0; | |
86 | + // CLA | |
87 | + command_apdu[i++] = 0x00; | |
88 | + // INS | |
89 | + command_apdu[i++] = 0x22; | |
90 | + // P1 | |
91 | + command_apdu[i++] = 0xC1; | |
92 | + // P2 | |
93 | + command_apdu[i++] = 0xA4; | |
94 | + // Lc: 15 bytes | |
95 | + command_apdu[i++] = 0x0F; | |
96 | + // Content: | |
97 | + // Type: Protocol (by OID) | |
98 | + command_apdu[i++] = 0x80; | |
99 | + // Length: 10 bytes | |
100 | + command_apdu[i++] = 0x0A; | |
101 | + // OID | |
102 | + // bsi-de | |
103 | + command_apdu[i++] = 0x04; | |
104 | + command_apdu[i++] = 0x00; | |
105 | + command_apdu[i++] = 0x7F; | |
106 | + command_apdu[i++] = 0x00; | |
107 | + command_apdu[i++] = 0x07; | |
108 | + // protocols | |
109 | + command_apdu[i++] = 0x02; | |
110 | + // smartcard | |
111 | + command_apdu[i++] = 0x02; | |
112 | + // id_PACE | |
113 | + command_apdu[i++] = 0x04; | |
114 | + // ECDH-GM | |
115 | + command_apdu[i++] = 0x02; | |
116 | + // 3DES-CBC-CBC | |
117 | + command_apdu[i++] = 0x01; | |
118 | + // Type: Password | |
119 | + command_apdu[i++] = 0x83; | |
120 | + // Length: 1 byte | |
121 | + command_apdu[i++] = 0x01; | |
122 | + // CAN | |
123 | + command_apdu[i++] = 0x02; | |
124 | + | |
125 | + // send it | |
126 | + iso14_apdu(command_apdu, 20, response_apdu); | |
127 | + // check if command failed | |
128 | + if(func_return == -1 || response_apdu[0] != 0x90 || response_apdu[1] != 0x00) | |
129 | + { | |
130 | + // fail | |
131 | + ack->arg[0] |= 0x80000000; | |
132 | + // step 1 | |
133 | + ack->arg[0] |= 0x20000000; | |
134 | + // SW1 of RAPDU | |
135 | + ack->arg[0] |= ((uint32_t) response_apdu[0]) << 8; | |
136 | + // SW2 of RAPDU | |
137 | + ack->arg[0] |= ((uint32_t) response_apdu[1]); | |
138 | + | |
139 | + // return code | |
140 | + ack->arg[1] = func_return; | |
141 | + | |
142 | + // send it | |
143 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
144 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
145 | + LEDsoff(); | |
146 | + return; | |
147 | + } | |
148 | + // clear command and response APDUs | |
149 | + memset(command_apdu, 0, 20); | |
150 | + memset(response_apdu, 0, 2); | |
151 | + | |
152 | + // command APDU to request the encrypted nonce | |
153 | + i = 0; | |
154 | + // CLA | |
155 | + command_apdu[i++] = 0x00; | |
156 | + // INS | |
157 | + command_apdu[i++] = 0x86; | |
158 | + // P1 | |
159 | + command_apdu[i++] = 0x00; | |
160 | + // P2 | |
161 | + command_apdu[i++] = 0x00; | |
162 | + // Lc = 2 bytes | |
163 | + command_apdu[i++] = 0x02; | |
164 | + // Content: | |
165 | + // General Authenticate | |
166 | + command_apdu[i++] = 0x7C; | |
167 | + // zero byte (indicate first step?) | |
168 | + command_apdu[i++] = 0x00; | |
169 | + // Trailer: | |
170 | + // Le = 4 bytes | |
171 | + command_apdu[i++] = 0x04; | |
172 | + | |
173 | + // send it | |
174 | + func_return = iso14_apdu(command_apdu, 8, response_apdu); | |
175 | + // check if command failed | |
176 | + if(func_return == -1 || response_apdu[4] != 0x90 || response_apdu[5] != 0x00) | |
177 | + { | |
178 | + // fail | |
179 | + ack->arg[0] |= 0x80000000; | |
180 | + // step 2 | |
181 | + ack->arg[0] |= 0x40000000; | |
182 | + // note: if command failed, APDU consists only of SW1 || SW2, no content | |
183 | + // SW1 of RAPDU | |
184 | + ack->arg[0] |= ((uint32_t) response_apdu[0]) << 8; | |
185 | + // SW2 of RAPDU | |
186 | + ack->arg[0] |= ((uint32_t) response_apdu[1]); | |
187 | + | |
188 | + // return code | |
189 | + ack->arg[1] = func_return; | |
190 | + | |
191 | + // send it | |
192 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
193 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
194 | + LEDsoff(); | |
195 | + return; | |
196 | + } | |
197 | + | |
198 | + // all succeeded, copy the nonce into the ack and return | |
199 | + memcpy(ack->d.asBytes, response_apdu, 4); | |
200 | + | |
201 | + // all done, return | |
202 | + UsbSendPacket((void *)ack, sizeof(UsbCommand)); | |
203 | + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); | |
204 | + LEDsoff(); | |
205 | +} | |
206 | + | |
207 | //----------------------------------------------------------------------------- | |
208 | // Read an ISO 14443a tag. Send out commands and store answers. | |
209 | // | |
210 | Index: armsrc/apps.h | |
211 | =================================================================== | |
212 | --- armsrc/apps.h (revision 603) | |
213 | +++ armsrc/apps.h (working copy) | |
214 | @@ -135,6 +135,7 @@ | |
215 | void RAMFUNC SnoopIso14443a(uint8_t param); | |
216 | void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd); // ## simulate iso14443a tag | |
217 | void ReaderIso14443a(UsbCommand * c, UsbCommand * ack); | |
218 | +void PaceIso14443a(UsbCommand * c, UsbCommand * ack); | |
219 | // Also used in iclass.c | |
220 | int RAMFUNC LogTrace(const uint8_t * btBytes, int iLen, int iSamples, uint32_t dwParity, int bReader); | |
221 | uint32_t GetParity(const uint8_t * pbtCmd, int iLen); | |
222 | Index: armsrc/appmain.c | |
223 | =================================================================== | |
224 | --- armsrc/appmain.c (revision 603) | |
225 | +++ armsrc/appmain.c (working copy) | |
226 | @@ -711,6 +711,9 @@ | |
227 | case CMD_READER_ISO_14443a: | |
228 | ReaderIso14443a(c, &ack); | |
229 | break; | |
230 | + case CMD_PACE_ISO_14443a: | |
231 | + PaceIso14443a(c, &ack); | |
232 | + break; | |
233 | case CMD_SIMULATE_TAG_ISO_14443a: | |
234 | SimulateIso14443aTag(c->arg[0], c->arg[1], c->arg[2]); // ## Simulate iso14443a tag - pass tag type & UID | |
235 | break; | |
236 | - | Index: common/Makefile.common |
236 | + | |
237 | =================================================================== | |
238 | - | --- common/Makefile.common (revision 603) |
238 | + | |
239 | - | +++ common/Makefile.common (working copy) |
239 | + | |
240 | - | @@ -20,7 +20,8 @@ |
240 | + | |
241 | return resp->arg[0]; | |
242 | - | all: |
242 | + | |
243 | ||
244 | - | -CROSS ?= arm-none-eabi- |
244 | + | |
245 | - | +#CROSS ?= arm-none-eabi- |
245 | + | |
246 | - | +CROSS ?= /home/frederik/uni/Masterarbeit/preparation/proxmark/gnuarm4/bin/arm-eabi- |
246 | + | |
247 | - | CC = $(CROSS)gcc |
247 | + | |
248 | - | AS = $(CROSS)as |
248 | + | |
249 | - | LD = $(CROSS)ld |
249 | + | |
250 | - | @@ -29,6 +30,8 @@ |
250 | + | |
251 | - | OBJDIR = obj |
251 | + | |
252 | + PrintAndLog("Start: %u", time(NULL)); | |
253 | - | INCLUDE = -I../include -I../common |
253 | + | |
254 | - | +# added by me |
254 | + | |
255 | - | +INCLUDE += -I/home/frederik/uni/Masterarbeit/preparation/proxmark/gnuarm4/include |
255 | + | |
256 | + // execute anticollision procedure | |
257 | - | TAR=tar |
257 | + | |
258 | - | TARFLAGS = -C .. -rvf |
258 | + | |
259 | + UsbCommand * resp = WaitForResponse(CMD_ACK); | |
260 | + uint8_t * uid = resp->d.asBytes; | |
261 | + iso14a_card_select_t * card = (iso14a_card_select_t *)(uid + 12); | |
262 | + | |
263 | + // check if command failed | |
264 | + if(resp->arg[0] == 0) { | |
265 | + PrintAndLog("Card select failed."); | |
266 | + } | |
267 | + else | |
268 | + { | |
269 | + // check if UID is 4 bytes | |
270 | + if((card->atqa[1] & 0xC0) == 0) | |
271 | + { | |
272 | + PrintAndLog("%02X%02X%02X%02X", *uid, *(uid+1), *(uid+2), *(uid+3)); | |
273 | + } | |
274 | + else | |
275 | + { | |
276 | + PrintAndLog("UID longer than 4 bytes"); | |
277 | + } | |
278 | + } | |
279 | + } | |
280 | + PrintAndLog("End: %u", time(NULL)); | |
281 | + | |
282 | + return 1; | |
283 | +} | |
284 | + | |
285 | +// Perform initial PACE steps and aqcuire enrypted random nonce | |
286 | +int CmdHF14APACE(const char *Cmd) | |
287 | +{ | |
288 | + // requested number of Nonces | |
289 | + int n = atoi(Cmd); | |
290 | + int i; | |
291 | + | |
292 | + PrintAndLog("Collecting %d nonces", n); | |
293 | + PrintAndLog("Start: %u", time(NULL)); | |
294 | + // repeat n times | |
295 | + for(i = 0; i < n; i++) | |
296 | + { | |
297 | + // execute PACE | |
298 | + UsbCommand c = {CMD_PACE_ISO_14443a, {0, 0, 0}}; | |
299 | + SendCommand(&c); | |
300 | + UsbCommand * resp = WaitForResponse(CMD_ACK); | |
301 | + | |
302 | + // check if command failed | |
303 | + if((resp->arg[0] & 0x80000000) != 0) { | |
304 | + PrintAndLog("Operation failed in step %d, Return code: %d, SW: 0x%04X", | |
305 | + (resp->arg[0] & 0x60000000) >> 29, | |
306 | + (int)resp->arg[1], | |
307 | + (resp->arg[0] & 0x0000FFFF)); | |
308 | + } | |
309 | + else | |
310 | + { | |
311 | + // print nonce | |
312 | + PrintAndLog("E(r): 0x%08X", resp->d.asDwords); | |
313 | + } | |
314 | + } | |
315 | + PrintAndLog("End: %u", time(NULL)); | |
316 | + | |
317 | + return 1; | |
318 | +} | |
319 | + | |
320 | // ## simulate iso14443a tag | |
321 | // ## greg - added ability to specify tag UID | |
322 | int CmdHF14ASim(const char *Cmd) | |
323 | @@ -313,6 +389,8 @@ | |
324 | {"help", CmdHelp, 1, "This help"}, | |
325 | {"list", CmdHF14AList, 0, "List ISO 14443a history"}, | |
326 | {"reader", CmdHF14AReader, 0, "Act like an ISO14443 Type A reader"}, | |
327 | + {"cuids", CmdHF14ACUIDs, 0, "<n> Collect n ISO14443 Type A UIDs"}, | |
328 | + {"pace", CmdHF14APACE, 0, "<n> Acquire n encrypted PACE nonces"}, | |
329 | {"sim", CmdHF14ASim, 0, "<UID> -- Fake ISO 14443a tag"}, | |
330 | {"snoop", CmdHF14ASnoop, 0, "Eavesdrop ISO 14443 Type A"}, | |
331 | {NULL, NULL, 0, NULL} |