From 66803e442d3cedbb5c128e486904720759c12ec1 Mon Sep 17 00:00:00 2001 From: Kevin-Nakamoto Date: Wed, 22 Jan 2020 13:55:37 -0500 Subject: [PATCH] Support LTO-CM read block and add CM-type into hf lto info command. --- client/cmdhflist.c | 4 +- client/cmdhflto.c | 197 ++++++++++++++++++++++++++++++++++----------- client/cmdhflto.h | 3 +- 3 files changed, 152 insertions(+), 52 deletions(-) diff --git a/client/cmdhflist.c b/client/cmdhflist.c index 2fde8492c..b35e4d622 100644 --- a/client/cmdhflist.c +++ b/client/cmdhflist.c @@ -1119,7 +1119,7 @@ void annotateLTO(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { snprintf(exp, size, "READWORD"); break; case (LTO_READBLOCK & 0xF0): - snprintf(exp, size, "READBLOCK"); + snprintf(exp, size, "READBLOCK(%d)", cmd[1]); break; case LTO_READBLOCK_CONT: snprintf(exp, size, "READBLOCK CONT"); @@ -1128,7 +1128,7 @@ void annotateLTO(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { snprintf(exp, size, "WRITEWORD"); break; case (LTO_WRITEBLOCK & 0xF0): - snprintf(exp, size, "WRITEBLOCK"); + snprintf(exp, size, "WRITEBLOCK(%d)", cmd[1]); break; case LTO_HALT: snprintf(exp, size, "HALT"); diff --git a/client/cmdhflto.c b/client/cmdhflto.c index 39e9cf30b..e82fee381 100644 --- a/client/cmdhflto.c +++ b/client/cmdhflto.c @@ -33,6 +33,18 @@ static int usage_lto_info(void) { return PM3_SUCCESS; } +static int usage_lto_rdbl(void) { + PrintAndLogEx(NORMAL, "Usage: hf lto rdbl [h] s e "); + PrintAndLogEx(NORMAL, "Options:"); + PrintAndLogEx(NORMAL, " h this help"); + PrintAndLogEx(NORMAL, " s start block in decimal >= 0"); + PrintAndLogEx(NORMAL, " e end block in decimal <= 254"); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, " hf lto rdbl s 0 e 254 - Read data block from 0 to 254"); + return PM3_SUCCESS; +} + static void lto_switch_off_field(void) { SendCommandMIX(CMD_HF_ISO14443A_READER, 0, 0, 0, NULL, 0); } @@ -42,15 +54,22 @@ static void lto_switch_on_field(void) { } // send a raw LTO-CM command, returns the length of the response (0 in case of error) -static int lto_send_cmd_raw(uint8_t *cmd, uint8_t len, uint8_t *response, uint16_t *response_len, bool addcrc, bool verbose) { +static int lto_send_cmd_raw(uint8_t *cmd, uint8_t len, uint8_t *response, uint16_t *response_len, bool addcrc, bool is7bits, bool verbose) { uint64_t arg0 = ISO14A_RAW | ISO14A_NO_DISCONNECT | ISO14A_NO_RATS; - uint32_t arg1 = (len == 1) ? (7 << 16) : 0; - arg1 |= len; + uint32_t arg1; if (addcrc) { arg0 |= ISO14A_APPEND_CRC; } + + if (is7bits) { + arg1 = 7 << 16; + } else { + arg1 = 0; + } + + arg1 |= len; SendCommandOLD(CMD_HF_ISO14443A_READER, arg0, arg1, 0, cmd, len); PacketResponseNG resp; @@ -62,7 +81,6 @@ static int lto_send_cmd_raw(uint8_t *cmd, uint8_t len, uint8_t *response, uint16 if (resp.oldarg[0] == *response_len) { *response_len = resp.oldarg[0]; - if (*response_len > 0) { memcpy(response, resp.data.asBytes, *response_len); } @@ -70,40 +88,36 @@ static int lto_send_cmd_raw(uint8_t *cmd, uint8_t len, uint8_t *response, uint16 if (verbose) PrintAndLogEx(WARNING, "Wrong response length (%d != %" PRIu64 ")", *response_len, resp.oldarg[0]); return PM3_ESOFT; } + return PM3_SUCCESS; } // select a LTO-CM tag. Send WUPA and RID. -static int lto_select(uint8_t *id_response, uint8_t id_len, bool verbose) { +static int lto_select(uint8_t *id_response, uint8_t id_len, uint8_t *type_response, bool verbose) { // Todo: implement anticollision uint8_t resp[] = {0, 0}; uint16_t resp_len; uint8_t wupa_cmd[] = {LTO_REQ_STANDARD}; - uint8_t select_cmd[] = {LTO_SELECT, 0x20}; - uint8_t select_1_cmd[] = {LTO_SELECT, 0x70, 0, 0, 0, 0, 0}; - - lto_switch_on_field(); + uint8_t select_sn_cmd[] = {LTO_SELECT, 0x20}; + uint8_t select_cmd[] = {LTO_SELECT, 0x70, 0, 0, 0, 0, 0}; resp_len = 2; - int status = lto_send_cmd_raw(wupa_cmd, sizeof(wupa_cmd), resp, &resp_len, false, verbose); + int status = lto_send_cmd_raw(wupa_cmd, sizeof(wupa_cmd), type_response, &resp_len, false, true, verbose); if (status == PM3_ETIMEOUT || status == PM3_ESOFT) { - lto_switch_off_field(); return PM3_ESOFT; // WUPA failed } resp_len = id_len; - status = lto_send_cmd_raw(select_cmd, sizeof(select_cmd), id_response, &resp_len, false, verbose); + status = lto_send_cmd_raw(select_sn_cmd, sizeof(select_sn_cmd), id_response, &resp_len, false, false, verbose); if (status == PM3_ETIMEOUT || status == PM3_ESOFT) { - lto_switch_off_field(); - return PM3_EWRONGANSVER; // SELECT failed + return PM3_EWRONGANSVER; // REQUEST SERIAL NUMBER failed } - memcpy(select_1_cmd + 2, id_response, sizeof(select_1_cmd) - 2); + memcpy(select_cmd + 2, id_response, sizeof(select_cmd) - 2); resp_len = 1; - status = lto_send_cmd_raw(select_1_cmd, sizeof(select_1_cmd), resp, &resp_len, true, verbose); + status = lto_send_cmd_raw(select_cmd, sizeof(select_cmd), resp, &resp_len, true, false, verbose); if (status == PM3_ETIMEOUT || status == PM3_ESOFT || resp[0] != 0x0A) { - lto_switch_off_field(); return PM3_EWRONGANSVER; // SELECT failed } @@ -132,63 +146,148 @@ static int CmdHfLTOInfo(const char *Cmd) { return PM3_EINVARG; } - return infoLTO(false); + return infoLTO(true); } int infoLTO(bool verbose) { clearCommandBuffer(); + lto_switch_on_field(); + uint8_t serial_number[5]; uint8_t serial_len = sizeof(serial_number); - int ret_val = lto_select(serial_number, serial_len, verbose); + uint8_t type_info[2]; + + int ret_val = lto_select(serial_number, serial_len, type_info, verbose); lto_switch_off_field(); if (ret_val == PM3_SUCCESS) { PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(SUCCESS, " UID : " _YELLOW_("%s"), sprint_hex_inrow(serial_number, sizeof(serial_number))); - PrintAndLogEx(SUCCESS, "TYPE : "); - // todo: add printing of all configuration - } else { - if (verbose) PrintAndLogEx(WARNING, "LTO-CM card select failed"); + PrintAndLogEx(SUCCESS, "TYPE INFO: " _YELLOW_("%s"), sprint_hex_inrow(type_info, sizeof(type_info))); + PrintAndLogEx(SUCCESS, "UID: " _YELLOW_("%s"), sprint_hex_inrow(serial_number, sizeof(serial_number))); } - /* read block: - - SendCommandNG(CMD_HF_THINFILM_READ, NULL, 0); - PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_HF_THINFILM_READ, &resp, 1500)) { - PrintAndLogEx(WARNING, "timeout while waiting for reply."); - return PM3_ETIMEOUT; - } - - if (resp.status == PM3_SUCCESS) { - if (resp.length == 16 || resp.length == 32) { - print_barcode(resp.data.asBytes, resp.length, verbose); - } else { - if (verbose) - PrintAndLogEx(WARNING, "Response is wrong length. (%d)", resp.length); - - return PM3_ESOFT; - } - } - - return resp.status; - */ return ret_val; } static int CmdHfLTOList(const char *Cmd) { (void)Cmd; // Cmd is not used so far - CmdTraceList("14a"); -// CmdTraceList("lto"); + CmdTraceList("lto"); return PM3_SUCCESS; } +static int lto_rdbl(uint8_t blk, uint8_t *block_responce, uint8_t *block_cnt_responce, bool verbose) { + + uint16_t resp_len; + uint8_t rdbl_cmd[] = {0x30, blk}; + uint8_t rdbl_cnt_cmd[] ={0x80}; + + resp_len = 18; + int status = lto_send_cmd_raw(rdbl_cmd, sizeof(rdbl_cmd), block_responce, &resp_len, true, false, verbose); + if (status == PM3_ETIMEOUT || status == PM3_ESOFT ) { + return PM3_EWRONGANSVER; // READ BLOCK failed + } + + resp_len = 18; + status = lto_send_cmd_raw(rdbl_cnt_cmd, sizeof(rdbl_cnt_cmd), block_cnt_responce, &resp_len, false, false, verbose); + if (status == PM3_ETIMEOUT || status == PM3_ESOFT ) { + return PM3_EWRONGANSVER; // READ BLOCK CONTINUE failed + } + + return PM3_SUCCESS; +} + +int rdblLTO(uint8_t st_blk, uint8_t end_blk, bool verbose) { + + clearCommandBuffer(); + + lto_switch_on_field(); + + uint8_t serial_number[5]; + uint8_t serial_len = sizeof(serial_number); + uint8_t type_info[2]; + int ret_val = lto_select(serial_number, serial_len, type_info, verbose); + + if (ret_val != PM3_SUCCESS) { + lto_switch_off_field(); + return ret_val; + } + + uint8_t block_data_d00_d15[18]; + uint8_t block_data_d16_d31[18]; + uint8_t block_data[32]; + + for(uint8_t i = st_blk; i < end_blk + 1; i++) { + + ret_val = lto_rdbl(i, block_data_d00_d15, block_data_d16_d31, verbose); + + if (ret_val == PM3_SUCCESS) { + //Remove CRCs + for (int t = 0; t < 16; t++) { + block_data[t] = block_data_d00_d15[t]; + block_data[t + 16] = block_data_d16_d31[t]; + } + + PrintAndLogEx(SUCCESS, "BLK%03d: " _YELLOW_("%s"), i, sprint_hex_inrow(block_data, sizeof(block_data))); + } else { + lto_switch_off_field(); + return ret_val; + } + } + + lto_switch_off_field(); + return ret_val; +} + +static int CmdHfLTOReadBlock(const char *Cmd) { + + uint8_t cmdp = 0; + bool errors = false; + uint8_t st_blk = 0; + uint8_t end_blk = 254; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch (tolower(param_getchar(Cmd, cmdp))) { + case 'h': + return usage_lto_rdbl(); + case 's': + st_blk = param_get8(Cmd, cmdp+1); + if ( end_blk < st_blk ) { + errors = true; + break; + } + cmdp += 2; + break; + + case 'e': + end_blk = param_get8(Cmd, cmdp+1); + if ( end_blk < st_blk ) { + errors = true; + break; } + cmdp += 2; + break; + + default: + PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + + //Validations + if (errors) { + usage_lto_rdbl(); + return PM3_EINVARG; + } + + return rdblLTO(st_blk, end_blk, true); +} + static command_t CommandTable[] = { {"help", CmdHelp, AlwaysAvailable, "This help"}, {"info", CmdHfLTOInfo, IfPm3Iso14443a, "Tag information"}, -// {"rdbl", CmdHfLTOReadBlock, IfPm3Iso14443a, "Read block"}, + {"rdbl", CmdHfLTOReadBlock, IfPm3Iso14443a, "Read block"}, // {"wrbl", CmdHfLTOWriteBlock, IfPm3Iso14443a, "Write block"}, // {"sim", CmdHfLTOSim, IfPm3Iso14443a, " Simulate LTO-CM tag"}, {"list", CmdHfLTOList, AlwaysAvailable, "List LTO-CM history"}, diff --git a/client/cmdhflto.h b/client/cmdhflto.h index 52c22da0d..d54eb75f1 100644 --- a/client/cmdhflto.h +++ b/client/cmdhflto.h @@ -14,7 +14,8 @@ #include "common.h" int infoLTO(bool verbose); - +int rdblLTO(uint8_t st_blk, uint8_t end_blk, bool verbose); int CmdHFLTO(const char *Cmd); #endif +