2020-09-03 22:33:36 +08:00
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
// A. Ozkal, 2020
|
|
|
|
//
|
|
|
|
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
|
|
|
|
// at your option, any later version. See the LICENSE.txt file for the text of
|
|
|
|
// the license.
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
// main code for HF Mifare Ultralight read/simulation by Ave Ozkal
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
|
2020-09-03 23:44:30 +08:00
|
|
|
// Several parts of this code is based on code by Craig Young from HF_YOUNG
|
2020-09-03 22:33:36 +08:00
|
|
|
|
2020-09-03 23:44:30 +08:00
|
|
|
// This code does not:
|
|
|
|
// - Account for cards with authentication (MFU EV1 etc)
|
|
|
|
// - Determine if cards have block count that's not the same as the BLOCKS def
|
2020-09-03 22:43:47 +08:00
|
|
|
|
2020-09-03 22:33:36 +08:00
|
|
|
#include "standalone.h" // standalone definitions
|
|
|
|
#include "proxmark3_arm.h"
|
|
|
|
#include "appmain.h"
|
|
|
|
#include "fpgaloader.h"
|
|
|
|
#include "util.h"
|
|
|
|
#include "dbprint.h"
|
|
|
|
|
|
|
|
#include "ticks.h" // SpinDelay
|
|
|
|
#include "mifareutil.h"
|
|
|
|
#include "iso14443a.h"
|
|
|
|
|
2020-09-03 23:29:18 +08:00
|
|
|
#define BLOCKS 16
|
|
|
|
#define SAK 0x00
|
|
|
|
#define ATQA0 0x44
|
|
|
|
#define ATQA1 0x00
|
|
|
|
|
|
|
|
#define STATE_SEARCH 0
|
|
|
|
#define STATE_READ 1
|
|
|
|
#define STATE_EMUL 2
|
|
|
|
|
2020-09-03 22:33:36 +08:00
|
|
|
typedef struct {
|
|
|
|
uint8_t uid[10];
|
|
|
|
uint8_t uidlen;
|
|
|
|
uint8_t atqa[2];
|
|
|
|
uint8_t sak;
|
|
|
|
} PACKED card_clone_t;
|
|
|
|
|
|
|
|
void ModInfo(void) {
|
|
|
|
DbpString(" HF Mifare Ultralight read/simulation by Ave Ozkal");
|
|
|
|
}
|
|
|
|
|
|
|
|
void RunMod(void) {
|
|
|
|
StandAloneMode();
|
2020-09-03 23:38:58 +08:00
|
|
|
Dbprintf("AveFUL (MF Ultralight read/emul) started");
|
2020-09-03 22:33:36 +08:00
|
|
|
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
|
|
|
|
|
|
|
|
// the main loop for your standalone mode
|
|
|
|
for (;;) {
|
|
|
|
WDT_HIT();
|
|
|
|
|
|
|
|
// exit from RunMod, send a usbcommand.
|
|
|
|
if (data_available()) break;
|
|
|
|
|
|
|
|
iso14a_card_select_t card;
|
|
|
|
|
|
|
|
SpinDelay(500);
|
|
|
|
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
|
|
|
|
|
|
|
|
// 0 = search, 1 = read, 2 = emul
|
2020-09-03 23:29:18 +08:00
|
|
|
int state = STATE_SEARCH;
|
2020-09-03 22:33:36 +08:00
|
|
|
|
|
|
|
DbpString("Scanning...");
|
|
|
|
for (;;) {
|
|
|
|
// Was our button held down or pressed?
|
|
|
|
int button_pressed = BUTTON_HELD(1000);
|
|
|
|
|
|
|
|
if (button_pressed != BUTTON_NO_CLICK || data_available())
|
|
|
|
break;
|
2020-09-03 23:29:18 +08:00
|
|
|
else if (state == STATE_SEARCH) {
|
2020-09-03 22:33:36 +08:00
|
|
|
if (!iso14443a_select_card(NULL, &card, NULL, true, 0, true)) {
|
|
|
|
continue;
|
|
|
|
} else {
|
2020-09-03 23:29:18 +08:00
|
|
|
if (card.sak == SAK && card.atqa[0] == ATQA0 && card.atqa[1] == ATQA1 && card.uidlen == 7) {
|
2020-09-03 22:33:36 +08:00
|
|
|
DbpString("Found ultralight with UID: ");
|
2020-09-03 23:29:18 +08:00
|
|
|
Dbhexdump(card.uidlen, card.uid, 0);
|
|
|
|
state = STATE_READ;
|
2020-09-03 23:44:30 +08:00
|
|
|
} else {
|
2020-09-03 23:29:18 +08:00
|
|
|
DbpString("Found non-ultralight card, ignoring.");
|
2020-09-03 22:33:36 +08:00
|
|
|
}
|
|
|
|
}
|
2020-09-03 23:44:30 +08:00
|
|
|
} else if (state == STATE_READ) {
|
2020-09-03 22:33:36 +08:00
|
|
|
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
|
|
|
|
iso14443a_select_card(NULL, NULL, NULL, true, 0, true);
|
|
|
|
bool read_successful = true;
|
|
|
|
Dbprintf("Contents:");
|
|
|
|
|
2020-09-03 23:44:30 +08:00
|
|
|
for (int i = 0; i < BLOCKS; i++) {
|
2020-09-03 22:33:36 +08:00
|
|
|
uint8_t dataout[4] = {0x00};
|
|
|
|
if (mifare_ultra_readblock(i, dataout)) {
|
2020-09-03 23:29:18 +08:00
|
|
|
// If there's an error reading, go back to search state
|
2020-09-03 22:33:36 +08:00
|
|
|
read_successful = false;
|
|
|
|
break;
|
|
|
|
}
|
2020-09-03 22:43:47 +08:00
|
|
|
// We're skipping 14 blocks (56 bytes) here, as that "[...] has version/signature/counter data here" according to comments on dumptoemul-mfu
|
|
|
|
// When converting a bin, it's almost all 0 other than one 0x0F byte, and functionality seems to be unaffected if that byte is set to 0x00.
|
2020-09-03 22:33:36 +08:00
|
|
|
emlSetMem_xt(dataout, 14 + i, 1, 4);
|
|
|
|
Dbhexdump(4, dataout, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (read_successful) {
|
2020-09-03 23:29:18 +08:00
|
|
|
Dbprintf("Successfully loaded into emulator memory...");
|
|
|
|
state = STATE_EMUL;
|
2020-09-03 22:33:36 +08:00
|
|
|
} else {
|
2020-09-03 23:29:18 +08:00
|
|
|
Dbprintf("Read failure, going back to search state.");
|
|
|
|
state = STATE_SEARCH;
|
2020-09-03 22:33:36 +08:00
|
|
|
}
|
2020-09-03 23:44:30 +08:00
|
|
|
} else if (state == 2) {
|
2020-09-03 22:33:36 +08:00
|
|
|
uint8_t flags = FLAG_7B_UID_IN_DATA;
|
|
|
|
|
2020-09-03 23:29:18 +08:00
|
|
|
Dbprintf("Starting simulation, press pm3-button to stop and go back to search state.");
|
2020-09-03 22:33:36 +08:00
|
|
|
SimulateIso14443aTag(2, flags, card.uid);
|
|
|
|
|
2020-09-03 23:29:18 +08:00
|
|
|
// Go back to search state if user presses pm3-button
|
|
|
|
state = STATE_SEARCH;
|
2020-09-03 22:33:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-09-03 22:43:47 +08:00
|
|
|
DbpString("exiting");
|
2020-09-03 22:33:36 +08:00
|
|
|
LEDsoff();
|
|
|
|
}
|