From b578e55d1752dec8f3bbf9ff119a918af8b2e380 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 6 Jan 2018 21:12:28 +0100
Subject: [PATCH] chg: 'hf 14b snoop' renamed 'hf 14b sniff'... In order to use one command for SNIFFING.. All snoop names will be renamed.
---
 armsrc/appmain.c | 2 +-
 armsrc/apps.h | 2 +-
 armsrc/iso14443b.c | 99 ++++++++++++++++++++++------------------------
 client/cmdhf14b.c | 12 +++---
 client/cmdhf14b.h | 26 ++++++------
 5 files changed, 68 insertions(+), 73 deletions(-)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 658e82c8d..293d4e7ef 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -764,7 +764,7 @@ void UsbPacketReceived(uint8_t *packet, int len) {
 ReadSTMemoryIso14443b(c->arg[0]);
 break;
 case CMD_SNOOP_ISO_14443B:
- SnoopIso14443b();
+ SniffIso14443b();
 break;
 case CMD_SIMULATE_TAG_ISO_14443B:
 SimulateIso14443bTag(c->arg[0]);
diff --git a/armsrc/apps.h b/armsrc/apps.h
index 3f44e54ef..56f87d1ba 100644
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@@ -110,7 +110,7 @@ void Cotag(uint32_t arg0);
 void SimulateIso14443bTag(uint32_t pupi);
 void AcquireRawAdcSamplesIso14443b(uint32_t parameter);
 void ReadSTMemoryIso14443b(uint8_t numofblocks);
-void RAMFUNC SnoopIso14443b(void);
+void RAMFUNC SniffIso14443b(void);
 void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);
 void SendRawCommand14443B_Ex(UsbCommand *c);
 void AppendCrc14443b(uint8_t* data, int len);
diff --git a/armsrc/iso14443b.c b/armsrc/iso14443b.c
index 5ec22111c..37033eaaa 100644
--- a/armsrc/iso14443b.c
+++ b/armsrc/iso14443b.c
@@ -450,12 +450,15 @@ static int GetIso14443bCommandFromReader(uint8_t *received, uint16_t *len) { // clear receiving shift register and holding register // What does this loop do? Is it TR1? - for(uint8_t c = 0; c < 10;) { + // loop is a wait/delay ? + /* + for(uint8_t c = 0; c < 10;) { if(AT91C_BASE_SSC->SSC_SR & (AT91C_SSC_TXRDY)) { AT91C_BASE_SSC->SSC_THR = 0xFF; ++c; } - } + } + */ // Now run a `software UART' on the stream of incoming samples. UartInit(received); @@ -778,9 +781,7 @@ static RAMFUNC int Handle14443bTagSamplesDemod(int ci, int cq) { } //note: couldn't we just use MAX(ABS(ci),ABS(cq)) + (MIN(ABS(ci),ABS(cq))/2) from common.h - marshmellow -#define CHECK_FOR_SUBCARRIER() { \ - v = MAX(myI, myQ) + (MIN(myI, myQ) >> 1); \ - } +#define CHECK_FOR_SUBCARRIER() { v = MAX(myI, myQ) + (MIN(myI, myQ) >> 1); } switch(Demod.state) { case DEMOD_UNSYNCD: @@ -1130,10 +1131,9 @@ static void CodeIso14443bAsReader(const uint8_t *cmd, int len) { // TR1 - Synchronization time // Convert from last character reference to length - ++ToSendMax; + ToSendMax++; } - /* * Convenience function to encode, transmit and trace iso 14443b comms */ @@ -1153,8 +1153,7 @@ static void CodeAndTransmit14443bAsReader(const uint8_t *cmd, int len) { /* Sends an APDU to the tag * TODO: check CRC and preamble */ -uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response) -{ +uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *response) { uint8_t crc[2] = {0x00, 0x00}; uint8_t message_frame[message_length + 4]; // PCB 
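Review bot: The SSC write loop in GetIso14443bCommandFromReader is disabled by wrapping it in `/* ... */` instead of being removed or kept, and the only rationale left behind is the question `// loop is a wait/delay ?`. That is a behaviour change in the reader-command receive path inside a commit whose description only announces a rename, so it is easy to overlook when a timing regression is bisected later. If the loop is known to be unnecessary, delete it and state the reason in the commit message; if that is not yet known, keep it active and leave a marker such as `// TODO: confirm whether these 10 dummy SSC_THR writes are needed for TR1 timing before removing`. The function body starts and ends outside the hunk.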
@@ -1188,8 +1187,7 @@ uint8_t iso14443b_apdu(uint8_t const *message, size_t message_length, uint8_t *r /** * SRx Initialise. */ -uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card ) -{ +uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card ) { // INITIATE command: wake up the tag using the INITIATE static const uint8_t init_srx[] = { ISO14443B_INITIATE, 0x00, 0x97, 0x5b }; // SELECT command (with space for CRC) @@ -1246,8 +1244,7 @@ uint8_t iso14443b_select_srx_card(iso14b_card_select_t *card ) * TODO: Support multiple cards (perform anticollision) * TODO: Verify CRC checksums */ -uint8_t iso14443b_select_card(iso14b_card_select_t *card ) -{ +uint8_t iso14443b_select_card(iso14b_card_select_t *card ) { // WUPB command (including CRC) // Note: WUPB wakes up all tags, REQB doesn't wake up tags in HALT state static const uint8_t wupb[] = { ISO14443B_REQB, 0x00, 0x08, 0x39, 0x73 }; @@ -1359,20 +1356,18 @@ void iso14443b_setup() { // // I tried to be systematic and check every answer of the tag, every CRC, etc... //----------------------------------------------------------------------------- -void ReadSTMemoryIso14443b(uint8_t numofblocks) -{ +void ReadSTMemoryIso14443b(uint8_t numofblocks) { // Make sure that we start from off, since the tags are stateful; // confusing things will happen if we don't reset them between reads. switch_off(); - + FpgaDownloadAndGo(FPGA_BITSTREAM_HF); - - set_tracing(true); - SetAdcMuxFor(GPIO_MUXSEL_HIPKD); - + FpgaSetupSsc(); + set_tracing(true); + // Now give it time to spin up. // Signal field is on with the appropriate LED LED_D_ON(); @@ -1387,7 +1382,7 @@ void ReadSTMemoryIso14443b(uint8_t numofblocks) GetTagSamplesFor14443bDemod(); // no if (Demod.len == 0) { - DbpString("No response from tag"); + DbpString("[!] No response from tag"); set_tracing(false); return; } else { 
@@ -1396,27 +1391,27 @@ void ReadSTMemoryIso14443b(uint8_t numofblocks) } // There is a response, SELECT the uid - DbpString("Now SELECT tag:"); + DbpString("[!] SELECT tag:"); cmd1[0] = ISO14443B_SELECT; // 0x0E is SELECT cmd1[1] = Demod.output[0]; ComputeCrc14443(CRC_14443_B, cmd1, 2, &cmd1[2], &cmd1[3]); CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1)); //no GetTagSamplesFor14443bDemod(); //no if (Demod.len != 3) { - Dbprintf("Expected 3 bytes from tag, got %d", Demod.len); + Dbprintf("[!] expected 3 bytes from tag, got %d", Demod.len); set_tracing(false); return; } // Check the CRC of the answer: ComputeCrc14443(CRC_14443_B, Demod.output, 1 , &cmd1[2], &cmd1[3]); if(cmd1[2] != Demod.output[1] || cmd1[3] != Demod.output[2]) { - DbpString("CRC Error reading select response."); + DbpString("[!] CRC Error reading select response."); set_tracing(false); return; } // Check response from the tag: should be the same UID as the command we just sent: if (cmd1[1] != Demod.output[0]) { - Dbprintf("Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]); + Dbprintf("[!] Bad response to SELECT from Tag, aborting: %02x %02x", cmd1[1], Demod.output[0]); set_tracing(false); return; } 
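Review bot: `DbpString("[!] SELECT tag:");` puts the prefix that the rest of this function uses for failures on an ordinary progress message, so anyone scanning the log for `[!]` gets a false hit on every successful run. The informational lines added in the following hunk use `[+]`, and `DbpString("System area block (0xFF):");` there has no prefix at all. Suggest `DbpString("[+] SELECT tag:");` here and `DbpString("[+] System area block (0xFF):");` in the later hunk so the prefixes carry one meaning throughout the function.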
@@ -1428,30 +1423,29 @@ void ReadSTMemoryIso14443b(uint8_t numofblocks) CodeAndTransmit14443bAsReader(cmd1, 3); // no -- Only first three bytes for this one GetTagSamplesFor14443bDemod(); //no if (Demod.len != 10) { - Dbprintf("Expected 10 bytes from tag, got %d", Demod.len); + Dbprintf("[!] expected 10 bytes from tag, got %d", Demod.len); set_tracing(false); return; } // The check the CRC of the answer (use cmd1 as temporary variable): ComputeCrc14443(CRC_14443_B, Demod.output, 8, &cmd1[2], &cmd1[3]); if(cmd1[2] != Demod.output[8] || cmd1[3] != Demod.output[9]) { - Dbprintf("CRC Error reading block! Expected: %04x got: %04x", - (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]); + Dbprintf("[!] CRC Error reading block! Expected: %04x got: %04x", (cmd1[2]<<8)+cmd1[3], (Demod.output[8]<<8)+Demod.output[9]); // Do not return;, let's go on... (we should retry, maybe ?) } - Dbprintf("Tag UID (64 bits): %08x %08x", + Dbprintf("[+] Tag UID (64 bits): %08x %08x", (Demod.output[7]<<24) + (Demod.output[6]<<16) + (Demod.output[5]<<8) + Demod.output[4], (Demod.output[3]<<24) + (Demod.output[2]<<16) + (Demod.output[1]<<8) + Demod.output[0]); // Now loop to read all 16 blocks, address from 0 to last block - Dbprintf("Tag memory dump, block 0 to %d", numofblocks); + Dbprintf("[+] Tag memory dump, block 0 to %d", numofblocks); cmd1[0] = 0x08; i = 0x00; ++numofblocks; for (;;) { if (i == numofblocks) { - DbpString("System area block (0xff):"); + DbpString("System area block (0xFF):"); i = 0xff; } cmd1[1] = i; 
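Review bot: The arguments of the reworded UID `Dbprintf` shift `Demod.output[7]<<24` and `Demod.output[3]<<24` after integer promotion to `int`, so a byte of 0x80 or above overflows a signed int, which is undefined behaviour in C. This assumes `Demod.output` holds `uint8_t`; its declaration is not visible in the hunk. Cast before shifting in both arguments, e.g. `((uint32_t)Demod.output[7] << 24)`, which also gives `%08x` the unsigned value it expects.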
@@ -1460,13 +1454,13 @@ void ReadSTMemoryIso14443b(uint8_t numofblocks) GetTagSamplesFor14443bDemod(); //no if (Demod.len != 6) { // Check if we got an answer from the tag - DbpString("Expected 6 bytes from tag, got less..."); + DbpString("[!] expected 6 bytes from tag, got less..."); return; } // The check the CRC of the answer (use cmd1 as temporary variable): ComputeCrc14443(CRC_14443_B, Demod.output, 4, &cmd1[2], &cmd1[3]); if(cmd1[2] != Demod.output[4] || cmd1[3] != Demod.output[5]) { - Dbprintf("CRC Error reading block! Expected: %04x got: %04x", + Dbprintf("[!] CRC Error reading block! Expected: %04x got: %04x", (cmd1[2]<<8)+cmd1[3], (Demod.output[4]<<8)+Demod.output[5]); // Do not return;, let's go on... (we should retry, maybe ?) } @@ -1482,9 +1476,8 @@ void ReadSTMemoryIso14443b(uint8_t numofblocks) set_tracing(false); } - -static void iso1444b_setup_snoop(void){ - if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup_snoop Enter"); +static void iso1444b_setup_sniff(void){ + if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup_sniff Enter"); LEDsoff(); FpgaDownloadAndGo(FPGA_BITSTREAM_HF); BigBuf_free(); @@ -1498,11 +1491,11 @@ static void iso1444b_setup_snoop(void){ if (MF_DBGLEVEL > 1) { // Print debug information about the buffer sizes - Dbprintf("Snooping buffers initialized:"); - Dbprintf(" Trace: %i bytes", BigBuf_max_traceLen()); - Dbprintf(" Reader -> tag: %i bytes", MAX_FRAME_SIZE); - Dbprintf(" tag -> Reader: %i bytes", MAX_FRAME_SIZE); - Dbprintf(" DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE); + Dbprintf("[+] Sniff buffers initialized:"); + Dbprintf("[+] trace: %i bytes", BigBuf_max_traceLen()); + Dbprintf("[+] reader -> tag: %i bytes", MAX_FRAME_SIZE); + Dbprintf("[+] tag -> reader: %i bytes", MAX_FRAME_SIZE); + Dbprintf("[+] DMA: %i bytes", ISO14443B_DMA_BUFFER_SIZE); } // connect Demodulated Signal to ADC: 
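Review bot: The `Demod.len != 6` branch in the block-read loop returns without `set_tracing(false)`, unlike every earlier error exit of ReadSTMemoryIso14443b shown in the preceding hunks, so tracing appears to stay enabled after a failed dump. The message also says "got less" although the test is `!=`, and it drops the actual length that the other length checks print. Suggested lines: `Dbprintf("[!] expected 6 bytes from tag, got %d", Demod.len);`, `set_tracing(false);`, `return;`. The loop body continues outside the hunk.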
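Review bot: The renamed helper is still spelled `iso1444b_setup_sniff`, and its Enter/Exit debug strings say `iso1443b_setup_sniff`; neither matches the `iso14443b` prefix used elsewhere in this file (`iso14443b_setup`, `iso14443b_select_card`). The function is `static` and this commit already touches its definition, both trace strings (the Exit string is in a later hunk) and its single visible call in SniffIso14443b, so the rename is the natural place to fix it: `static void iso14443b_setup_sniff(void)` with `Dbprintf("iso14443b_setup_sniff Enter")` and the matching Exit line. Consistent spelling keeps the debug output searchable by the protocol name.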
@@ -1517,7 +1510,8 @@ static void iso1444b_setup_snoop(void){ // Start the SSP timer StartCountSspClk(); - if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup_snoop Exit"); + + if (MF_DBGLEVEL > 3) Dbprintf("iso1443b_setup_sniff Exit"); } //============================================================================= @@ -1537,7 +1531,7 @@ static void iso1444b_setup_snoop(void){ * DMA Buffer - ISO14443B_DMA_BUFFER_SIZE * Demodulated samples received - all the rest */ -void RAMFUNC SnoopIso14443b(void) { +void RAMFUNC SniffIso14443b(void) { uint32_t time_0 = 0, time_start = 0, time_stop = 0; int ci = 0, cq = 0; @@ -1548,7 +1542,7 @@ void RAMFUNC SnoopIso14443b(void) { bool TagIsActive = false; bool ReaderIsActive = false; - iso1444b_setup_snoop(); + iso1444b_setup_sniff(); // The DMA buffer, used to stream samples from the FPGA int8_t *dmaBuf = (int8_t*) BigBuf_malloc(ISO14443B_DMA_BUFFER_SIZE); @@ -1556,7 +1550,7 @@ void RAMFUNC SnoopIso14443b(void) { // Setup and start DMA. if ( !FpgaSetupSscDma((uint8_t*) dmaBuf, ISO14443B_DMA_BUFFER_SIZE) ){ - if (MF_DBGLEVEL > 1) Dbprintf("FpgaSetupSscDma failed. Exiting"); + if (MF_DBGLEVEL > 1) Dbprintf("[!] FpgaSetupSscDma failed. Exiting"); BigBuf_free(); return; } @@ -1577,12 +1571,12 @@ void RAMFUNC SnoopIso14443b(void) { AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) dmaBuf; AT91C_BASE_PDC_SSC->PDC_RNCR = ISO14443B_DMA_BUFFER_SIZE; } - + + // no need to try decoding reader data if the tag is sending if (!TagIsActive) { LED_A_INV(); - - // no need to try decoding reader data if the tag is sending + if (Handle14443bReaderUartBit(ci & 0x01)) { time_stop = GetCountSspClk() - time_0; LogTrace(Uart.output, Uart.byteCnt, time_start, time_stop, NULL, true); 
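Review bot: When `FpgaSetupSscDma` fails, SniffIso14443b returns after `BigBuf_free()` alone, while the normal exit shown in a later hunk ends with `switch_off()`; whatever `iso1444b_setup_sniff()` configured appears to be left as it was. The failure is also reported only when `MF_DBGLEVEL > 1`, so at a lower debug level the command ends with no indication that nothing was captured. Suggest printing the `[!]` message unconditionally and adding `switch_off();` before the `return;`. What `switch_off()` resets is not visible in this patch, so confirm it is safe to call at that point.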
@@ -1603,8 +1597,9 @@ void RAMFUNC SnoopIso14443b(void) { ReaderIsActive = (Uart.state > STATE_GOT_FALLING_EDGE_OF_SOF); } + // no need to try decoding tag data if the reader is sending - and we cannot afford the time if (!ReaderIsActive) { - // no need to try decoding tag data if the reader is sending - and we cannot afford the time + // is this | 0x01 the error? & 0xfe in https://github.com/Proxmark/proxmark3/issues/103 // LSB is a fpga signal bit. if (Handle14443bTagSamplesDemod(ci >> 1, cq >> 1)) { @@ -1620,9 +1615,9 @@ void RAMFUNC SnoopIso14443b(void) { } if (MF_DBGLEVEL >= 2) { - DbpString("Sniff statistics:"); - Dbprintf(" Uart State: %x ByteCount: %i ByteCountMax: %i", Uart.state, Uart.byteCnt, Uart.byteCntMax); - Dbprintf(" Trace length: %i", BigBuf_get_traceLen()); + DbpString("[+] Sniff statistics:"); + Dbprintf("[+] uart State: %x ByteCount: %i ByteCountMax: %i", Uart.state, Uart.byteCnt, Uart.byteCntMax); + Dbprintf("[+] trace length: %i", BigBuf_get_traceLen()); } switch_off(); diff --git a/client/cmdhf14b.c b/client/cmdhf14b.c index ce708d020..7df1797b2 100644 --- a/client/cmdhf14b.c +++ b/client/cmdhf14b.c @@ -44,14 +44,14 @@ int usage_hf_14b_raw(void){ PrintAndLog(" hf 14b raw -s -c -p 0200a40400"); return 0; } -int usage_hf_14b_snoop(void){ +int usage_hf_14b_sniff(void){ PrintAndLog("It get data from the field and saves it into command buffer."); PrintAndLog("Buffer accessible from command 'hf list 14b'"); - PrintAndLog("Usage: hf 14b snoop [h]"); + PrintAndLog("Usage: hf 14b sniff [h]"); PrintAndLog("Options:"); PrintAndLog(" h this help"); PrintAndLog("sample:"); - PrintAndLog(" hf 14b snoop"); + PrintAndLog(" hf 14b sniff"); return 0; } int usage_hf_14b_sim(void){ 
@@ -123,10 +123,10 @@ int CmdHF14BSim(const char *Cmd) { return 0; } -int CmdHF14BSnoop(const char *Cmd) { +int CmdHF14BSniff(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); - if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_snoop(); + if (cmdp == 'h' || cmdp == 'H') return usage_hf_14b_sniff(); UsbCommand c = {CMD_SNOOP_ISO_14443B, {0, 0, 0}}; clearCommandBuffer(); @@ -850,7 +850,7 @@ static command_t CommandTable[] = { {"raw", CmdHF14BCmdRaw, 0, "Send raw hex data to tag"}, {"reader", CmdHF14BReader, 0, "Act as a 14443B reader to identify a tag"}, {"sim", CmdHF14BSim, 0, "Fake ISO 14443B tag"}, - {"snoop", CmdHF14BSnoop, 0, "Eavesdrop ISO 14443B"}, + {"sniff", CmdHF14BSniff, 0, "Eavesdrop ISO 14443B"}, {"sriread", CmdHF14BReadSri, 0, "Read contents of a SRI512 | SRIX4K tag"}, {"sriwrite", CmdHF14BWriteSri, 0, "Write data to a SRI512 | SRIX4K tag"}, //{"valid", srix4kValid, 1, "srix4k checksum test"}, diff --git a/client/cmdhf14b.h b/client/cmdhf14b.h index 5ee451bcf..4642339b1 100644 --- a/client/cmdhf14b.h +++ b/client/cmdhf14b.h 
@@ -33,26 +33,26 @@ int usage_hf_14b_info(void); int usage_hf_14b_reader(void); int usage_hf_14b_raw(void); -int usage_hf_14b_snoop(void); +int usage_hf_14b_sniff(void); int usage_hf_14b_sim(void); int usage_hf_14b_read_srx(void); int usage_hf_14b_write_srx(void); -int CmdHF14B(const char *Cmd); -int CmdHF14BList(const char *Cmd); -int CmdHF14BInfo(const char *Cmd); -int CmdHF14BSim(const char *Cmd); -int CmdHF14BSnoop(const char *Cmd); -int CmdHF14BWrite( const char *cmd); -int CmdHF14BReader(const char *Cmd); +extern int CmdHF14B(const char *Cmd); +extern int CmdHF14BList(const char *Cmd); +extern int CmdHF14BInfo(const char *Cmd); +extern int CmdHF14BSim(const char *Cmd); +extern int CmdHF14BSniff(const char *Cmd); +extern int CmdHF14BWrite( const char *cmd); +extern int CmdHF14BReader(const char *Cmd); -bool HF14BInfo(bool verbose); -bool HF14BReader(bool verbose); -int CmdHF14BCmdRaw (const char *Cmd); +extern bool HF14BInfo(bool verbose); +extern bool HF14BReader(bool verbose); +extern int CmdHF14BCmdRaw (const char *Cmd); // SRi ST Microelectronics read/write -int CmdHF14BReadSri(const char *Cmd); -int CmdHF14BWriteSri(const char *Cmd); +extern int CmdHF14BReadSri(const char *Cmd); +extern int CmdHF14BWriteSri(const char *Cmd); bool waitCmd14b(bool verbose); #endif