From 745928e609a556f127ffe01c2fa7154d26d6ee48 Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Fri, 26 Aug 2022 09:28:04 +0200 Subject: [PATCH 1/7] Fix comments. --- armsrc/iso15693.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index 91dc22488..d4a7be85f 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -2188,7 +2188,7 @@ void SimTagIso15693(uint8_t *uid) { bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH); uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM; - // Build GET_SYSTEM_INFO command + // Build GET_SYSTEM_INFO response uint8_t resp_sysinfo[CMD_SYSINFO_RESP] = {0}; resp_sysinfo[0] = 0; // Response flags. @@ -2226,7 +2226,7 @@ void SimTagIso15693(uint8_t *uid) { bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH); uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM; - // Build GET_SYSTEM_INFO command + // Build READ_BLOCK response uint8_t resp_readblock[CMD_READBLOCK_RESP] = {0}; resp_readblock[0] = 0; // Response flags. From eef1ce9c332dcbcd9ff735dcfff78d58afa38665 Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Fri, 26 Aug 2022 09:29:15 +0200 Subject: [PATCH 2/7] Enhance simulation of ISO15693 devices. This adds the following things: - support for reading multiple blocks, - configurable block size, - ability to provide a memory image. --- armsrc/appmain.c | 5 ++- armsrc/iso15693.c | 87 +++++++++++++++++++++++++++++++++++--------- armsrc/iso15693.h | 2 +- client/src/cmdhf15.c | 37 ++++++++++++++++++- include/pm3_cmd.h | 4 ++ 5 files changed, 113 insertions(+), 22 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 330bf2c48..0eccd418a 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c 
@@ -1259,9 +1259,12 @@ static void PacketReceived(PacketCommandNG *packet) { case CMD_HF_ISO15693_SIMULATE: { struct p { uint8_t uid[8]; + uint8_t block_size; + int data_length; + uint8_t data[PM3_CMD_BLOB_SIZE]; } PACKED; struct p *payload = (struct p *) packet->data.asBytes; - SimTagIso15693(payload->uid); + SimTagIso15693(payload->uid, payload->block_size, payload->data_length, payload->data); break; } case CMD_HF_ISO15693_CSETUID: { diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index d4a7be85f..f754d3a3c 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -2100,7 +2100,7 @@ void Iso15693InitTag(void) { // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // all demodulation performed in arm rather than host. - greg -void SimTagIso15693(uint8_t *uid) { +void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t *image) { // free eventually allocated BigBuf memory BigBuf_free_keep_EM(); @@ -2109,12 +2109,14 @@ void SimTagIso15693(uint8_t *uid) { LED_A_ON(); - Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]); + if (image_length == -1) { + Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with no image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size); + } else { + Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with 0x%X bytes image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size, image_length); + } LED_C_ON(); - - enum { NO_FIELD, IDLE, ACTIVATED, SELECTED, HALTED } chip_state = NO_FIELD; bool button_pressed = false; 
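Review bot: `payload->data_length` comes straight out of the host packet and is handed to SimTagIso15693 as the image length without being checked against `sizeof(payload->data)` or the received packet length, so the only bound on the firmware's later `image[...]` reads is the check the client happens to perform; the firmware should enforce it itself, e.g. `if (payload->data_length > (int)sizeof(payload->data)) break;` before the call, keeping `-1` as the no-image marker. A signed `int` on the wire as a length also admits negative values other than the sentinel; a `uint16_t` plus a separate "no image" flag would be tighter. The two iso15693.c hunks on this line (signature and Dbprintf) are fine on their own. PacketReceived and SimTagIso15693 both start and end outside their hunks.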
@@ -2207,8 +2209,14 @@ void SimTagIso15693(uint8_t *uid) { resp_sysinfo[10] = 0; // DSFID resp_sysinfo[11] = 0; // AFI - resp_sysinfo[12] = 0x1B; // Memory size. - resp_sysinfo[13] = 0x03; // Memory size. + // Memory size. + if (image_length == -1) { + // use sensible default value if no image is provided + resp_sysinfo[12] = 0x1F; + } else { + resp_sysinfo[12] = image_length / block_size; + } + resp_sysinfo[13] = block_size - 1; // Memory size. resp_sysinfo[14] = 0x01; // IC reference. // CRC 
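Review bot: `resp_sysinfo[12] = image_length / block_size;` divides by a value the client copies from `-b` without any range check, so `block_size == 0` is a division by zero on the ARM, and the quotient is silently truncated to one byte for images of more than 255 blocks. As far as I recall ISO/IEC 15693-3 codes both memory-size bytes as value-minus-one — which is how the old `0x1B`/`0x03` pair and this hunk's own `block_size - 1` read — so the block count is off by one as written; something like `resp_sysinfo[12] = (block_size != 0 && image_length > 0) ? (image_length / block_size) - 1 : 0x1F;` keeps the default for the no-image case and cannot trap, with the client rejecting images of more than 256 blocks. The `// use sensible default value` comment would be more useful as `// 0x1F: 32 blocks, the default when no image was supplied`. SimTagIso15693 starts and ends outside the hunk.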
@@ -2221,28 +2229,71 @@ void SimTagIso15693(uint8_t *uid) { LogTrace_ISO15693(resp_sysinfo, CMD_SYSINFO_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); } - // READ_BLOCK - if ((cmd[1] == ISO15693_READBLOCK)) { + // READ_BLOCK and READ_MULTI_BLOCK + if ((cmd[1] == ISO15693_READBLOCK) || (cmd[1] == ISO15693_READ_MULTI_BLOCK)) { bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH); + bool option = cmd[0] & ISO15_REQ_OPTION; uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM; - // Build READ_BLOCK response - uint8_t resp_readblock[CMD_READBLOCK_RESP] = {0}; + uint8_t block_idx = 0; + uint8_t block_count = 1; + if (cmd[1] == ISO15693_READBLOCK) { + if (cmd_len == 13) { + // addressed mode + block_idx= cmd[10]; + } else if (cmd_len == 5) { + // non-addressed mode + block_idx = cmd[2]; + } + } else if (cmd[1] == ISO15693_READ_MULTI_BLOCK) { + if (cmd_len == 14) { + // addressed mode + block_idx= cmd[10]; + block_count= cmd[11] + 1; + } else if (cmd_len == 6) { + // non-addressed mode + block_idx = cmd[2]; + block_count = cmd[3] + 1; + } + } - resp_readblock[0] = 0; // Response flags. - resp_readblock[1] = 0; // Block data. - resp_readblock[2] = 0; // Block data. - resp_readblock[3] = 0; // Block data. - resp_readblock[4] = 0; // Block data. 
+ // Build READ_(MULTI_)BLOCK response + int response_length = 3 + block_size * block_count; + int security_offset = 0; + if (option) { + response_length += block_count; + security_offset = 1; + } + uint8_t resp_readblock[response_length]; + for (int i = 0; i < response_length; i++) { + resp_readblock[i] = 0; + } + + resp_readblock[0] = 0; // Response flags + for (int j = 0; j < block_count; j++) { + // where to put the data of the current block + int work_offset = 1 + j * (block_size + security_offset); + if (option) { + resp_readblock[work_offset] = 0; // Security status + } + for (int i = 0; i < block_size; i++) { + // Block data + if (block_size * (block_idx + j + 1) <= image_length) { + resp_readblock[work_offset + security_offset + i] = image[block_size * (block_idx + j) + i]; + } else { + resp_readblock[work_offset + security_offset + i] = 0; + } + } + } // CRC - AddCrc15(resp_readblock, 5); - CodeIso15693AsTag(resp_readblock, CMD_READBLOCK_RESP); + AddCrc15(resp_readblock, response_length - 2); + CodeIso15693AsTag(resp_readblock, response_length); tosend_t *ts = get_tosend(); TransmitTo15693Reader(ts->buf, ts->max, &response_time, 0, slow); - LogTrace_ISO15693(resp_readblock, CMD_READBLOCK_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); + LogTrace_ISO15693(resp_readblock, response_length, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); } } diff --git a/armsrc/iso15693.h b/armsrc/iso15693.h index 277074189..3fd40e49a 100644 --- a/armsrc/iso15693.h +++ b/armsrc/iso15693.h 
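Review bot: `uint8_t resp_readblock[response_length];` is a stack VLA sized from bytes the reader sends — `block_count = cmd[11] + 1` (up to 256) times `block_size` (up to 255), plus a status byte per block when the option flag is set — so a single over-the-air READ_MULTI_BLOCK with a large count asks for roughly 65 KB of firmware stack, which will overflow on this target long before the reply could be encoded, and the `tosend` buffer filled by CodeIso15693AsTag presumably has a fixed capacity as well. Clamp the count before sizing anything, e.g. `if (block_count > MAX_READ_BLOCKS) { block_count = MAX_READ_BLOCKS; }` with `MAX_READ_BLOCKS` (placeholder name) chosen from the stack and tosend budget, and size the array from that constant rather than a VLA; answering out-of-range requests with an ISO 15693 error frame would be closer to a real tag but is a separate change. The `block_size * (block_idx + j + 1) <= image_length` guard does keep the image reads in range and yields zeros when `image_length` is -1, so only the response buffer is the problem, and the same VLA survives patch 6 where the source becomes emulator memory. Minor style: `block_idx= cmd[10];` and `block_count= cmd[11] + 1;` are missing the space before `=`. SimTagIso15693 starts and ends outside the hunk.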
@@ -46,7 +46,7 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo //void RecordRawAdcSamplesIso15693(void); void AcquireRawAdcSamplesIso15693(void); void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader -void SimTagIso15693(uint8_t *uid); // simulate an ISO15693 tag +void SimTagIso15693(uint8_t *uid, uint8_t block_size, int payload_length, uint8_t *payload); // simulate an ISO15693 tag void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c index aeda14380..c5a5677f2 100644 --- a/client/src/cmdhf15.c +++ b/client/src/cmdhf15.c 
@@ -1000,23 +1000,56 @@ static int CmdHF15Sim(const char *Cmd) { void *argtable[] = { arg_param_begin, arg_str1("u", "uid", "<8b hex>", "UID eg E011223344556677"), + arg_int0("b", "blocksize", "", "block size, defaults to 4"), + arg_str0("i", "image", "", "Memory image to load, defaults to zeros"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); struct { uint8_t uid[8]; + uint8_t block_size; + int image_length; + uint8_t image[PM3_CMD_BLOB_SIZE]; } PACKED payload; int uidlen = 0; CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen); - CLIParserFree(ctx); - if (uidlen != 8) { PrintAndLogEx(WARNING, "UID must include 16 HEX symbols"); return PM3_EINVARG; } + payload.block_size = arg_get_int_def(ctx, 2, 4); + + int fnlen = 0; + char filename[FILE_PATH_SIZE] = {0}; + CLIParamStrToBuf(arg_get_str(ctx, 3), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); + CLIParserFree(ctx); + + if (fnlen > 0) { + uint8_t *image = NULL; + size_t image_len = 0; + if (loadFile_safe(filename, "", (void **)&image, &image_len) != PM3_SUCCESS) { + PrintAndLogEx(FAILED, "Could not open file " _YELLOW_("%s"), filename); + return PM3_EIO; + } + + if (image_len > PM3_CMD_BLOB_SIZE) { + PrintAndLogEx(WARNING, "Memory image to large for us"); + return PM3_EINVARG; + } + if (image_len % payload.block_size != 0) { + PrintAndLogEx(WARNING, "Memory image size not a multiple of the block size"); + return PM3_EINVARG; + } + payload.image_length = image_len; + memcpy(payload.image, image, image_len); + free(image); + } else { + payload.image_length = -1; + } + PrintAndLogEx(SUCCESS, "Starting simulating UID " _YELLOW_("%s"), iso15693_sprintUID(NULL, payload.uid)); PrintAndLogEx(INFO, "press " _YELLOW_("`Pm3 button`") " to cancel"); diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index 69d9fed5b..f2a8bc56a 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h 
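Review bot: `payload.block_size = arg_get_int_def(ctx, 2, 4);` stores an unchecked int into a `uint8_t`, so `-b 0` (or `-b 256`, which wraps to 0) reaches `image_len % payload.block_size` and divides by zero, and anything above 32 cannot be represented in the 5-bit block-size field of GET_SYSTEM_INFO; validate right after parsing: `int bs = arg_get_int_def(ctx, 2, 4);` / `if (bs < 1 || bs > 32) { PrintAndLogEx(WARNING, "block size must be 1..32"); CLIParserFree(ctx); return PM3_EINVARG; }` (message text constructed). The same unchecked assignment is kept by patch 6's `@@ -1131` hunk in this file, so the check is needed there too. The two error returns after a successful `loadFile_safe` (the `image_len > PM3_CMD_BLOB_SIZE` and modulo checks) return without `free(image)`. Nit: "Memory image to large for us" should read "too large". CmdHF15Sim starts and ends outside the hunk.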
@@ -27,6 +27,10 @@ #define PM3_CMD_DATA_SIZE 512 #define PM3_CMD_DATA_SIZE_MIX ( PM3_CMD_DATA_SIZE - 3 * sizeof(uint64_t) ) +/* To be used for commands with a big blob of data along with some other data (for which 32 bytes + * is put aside, so if there is more of it this is unsuitable). + */ +#define PM3_CMD_BLOB_SIZE ( PM3_CMD_DATA_SIZE - 32 ) typedef struct { uint64_t cmd; From 62b577d170c59e43ba416742023697545332b77c Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Wed, 31 Aug 2022 12:23:05 +0200 Subject: [PATCH 3/7] Remove unused definition. --- armsrc/iso15693.c | 1 - 1 file changed, 1 deletion(-) diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index f754d3a3c..d894e3c1f 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -116,7 +116,6 @@ #define CMD_READ_RESP 13 #define CMD_INV_RESP 12 #define CMD_SYSINFO_RESP 17 -#define CMD_READBLOCK_RESP 7 //#define Crc(data, len) Crc(CRC_15693, (data), (len)) #define CheckCrc15(data, len) check_crc(CRC_15693, (data), (len)) From f3a41fdc4e91013ba3b5f8811d4a2a49c2293295 Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Wed, 31 Aug 2022 12:40:25 +0200 Subject: [PATCH 4/7] Added Changelog entries. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93c557838..7c09c300b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -87,6 +87,8 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Added new standalone mode `lf_em4100rsww` (@zabszk) - Fixed `hf 15 slixdisable` wrong pass id (@r1ddl3rz) - Added `script run hf_mf_hid_sim.lua` (@micsen) + - Added `hf 15 sim --blocksize` - configure block size for simulation (@markus-oehme-pg40) + - Added `hf 15 sim --image` - specify memory image for simulation (@markus-oehme-pg40) ## [Frostbit.4.14831][2022-01-11] From 03fa7573952e4177c425fe46ba772194365764d7 Mon Sep 17 00:00:00 2001 
From: Markus Walter Date: Thu, 1 Sep 2022 16:12:22 +0200 Subject: [PATCH 5/7] Implement `hf 15 eload` command to move image dump to emulator. --- armsrc/appmain.c | 14 ++++++ armsrc/iso15693.c | 14 ++++++ armsrc/iso15693.h | 2 + client/src/cmdhf15.c | 111 +++++++++++++++++++++++++++++++++++++++++++ include/pm3_cmd.h | 2 + 5 files changed, 143 insertions(+) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 0eccd418a..69961cc7d 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1256,6 +1256,20 @@ static void PacketReceived(PacketCommandNG *packet) { ReaderIso15693(NULL); break; } + case CMD_HF_ISO15693_EML_CLEAR: { + EmlClearIso15693(); + break; + } + case CMD_HF_ISO15693_EML_SETMEM: { + struct p { + uint32_t offset; + uint8_t count; + uint8_t data[]; + } PACKED; + struct p *payload = (struct p *) packet->data.asBytes; + EmlSetMemIso15693(payload->count, payload->data, payload->offset); + break; + } case CMD_HF_ISO15693_SIMULATE: { struct p { uint8_t uid[8]; diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index d894e3c1f..92c6f2e4e 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -2097,6 +2097,20 @@ void Iso15693InitTag(void) { StartCountSspClk(); } + +void EmlClearIso15693(void) { + // Resetting the bitstream also frees the BigBuf memory, so we do this here to prevent + // an inconvenient reset in the future by Iso15693InitTag + FpgaDownloadAndGo(FPGA_BITSTREAM_HF_15); + BigBuf_Clear_EM(); + reply_ng(CMD_HF_ISO15693_EML_CLEAR, PM3_SUCCESS, NULL, 0); +} + +void EmlSetMemIso15693(uint8_t count, uint8_t *data, uint32_t offset) { + uint8_t *emCARD = BigBuf_get_EM_addr(); + memcpy(emCARD + offset, data, count); +} + // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // all demodulation performed in arm rather than host. - greg void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t *image) { diff --git a/armsrc/iso15693.h b/armsrc/iso15693.h index 3fd40e49a..4f1800dc7 100644 
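Review bot: `EmlSetMemIso15693` copies `count` bytes to `emCARD + offset` with `offset` taken verbatim from the host packet and no check that `offset + count` stays inside the emulator area, so a malformed host command writes past the EM buffer into whatever BigBuf holds next; today only the client's 4096-byte limit keeps it in range. Guard it in the firmware with the EM-size constant the firmware already has (patch 6 references `CARD_MEMORY_SIZE` from this file): `if (offset > CARD_MEMORY_SIZE || count > CARD_MEMORY_SIZE - offset) return;`. The `CMD_HF_ISO15693_EML_SETMEM` case in the appmain.c hunk on this same line should likewise check `payload->count` against the received packet length before dispatching, otherwise the memcpy reads past the packet's data. Neither function documents that EmlClearIso15693 replies and EmlSetMemIso15693 does not; a one-line `// no reply: the client streams these in fast-push mode` on the latter would save the next reader a trip to cmdhf15.c. PacketReceived starts and ends outside its hunk.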
--- a/armsrc/iso15693.h +++ b/armsrc/iso15693.h @@ -46,6 +46,8 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo //void RecordRawAdcSamplesIso15693(void); void AcquireRawAdcSamplesIso15693(void); void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader +void EmlClearIso15693(void); +void EmlSetMemIso15693(uint8_t count, uint8_t *data, uint32_t offset); void SimTagIso15693(uint8_t *uid, uint8_t block_size, int payload_length, uint8_t *payload); // simulate an ISO15693 tag void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c index c5a5677f2..417ad1fe5 100644 --- a/client/src/cmdhf15.c +++ b/client/src/cmdhf15.c @@ -47,6 +47,7 @@ #define Logic0 Iso15693Logic0 #define Logic1 Iso15693Logic1 #define FrameEOF Iso15693FrameEOF +#define CARD_MEMORY_SIZE 4096 #ifndef Crc15 # define Crc15(data, len) Crc16ex(CRC_15693, (data), (len)) 
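Review bot: `#define CARD_MEMORY_SIZE 4096` gives the client its own copy of the emulator-area size, while the firmware side of this series (patch 6, armsrc/iso15693.c) bounds its reads with a `CARD_MEMORY_SIZE` it does not define here, presumably the one from the firmware's own headers; the two copies can drift, and the client's value is what sizes every `hf 15 eload` upload. Sourcing both sides from one shared header (include/ already carries the shared command ids) would keep the bound consistent, or at least mark the duplicate with `// must match the firmware's emulator memory size`.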
@@ -988,6 +989,115 @@ static int CmdHF15Reader(const char *Cmd) { return PM3_SUCCESS; } +static int hf15EmlClear(void) { + clearCommandBuffer(); + SendCommandNG(CMD_HF_ISO15693_EML_CLEAR, NULL, 0); + PacketResponseNG resp; + WaitForResponse(CMD_HF_ISO15693_EML_CLEAR, &resp); + return PM3_SUCCESS; +} + +static int hf15EmlSetMem(uint8_t *data, uint8_t count, size_t offset) { + struct p { + uint32_t offset; + uint8_t count; + uint8_t data[]; + } PACKED; + + size_t size = count; + if (size > (PM3_CMD_DATA_SIZE - sizeof(struct p))) { + return PM3_ESOFT; + } + + size_t paylen = sizeof(struct p) + size; + struct p *payload = calloc(1, paylen); + + payload->offset = offset; + payload->count = count; + memcpy(payload->data, data, size); + + clearCommandBuffer(); + SendCommandNG(CMD_HF_ISO15693_EML_SETMEM, (uint8_t *)payload, paylen); + free(payload); + return PM3_SUCCESS; +} + +static int CmdHF15ELoad(const char *Cmd) { + + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf 15 eload", + "Load memory image from file to be used with 'hf 15 sim'", + "hf 15 eload -f hf-15-01020304.bin\n" + ); + void *argtable[] = { + arg_param_begin, + arg_str1("f", "file", "", "filename of image"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, false); + + int fnlen = 0; + char filename[FILE_PATH_SIZE]; + CLIParamStrToBuf(arg_get_str(ctx, 1), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); + CLIParserFree(ctx); + + uint8_t *data = NULL; + size_t bytes_read = 0; + int res = loadFile_safe(filename, ".bin", (void **)&data, &bytes_read); + if (res != PM3_SUCCESS) { + return res; + } + + if (bytes_read > CARD_MEMORY_SIZE) { + PrintAndLogEx(FAILED, "Memory image too large."); + free(data); + return PM3_EINVARG; + } + if (bytes_read == 0) { + PrintAndLogEx(FAILED, "Memory image empty."); + free(data); + return PM3_EINVARG; + } + + PrintAndLogEx(INFO, "Clearing emulator memory"); + fflush(stdout); + hf15EmlClear(); + + PrintAndLogEx(INFO, "Uploading to emulator memory"); + 
PrintAndLogEx(INFO, "." NOLF); + + // fast push mode + g_conn.block_after_ACK = true; + + int chuncksize = 64; + size_t offset = 0; + + while (bytes_read > 0) { + if (bytes_read <= chuncksize) { + // Disable fast mode on last packet + g_conn.block_after_ACK = false; + } + + int tosend = MIN(chuncksize, bytes_read); + if (hf15EmlSetMem(data + offset, tosend, offset) != PM3_SUCCESS) { + PrintAndLogEx(FAILED, "Can't set emulator memory at offest: 0x%x", offset); + free(data); + return PM3_ESOFT; + } + PrintAndLogEx(NORMAL, "." NOLF); + fflush(stdout); + + offset += tosend; + bytes_read -= tosend; + } + free(data); + PrintAndLogEx(NORMAL, ""); + + PrintAndLogEx(HINT, "You are ready to simulate. See " _YELLOW_("`hf 15 sim -h`")); + PrintAndLogEx(INFO, "Done!"); + return PM3_SUCCESS; +} + // Simulation is still not working very good // helptext static int CmdHF15Sim(const char *Cmd) { @@ -2208,6 +2318,7 @@ static command_t CommandTable[] = { {"reader", CmdHF15Reader, IfPm3Iso15693, "Act like an ISO-15693 reader"}, {"restore", CmdHF15Restore, IfPm3Iso15693, "Restore from file to all memory pages of an ISO-15693 tag"}, {"samples", CmdHF15Samples, IfPm3Iso15693, "Acquire samples as reader (enables carrier, sends inquiry)"}, + {"eload", CmdHF15ELoad, IfPm3Iso15693, "Load image file to be used by 'sim' command"}, {"sim", CmdHF15Sim, IfPm3Iso15693, "Fake an ISO-15693 tag"}, {"slixdisable", CmdHF15SlixDisable, IfPm3Iso15693, "Disable privacy mode on SLIX ISO-15693 tag"}, {"wrbl", CmdHF15Write, IfPm3Iso15693, "Write a block"}, diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index f2a8bc56a..f2e9f0607 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -527,6 +527,8 @@ typedef struct { #define CMD_HF_ISO15693_SLIX_L_DISABLE_PRIVACY 0x0317 #define CMD_HF_ISO15693_SLIX_L_DISABLE_AESAFI 0x0318 #define CMD_HF_TEXKOM_SIMULATE 0x0320 +#define CMD_HF_ISO15693_EML_CLEAR 0x0330 +#define CMD_HF_ISO15693_EML_SETMEM 0x0331 #define CMD_LF_SNIFF_RAW_ADC 0x0360 
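Review bot: `struct p *payload = calloc(1, paylen);` in hf15EmlSetMem is dereferenced on the next line without a NULL check; add `if (payload == NULL) { return PM3_ESOFT; }` (or the project's allocation-failure status) before `payload->offset = offset;`. In CmdHF15ELoad's upload loop the early `return PM3_ESOFT;` leaves `g_conn.block_after_ACK = true`, so the connection stays in fast-push mode after a failed upload; clear it before returning. `"Can't set emulator memory at offest: 0x%x", offset` passes a `size_t` to `%x`, which is undefined behaviour under `-Wformat`; use `%zx` and fix the "offest" spelling while there. `char filename[FILE_PATH_SIZE];` is no longer zeroed as it was in patch 2's sim hunk — fine if CLIParamStrToBuf always terminates, but `= {0}` costs nothing. The hunk's enclosing file section continues past it.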
From d79bd5b6b869831365134b82d3de54b86ae901a7 Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Thu, 1 Sep 2022 18:46:20 +0200 Subject: [PATCH 6/7] Switch `hf 15 sim` to use image in emulator memory. --- armsrc/appmain.c | 4 +--- armsrc/iso15693.c | 23 +++++++---------------- armsrc/iso15693.h | 2 +- client/src/cmdhf15.c | 29 ----------------------------- include/pm3_cmd.h | 4 ---- 5 files changed, 9 insertions(+), 53 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 69961cc7d..d2ead4fc3 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1274,11 +1274,9 @@ static void PacketReceived(PacketCommandNG *packet) { struct p { uint8_t uid[8]; uint8_t block_size; - int data_length; - uint8_t data[PM3_CMD_BLOB_SIZE]; } PACKED; struct p *payload = (struct p *) packet->data.asBytes; - SimTagIso15693(payload->uid, payload->block_size, payload->data_length, payload->data); + SimTagIso15693(payload->uid, payload->block_size); break; } case CMD_HF_ISO15693_CSETUID: { diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index 92c6f2e4e..7e4c5c4f3 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -2113,7 +2113,7 @@ void EmlSetMemIso15693(uint8_t count, uint8_t *data, uint32_t offset) { // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // all demodulation performed in arm rather than host. - greg -void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t *image) { +void SimTagIso15693(uint8_t *uid, uint8_t block_size) { // free eventually allocated BigBuf memory BigBuf_free_keep_EM(); 
@@ -2122,11 +2122,7 @@ void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t LED_A_ON(); - if (image_length == -1) { - Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with no image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size); - } else { - Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with 0x%X bytes image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size, image_length); - } + Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size); LED_C_ON(); @@ -2222,14 +2218,8 @@ void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t resp_sysinfo[10] = 0; // DSFID resp_sysinfo[11] = 0; // AFI - // Memory size. - if (image_length == -1) { - // use sensible default value if no image is provided - resp_sysinfo[12] = 0x1F; - } else { - resp_sysinfo[12] = image_length / block_size; - } - resp_sysinfo[13] = block_size - 1; // Memory size. + resp_sysinfo[12] = 0x1F; // Block count + resp_sysinfo[13] = block_size - 1; // Block size. resp_sysinfo[14] = 0x01; // IC reference. // CRC @@ -2282,6 +2272,7 @@ void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t resp_readblock[i] = 0; } + uint8_t *emCARD = BigBuf_get_EM_addr(); resp_readblock[0] = 0; // Response flags for (int j = 0; j < block_count; j++) { // where to put the data of the current block 
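Review bot: `resp_sysinfo[12] = 0x1F; // Block count` now advertises a fixed 32 blocks regardless of what `hf 15 eload` placed in emulator memory, while the read path (hunk `@@ -2291` on the next line) serves up to `CARD_MEMORY_SIZE` bytes, so a reader that honours GET_SYSTEM_INFO never sees an image larger than `32 * block_size`, and a smaller image is padded with zero blocks. Since the simulate payload no longer carries the image length, either pass it through again (patch 2 had `image_length`) or derive the count from the emulator size, e.g. `resp_sysinfo[12] = (uint8_t)MIN((CARD_MEMORY_SIZE / block_size) - 1, 0xFF);`, guarded against `block_size == 0`, which the client still accepts from `-b` and which also makes `block_size - 1` wrap to 0xFF here. If the ISO 15693-3 coding is value-minus-one as I remember it, the comment should say so: `// Block count - 1 (ISO 15693-3 coding)`. SimTagIso15693 starts and ends outside the hunk.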
@@ -2291,8 +2282,8 @@ void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t } for (int i = 0; i < block_size; i++) { // Block data - if (block_size * (block_idx + j + 1) <= image_length) { - resp_readblock[work_offset + security_offset + i] = image[block_size * (block_idx + j) + i]; + if (block_size * (block_idx + j + 1) <= CARD_MEMORY_SIZE) { + resp_readblock[work_offset + security_offset + i] = emCARD[block_size * (block_idx + j) + i]; } else { resp_readblock[work_offset + security_offset + i] = 0; } diff --git a/armsrc/iso15693.h b/armsrc/iso15693.h index 4f1800dc7..6bd3882bc 100644 --- a/armsrc/iso15693.h +++ b/armsrc/iso15693.h @@ -48,7 +48,7 @@ void AcquireRawAdcSamplesIso15693(void); void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader void EmlClearIso15693(void); void EmlSetMemIso15693(uint8_t count, uint8_t *data, uint32_t offset); -void SimTagIso15693(uint8_t *uid, uint8_t block_size, int payload_length, uint8_t *payload); // simulate an ISO15693 tag +void SimTagIso15693(uint8_t *uid, uint8_t block_size); // simulate an ISO15693 tag void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c index 417ad1fe5..066d6bfdf 100644 --- a/client/src/cmdhf15.c +++ b/client/src/cmdhf15.c @@ -1111,7 +1111,6 @@ static int CmdHF15Sim(const char *Cmd) { arg_param_begin, arg_str1("u", "uid", "<8b hex>", "UID eg E011223344556677"), arg_int0("b", "blocksize", "", "block size, defaults to 4"), - arg_str0("i", "image", "", "Memory image to load, defaults to zeros"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); @@ -1119,8 +1118,6 @@ static int CmdHF15Sim(const char *Cmd) { struct { uint8_t uid[8]; uint8_t block_size; - int image_length; - uint8_t image[PM3_CMD_BLOB_SIZE]; } PACKED payload; int uidlen = 0; 
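Review bot: The `emCARD[...]` read is bounded by `CARD_MEMORY_SIZE` rather than by what `hf 15 eload` actually uploaded, so every block up to 4096 bytes of the EM area is answered to the reader; if that area is shared with other emulators, as `BigBuf_get_EM_addr` suggests, and `sim` is run without a preceding `eload`, whatever an earlier command left there is transmitted over the air. Either clear the EM area as part of the simulate setup when no image is wanted, or track the uploaded length and serve zeros beyond it. The comparison also assumes the EM area is at least `CARD_MEMORY_SIZE` bytes — presumably true, but worth a comment on the line: `// EM area is CARD_MEMORY_SIZE bytes; everything past the loaded image is zero after eload's clear`. The response buffer above this hunk is still the reader-sized VLA introduced in patch 2. SimTagIso15693 starts and ends outside the hunk.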
@@ -1131,34 +1128,8 @@ static int CmdHF15Sim(const char *Cmd) { } payload.block_size = arg_get_int_def(ctx, 2, 4); - - int fnlen = 0; - char filename[FILE_PATH_SIZE] = {0}; - CLIParamStrToBuf(arg_get_str(ctx, 3), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); CLIParserFree(ctx); - if (fnlen > 0) { - uint8_t *image = NULL; - size_t image_len = 0; - if (loadFile_safe(filename, "", (void **)&image, &image_len) != PM3_SUCCESS) { - PrintAndLogEx(FAILED, "Could not open file " _YELLOW_("%s"), filename); - return PM3_EIO; - } - - if (image_len > PM3_CMD_BLOB_SIZE) { - PrintAndLogEx(WARNING, "Memory image to large for us"); - return PM3_EINVARG; - } - if (image_len % payload.block_size != 0) { - PrintAndLogEx(WARNING, "Memory image size not a multiple of the block size"); - return PM3_EINVARG; - } - payload.image_length = image_len; - memcpy(payload.image, image, image_len); - free(image); - } else { - payload.image_length = -1; - } PrintAndLogEx(SUCCESS, "Starting simulating UID " _YELLOW_("%s"), iso15693_sprintUID(NULL, payload.uid)); PrintAndLogEx(INFO, "press " _YELLOW_("`Pm3 button`") " to cancel"); diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index f2e9f0607..7c7eb6ed6 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -27,10 +27,6 @@ #define PM3_CMD_DATA_SIZE 512 #define PM3_CMD_DATA_SIZE_MIX ( PM3_CMD_DATA_SIZE - 3 * sizeof(uint64_t) ) -/* To be used for commands with a big blob of data along with some other data (for which 32 bytes - * is put aside, so if there is more of it this is unsuitable). - */ -#define PM3_CMD_BLOB_SIZE ( PM3_CMD_DATA_SIZE - 32 ) typedef struct { uint64_t cmd; From 6fe7d997fffc20b2c88cd2e9fdb0408c8caf8597 Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Thu, 1 Sep 2022 18:48:24 +0200 Subject: [PATCH 7/7] Adjusted changelog entry to new `hf 15 eload` command. --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c09c300b..1fcbd808a 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -88,7 +88,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac - Fixed `hf 15 slixdisable` wrong pass id (@r1ddl3rz) - Added `script run hf_mf_hid_sim.lua` (@micsen) - Added `hf 15 sim --blocksize` - configure block size for simulation (@markus-oehme-pg40) - - Added `hf 15 sim --image` - specify memory image for simulation (@markus-oehme-pg40) + - Added `hf 15 eload` - specify memory image for ISO15693 simulation (@markus-oehme-pg40) ## [Frostbit.4.14831][2022-01-11]