fix hf 14a sim: on the device side, a sneaky detection treated data starting with a zero byte as meaning the uid is in emulator memory. Also fixed a size issue on the flags field

This commit is contained in:
iceman1001 2022-01-22 18:29:11 +01:00
parent 2fc5834c98
commit 98d291f5b1
8 changed files with 13 additions and 11 deletions


@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
- Fix `hf 14a sim` - sneaky detection of user supplied UID might be empty (@iceman1001)
- Adds support for PCSC's proprietary HID 37bit format P10004 (@bthedorff)
- Add `nfc decode` - now NDEF vCard messages with a PHOTO in base64 format is shown (@iceman1001)
- Remove AID limitations when using Gallagher key diversification (@DarkMatterMatt)


@ -248,7 +248,7 @@ void RunMod(void) {
state = STATE_SEARCH;
}
} else if (state == STATE_EMUL) {
uint8_t flags = FLAG_7B_UID_IN_DATA;
uint16_t flags = FLAG_7B_UID_IN_DATA;
Dbprintf("Starting simulation, press pm3-button to stop and go back to search state.");
SimulateIso14443aTag(7, flags, card.uid, 0);


@ -78,7 +78,7 @@ void RunMod(void) {
state = STATE_EMUL;
}
} else if (state == STATE_EMUL) {
uint8_t flags = 0;
uint16_t flags = 0;
if (card.uidlen == 4) {
flags |= FLAG_4B_UID_IN_DATA;
} else if (card.uidlen == 7) {


@ -236,7 +236,7 @@ void RunMod(void) {
int button_pressed = BUTTON_HELD(1000);
if (button_pressed == BUTTON_NO_CLICK) { // No button action, proceed with sim
uint8_t flags = FLAG_4B_UID_IN_DATA;
uint16_t flags = FLAG_4B_UID_IN_DATA;
uint8_t data[PM3_CMD_DATA_SIZE] = {0}; // in case there is a read command received we shouldn't break
memcpy(data, uids[selected].uid, uids[selected].uidlen);


@ -1395,7 +1395,7 @@ static void PacketReceived(PacketCommandNG *packet) {
case CMD_HF_ISO14443A_SIMULATE: {
struct p {
uint8_t tagtype;
uint8_t flags;
uint16_t flags;
uint8_t uid[10];
uint8_t exitAfter;
} PACKED;
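Review bot: The request layout `struct p { uint8_t tagtype; uint16_t flags; uint8_t uid[10]; uint8_t exitAfter; } PACKED;` is spelled out twice, here in the device handler for `CMD_HF_ISO14443A_SIMULATE` and again as the `payload` struct in the client's `CmdHF14ASim`, and this commit shows how a single field-width change has to be mirrored by hand in both places. Moving the definition into a protocol header that both sides include would turn such drift into a compile error instead of a silent misparse of the bytes on the wire. Note also that a client built before this change still sends a one-byte `flags` field, so unless the existing client/firmware version check rejects the mismatch the new firmware would read `uid` one byte off; presumably that check covers it, but it is worth confirming.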


@ -1007,7 +1007,7 @@ bool prepare_allocated_tag_modulation(tag_response_info_t *response_info, uint8_
}
}
bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages) {
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages) {
uint8_t sak = 0;
// The first response contains the ATQA (note: bytes are transmitted in reverse order).
static uint8_t rATQA[2] = { 0x00 };
@ -1128,7 +1128,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
}
// if uid not supplied then get from emulator memory
if (data[0] == 0 || (flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL) {
if ( (memcmp(data, "\x00\x00\x00\x00", 4) == 0) || ((flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL)) {
if (tagType == 2 || tagType == 7) {
uint16_t start = MFU_DUMP_PREFIX_LENGTH;
uint8_t emdata[8];
@ -1178,6 +1178,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
*cuid = bytes_to_num(data + 3, 4);
} else if ((flags & FLAG_10B_UID_IN_DATA) == FLAG_10B_UID_IN_DATA) {
rUIDc1[0] = 0x88; // Cascade Tag marker
rUIDc1[1] = data[0];
rUIDc1[2] = data[1];
@ -1265,7 +1266,7 @@ bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_i
// response to send, and send it.
// 'hf 14a sim'
//-----------------------------------------------------------------------------
void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data, uint8_t exitAfterNReads) {
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads) {
#define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
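Review bot: The widened guard `if ( (memcmp(data, "\x00\x00\x00\x00", 4) == 0) || ((flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL))` still infers "no UID supplied" from the content of `data`, so a caller-provided 7- or 10-byte UID whose first four bytes happen to be zero is silently replaced by emulator memory, and a 4-byte UID of all zeros can never be simulated from data at all; this affects the standalone modes too, which copy their stored UID into `data` and pass only `FLAG_xB_UID_IN_DATA`. The client already makes this decision (`bool useUIDfromEML = true;` in `CmdHF14ASim`) and the protocol carries `FLAG_UID_IN_EMUL` for it, so if no caller depends on the zero-prefix fallback the condition could be reduced to `if ((flags & FLAG_UID_IN_EMUL) == FLAG_UID_IN_EMUL) {`. If the fallback must stay, the remaining ambiguity should at least be recorded above the line, e.g. `// heuristic: an all-zero 4-byte prefix is taken as "no UID supplied"; callers should set FLAG_UID_IN_EMUL explicitly`. `SimulateIso14443aInit` begins and ends outside this hunk.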


@ -137,8 +137,8 @@ RAMFUNC bool MillerDecoding(uint8_t bit, uint32_t non_real_time);
RAMFUNC int ManchesterDecoding(uint8_t bit, uint16_t offset, uint32_t non_real_time);
void RAMFUNC SniffIso14443a(uint8_t param);
void SimulateIso14443aTag(uint8_t tagType, uint8_t flags, uint8_t *data, uint8_t exitAfterNReads);
bool SimulateIso14443aInit(int tagType, int flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
void SimulateIso14443aTag(uint8_t tagType, uint16_t flags, uint8_t *data, uint8_t exitAfterNReads);
bool SimulateIso14443aInit(uint8_t tagType, uint16_t flags, uint8_t *data, tag_response_info_t **responses, uint32_t *cuid, uint32_t counters[3], uint8_t tearings[3], uint8_t *pages);
bool GetIso14443aCommandFromReader(uint8_t *received, uint8_t *par, int *len);
void iso14443a_antifuzz(uint32_t flags);
void ReaderIso14443a(PacketCommandNG *c);


@ -676,7 +676,7 @@ int CmdHF14ASim(const char *Cmd) {
uint8_t uid[10] = {0};
CLIGetHexWithReturn(ctx, 2, uid, &uid_len);
uint8_t flags = 0;
uint16_t flags = 0;
bool useUIDfromEML = true;
if (uid_len > 0) {
@ -719,7 +719,7 @@ int CmdHF14ASim(const char *Cmd) {
struct {
uint8_t tagtype;
uint8_t flags;
uint16_t flags;
uint8_t uid[10];
uint8_t exitAfter;
} PACKED payload;