Merge pull request #1766 from markus-oehme-pg40/iso15693-emulation

ISO15693 emulation
This commit is contained in:
Iceman 2022-09-02 05:29:16 +02:00 committed by GitHub
commit b82feee002
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 215 additions and 24 deletions

View file

@ -89,6 +89,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac
- Added new standalone mode `lf_em4100rsww` (@zabszk)
- Fixed `hf 15 slixdisable` wrong pass id (@r1ddl3rz)
- Added `script run hf_mf_hid_sim.lua` (@micsen)
- Added `hf 15 sim --blocksize` - configure block size for simulation (@markus-oehme-pg40)
- Added `hf 15 eload` - specify memory image for ISO15693 simulation (@markus-oehme-pg40)
## [Frostbit.4.14831][2022-01-11]

View file

@ -1256,12 +1256,27 @@ static void PacketReceived(PacketCommandNG *packet) {
ReaderIso15693(NULL);
break;
}
case CMD_HF_ISO15693_EML_CLEAR: {
EmlClearIso15693();
break;
}
case CMD_HF_ISO15693_EML_SETMEM: {
struct p {
uint32_t offset;
uint8_t count;
uint8_t data[];
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
EmlSetMemIso15693(payload->count, payload->data, payload->offset);
break;
}
case CMD_HF_ISO15693_SIMULATE: {
struct p {
uint8_t uid[8];
uint8_t block_size;
} PACKED;
struct p *payload = (struct p *) packet->data.asBytes;
SimTagIso15693(payload->uid);
SimTagIso15693(payload->uid, payload->block_size);
break;
}
case CMD_HF_ISO15693_CSETUID: {

View file

@ -116,7 +116,6 @@
#define CMD_READ_RESP 13
#define CMD_INV_RESP 12
#define CMD_SYSINFO_RESP 17
#define CMD_READBLOCK_RESP 7
//#define Crc(data, len) Crc(CRC_15693, (data), (len))
#define CheckCrc15(data, len) check_crc(CRC_15693, (data), (len))
@ -2098,9 +2097,23 @@ void Iso15693InitTag(void) {
StartCountSspClk();
}
void EmlClearIso15693(void) {
// Resetting the bitstream also frees the BigBuf memory, so we do this here to prevent
// an inconvenient reset in the future by Iso15693InitTag
FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15);
BigBuf_Clear_EM();
reply_ng(CMD_HF_ISO15693_EML_CLEAR, PM3_SUCCESS, NULL, 0);
}
void EmlSetMemIso15693(uint8_t count, uint8_t *data, uint32_t offset) {
uint8_t *emCARD = BigBuf_get_EM_addr();
memcpy(emCARD + offset, data, count);
}
// Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands
// all demodulation performed in arm rather than host. - greg
void SimTagIso15693(uint8_t *uid) {
void SimTagIso15693(uint8_t *uid, uint8_t block_size) {
// free eventually allocated BigBuf memory
BigBuf_free_keep_EM();
@ -2109,12 +2122,10 @@ void SimTagIso15693(uint8_t *uid) {
LED_A_ON();
Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]);
Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size);
LED_C_ON();
enum { NO_FIELD, IDLE, ACTIVATED, SELECTED, HALTED } chip_state = NO_FIELD;
bool button_pressed = false;
@ -2188,7 +2199,7 @@ void SimTagIso15693(uint8_t *uid) {
bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH);
uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM;
// Build GET_SYSTEM_INFO command
// Build GET_SYSTEM_INFO response
uint8_t resp_sysinfo[CMD_SYSINFO_RESP] = {0};
resp_sysinfo[0] = 0; // Response flags.
@ -2207,8 +2218,8 @@ void SimTagIso15693(uint8_t *uid) {
resp_sysinfo[10] = 0; // DSFID
resp_sysinfo[11] = 0; // AFI
resp_sysinfo[12] = 0x1B; // Memory size.
resp_sysinfo[13] = 0x03; // Memory size.
resp_sysinfo[12] = 0x1F; // Block count
resp_sysinfo[13] = block_size - 1; // Block size.
resp_sysinfo[14] = 0x01; // IC reference.
// CRC
@ -2221,28 +2232,72 @@ void SimTagIso15693(uint8_t *uid) {
LogTrace_ISO15693(resp_sysinfo, CMD_SYSINFO_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false);
}
// READ_BLOCK
if ((cmd[1] == ISO15693_READBLOCK)) {
// READ_BLOCK and READ_MULTI_BLOCK
if ((cmd[1] == ISO15693_READBLOCK) || (cmd[1] == ISO15693_READ_MULTI_BLOCK)) {
bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH);
bool option = cmd[0] & ISO15_REQ_OPTION;
uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM;
// Build GET_SYSTEM_INFO command
uint8_t resp_readblock[CMD_READBLOCK_RESP] = {0};
uint8_t block_idx = 0;
uint8_t block_count = 1;
if (cmd[1] == ISO15693_READBLOCK) {
if (cmd_len == 13) {
// addressed mode
block_idx= cmd[10];
} else if (cmd_len == 5) {
// non-addressed mode
block_idx = cmd[2];
}
} else if (cmd[1] == ISO15693_READ_MULTI_BLOCK) {
if (cmd_len == 14) {
// addressed mode
block_idx= cmd[10];
block_count= cmd[11] + 1;
} else if (cmd_len == 6) {
// non-addressed mode
block_idx = cmd[2];
block_count = cmd[3] + 1;
}
}
resp_readblock[0] = 0; // Response flags.
resp_readblock[1] = 0; // Block data.
resp_readblock[2] = 0; // Block data.
resp_readblock[3] = 0; // Block data.
resp_readblock[4] = 0; // Block data.
// Build READ_(MULTI_)BLOCK response
int response_length = 3 + block_size * block_count;
int security_offset = 0;
if (option) {
response_length += block_count;
security_offset = 1;
}
uint8_t resp_readblock[response_length];
for (int i = 0; i < response_length; i++) {
resp_readblock[i] = 0;
}
uint8_t *emCARD = BigBuf_get_EM_addr();
resp_readblock[0] = 0; // Response flags
for (int j = 0; j < block_count; j++) {
// where to put the data of the current block
int work_offset = 1 + j * (block_size + security_offset);
if (option) {
resp_readblock[work_offset] = 0; // Security status
}
for (int i = 0; i < block_size; i++) {
// Block data
if (block_size * (block_idx + j + 1) <= CARD_MEMORY_SIZE) {
resp_readblock[work_offset + security_offset + i] = emCARD[block_size * (block_idx + j) + i];
} else {
resp_readblock[work_offset + security_offset + i] = 0;
}
}
}
// CRC
AddCrc15(resp_readblock, 5);
CodeIso15693AsTag(resp_readblock, CMD_READBLOCK_RESP);
AddCrc15(resp_readblock, response_length - 2);
CodeIso15693AsTag(resp_readblock, response_length);
tosend_t *ts = get_tosend();
TransmitTo15693Reader(ts->buf, ts->max, &response_time, 0, slow);
LogTrace_ISO15693(resp_readblock, CMD_READBLOCK_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false);
LogTrace_ISO15693(resp_readblock, response_length, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false);
}
}

View file

@ -46,7 +46,9 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
//void RecordRawAdcSamplesIso15693(void);
void AcquireRawAdcSamplesIso15693(void);
void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader
void SimTagIso15693(uint8_t *uid); // simulate an ISO15693 tag
void EmlClearIso15693(void);
void EmlSetMemIso15693(uint8_t count, uint8_t *data, uint32_t offset);
void SimTagIso15693(uint8_t *uid, uint8_t block_size); // simulate an ISO15693 tag
void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag
void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI

View file

@ -47,6 +47,7 @@
#define Logic0 Iso15693Logic0
#define Logic1 Iso15693Logic1
#define FrameEOF Iso15693FrameEOF
#define CARD_MEMORY_SIZE 4096
#ifndef Crc15
# define Crc15(data, len) Crc16ex(CRC_15693, (data), (len))
@ -988,6 +989,115 @@ static int CmdHF15Reader(const char *Cmd) {
return PM3_SUCCESS;
}
static int hf15EmlClear(void) {
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_EML_CLEAR, NULL, 0);
PacketResponseNG resp;
WaitForResponse(CMD_HF_ISO15693_EML_CLEAR, &resp);
return PM3_SUCCESS;
}
static int hf15EmlSetMem(uint8_t *data, uint8_t count, size_t offset) {
struct p {
uint32_t offset;
uint8_t count;
uint8_t data[];
} PACKED;
size_t size = count;
if (size > (PM3_CMD_DATA_SIZE - sizeof(struct p))) {
return PM3_ESOFT;
}
size_t paylen = sizeof(struct p) + size;
struct p *payload = calloc(1, paylen);
payload->offset = offset;
payload->count = count;
memcpy(payload->data, data, size);
clearCommandBuffer();
SendCommandNG(CMD_HF_ISO15693_EML_SETMEM, (uint8_t *)payload, paylen);
free(payload);
return PM3_SUCCESS;
}
static int CmdHF15ELoad(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf 15 eload",
"Load memory image from file to be used with 'hf 15 sim'",
"hf 15 eload -f hf-15-01020304.bin\n"
);
void *argtable[] = {
arg_param_begin,
arg_str1("f", "file", "<fn>", "filename of image"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
int fnlen = 0;
char filename[FILE_PATH_SIZE];
CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
CLIParserFree(ctx);
uint8_t *data = NULL;
size_t bytes_read = 0;
int res = loadFile_safe(filename, ".bin", (void **)&data, &bytes_read);
if (res != PM3_SUCCESS) {
return res;
}
if (bytes_read > CARD_MEMORY_SIZE) {
PrintAndLogEx(FAILED, "Memory image too large.");
free(data);
return PM3_EINVARG;
}
if (bytes_read == 0) {
PrintAndLogEx(FAILED, "Memory image empty.");
free(data);
return PM3_EINVARG;
}
PrintAndLogEx(INFO, "Clearing emulator memory");
fflush(stdout);
hf15EmlClear();
PrintAndLogEx(INFO, "Uploading to emulator memory");
PrintAndLogEx(INFO, "." NOLF);
// fast push mode
g_conn.block_after_ACK = true;
int chuncksize = 64;
size_t offset = 0;
while (bytes_read > 0) {
if (bytes_read <= chuncksize) {
// Disable fast mode on last packet
g_conn.block_after_ACK = false;
}
int tosend = MIN(chuncksize, bytes_read);
if (hf15EmlSetMem(data + offset, tosend, offset) != PM3_SUCCESS) {
PrintAndLogEx(FAILED, "Can't set emulator memory at offest: 0x%x", offset);
free(data);
return PM3_ESOFT;
}
PrintAndLogEx(NORMAL, "." NOLF);
fflush(stdout);
offset += tosend;
bytes_read -= tosend;
}
free(data);
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(HINT, "You are ready to simulate. See " _YELLOW_("`hf 15 sim -h`"));
PrintAndLogEx(INFO, "Done!");
return PM3_SUCCESS;
}
// Simulation is still not working very good
// helptext
static int CmdHF15Sim(const char *Cmd) {
@ -1000,23 +1110,27 @@ static int CmdHF15Sim(const char *Cmd) {
void *argtable[] = {
arg_param_begin,
arg_str1("u", "uid", "<8b hex>", "UID eg E011223344556677"),
arg_int0("b", "blocksize", "<dec>", "block size, defaults to 4"),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
struct {
uint8_t uid[8];
uint8_t block_size;
} PACKED payload;
int uidlen = 0;
CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen);
CLIParserFree(ctx);
if (uidlen != 8) {
PrintAndLogEx(WARNING, "UID must include 16 HEX symbols");
return PM3_EINVARG;
}
payload.block_size = arg_get_int_def(ctx, 2, 4);
CLIParserFree(ctx);
PrintAndLogEx(SUCCESS, "Starting simulating UID " _YELLOW_("%s"), iso15693_sprintUID(NULL, payload.uid));
PrintAndLogEx(INFO, "press " _YELLOW_("`Pm3 button`") " to cancel");
@ -2175,6 +2289,7 @@ static command_t CommandTable[] = {
{"reader", CmdHF15Reader, IfPm3Iso15693, "Act like an ISO-15693 reader"},
{"restore", CmdHF15Restore, IfPm3Iso15693, "Restore from file to all memory pages of an ISO-15693 tag"},
{"samples", CmdHF15Samples, IfPm3Iso15693, "Acquire samples as reader (enables carrier, sends inquiry)"},
{"eload", CmdHF15ELoad, IfPm3Iso15693, "Load image file to be used by 'sim' command"},
{"sim", CmdHF15Sim, IfPm3Iso15693, "Fake an ISO-15693 tag"},
{"slixdisable", CmdHF15SlixDisable, IfPm3Iso15693, "Disable privacy mode on SLIX ISO-15693 tag"},
{"wrbl", CmdHF15Write, IfPm3Iso15693, "Write a block"},

View file

@ -523,6 +523,8 @@ typedef struct {
#define CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY 0x0317
#define CMD_HF_ISO15693_SLIX_L_DISABLE_AESAFI 0x0318
#define CMD_HF_TEXKOM_SIMULATE 0x0320
#define CMD_HF_ISO15693_EML_CLEAR 0x0330
#define CMD_HF_ISO15693_EML_SETMEM 0x0331
#define CMD_LF_SNIFF_RAW_ADC 0x0360