From eef1ce9c332dcbcd9ff735dcfff78d58afa38665 Mon Sep 17 00:00:00 2001 From: Markus Walter Date: Fri, 26 Aug 2022 09:29:15 +0200 Subject: [PATCH] Enhance simulation of ISO15693 devices. This adds the following things: - support for reading multiple blocks, - configurable block size, - ability to provide a memory image. --- armsrc/appmain.c | 5 ++- armsrc/iso15693.c | 87 +++++++++++++++++++++++++++++++++++--------- armsrc/iso15693.h | 2 +- client/src/cmdhf15.c | 37 ++++++++++++++++++- include/pm3_cmd.h | 4 ++ 5 files changed, 113 insertions(+), 22 deletions(-) diff --git a/armsrc/appmain.c b/armsrc/appmain.c index 330bf2c48..0eccd418a 100644 --- a/armsrc/appmain.c +++ b/armsrc/appmain.c @@ -1259,9 +1259,12 @@ static void PacketReceived(PacketCommandNG *packet) { case CMD_HF_ISO15693_SIMULATE: { struct p { uint8_t uid[8]; + uint8_t block_size; + int data_length; + uint8_t data[PM3_CMD_BLOB_SIZE]; } PACKED; struct p *payload = (struct p *) packet->data.asBytes; - SimTagIso15693(payload->uid); + SimTagIso15693(payload->uid, payload->block_size, payload->data_length, payload->data); break; } case CMD_HF_ISO15693_CSETUID: { diff --git a/armsrc/iso15693.c b/armsrc/iso15693.c index d4a7be85f..f754d3a3c 100644 --- a/armsrc/iso15693.c +++ b/armsrc/iso15693.c @@ -2100,7 +2100,7 @@ void Iso15693InitTag(void) { // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // all demodulation performed in arm rather than host. - greg -void SimTagIso15693(uint8_t *uid) { +void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t *image) { // free eventually allocated BigBuf memory BigBuf_free_keep_EM(); @@ -2109,12 +2109,14 @@ void SimTagIso15693(uint8_t *uid) { LED_A_ON(); - Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]); + if (image_length == -1) { + Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with no image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size); + } else { + Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with 0x%X bytes image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size, image_length); + } LED_C_ON(); - - enum { NO_FIELD, IDLE, ACTIVATED, SELECTED, HALTED } chip_state = NO_FIELD; bool button_pressed = false; @@ -2207,8 +2209,14 @@ void SimTagIso15693(uint8_t *uid) { resp_sysinfo[10] = 0; // DSFID resp_sysinfo[11] = 0; // AFI - resp_sysinfo[12] = 0x1B; // Memory size. - resp_sysinfo[13] = 0x03; // Memory size. + // Memory size. + if (image_length == -1) { + // use sensible default value if no image is provided + resp_sysinfo[12] = 0x1F; + } else { + resp_sysinfo[12] = image_length / block_size; + } + resp_sysinfo[13] = block_size - 1; // Memory size. resp_sysinfo[14] = 0x01; // IC reference. // CRC @@ -2221,28 +2229,71 @@ void SimTagIso15693(uint8_t *uid) { LogTrace_ISO15693(resp_sysinfo, CMD_SYSINFO_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); } - // READ_BLOCK - if ((cmd[1] == ISO15693_READBLOCK)) { + // READ_BLOCK and READ_MULTI_BLOCK + if ((cmd[1] == ISO15693_READBLOCK) || (cmd[1] == ISO15693_READ_MULTI_BLOCK)) { bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH); + bool option = cmd[0] & ISO15_REQ_OPTION; uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM; - // Build READ_BLOCK response - uint8_t resp_readblock[CMD_READBLOCK_RESP] = {0}; + uint8_t block_idx = 0; + uint8_t block_count = 1; + if (cmd[1] == ISO15693_READBLOCK) { + if (cmd_len == 13) { + // addressed mode + block_idx= cmd[10]; + } else if (cmd_len == 5) { + // non-addressed mode + block_idx = cmd[2]; + } + } else if (cmd[1] == ISO15693_READ_MULTI_BLOCK) { + if (cmd_len == 14) { + // addressed mode + block_idx= cmd[10]; + block_count= cmd[11] + 1; + } else if (cmd_len == 6) { + // non-addressed mode + block_idx = cmd[2]; + block_count = cmd[3] + 1; + } + } - resp_readblock[0] = 0; // Response flags. - resp_readblock[1] = 0; // Block data. - resp_readblock[2] = 0; // Block data. - resp_readblock[3] = 0; // Block data. - resp_readblock[4] = 0; // Block data. + // Build READ_(MULTI_)BLOCK response + int response_length = 3 + block_size * block_count; + int security_offset = 0; + if (option) { + response_length += block_count; + security_offset = 1; + } + uint8_t resp_readblock[response_length]; + for (int i = 0; i < response_length; i++) { + resp_readblock[i] = 0; + } + + resp_readblock[0] = 0; // Response flags + for (int j = 0; j < block_count; j++) { + // where to put the data of the current block + int work_offset = 1 + j * (block_size + security_offset); + if (option) { + resp_readblock[work_offset] = 0; // Security status + } + for (int i = 0; i < block_size; i++) { + // Block data + if (block_size * (block_idx + j + 1) <= image_length) { + resp_readblock[work_offset + security_offset + i] = image[block_size * (block_idx + j) + i]; + } else { + resp_readblock[work_offset + security_offset + i] = 0; + } + } + } // CRC - AddCrc15(resp_readblock, 5); - CodeIso15693AsTag(resp_readblock, CMD_READBLOCK_RESP); + AddCrc15(resp_readblock, response_length - 2); + CodeIso15693AsTag(resp_readblock, response_length); tosend_t *ts = get_tosend(); TransmitTo15693Reader(ts->buf, ts->max, &response_time, 0, slow); - LogTrace_ISO15693(resp_readblock, CMD_READBLOCK_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); + LogTrace_ISO15693(resp_readblock, response_length, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); } } diff --git a/armsrc/iso15693.h b/armsrc/iso15693.h index 277074189..3fd40e49a 100644 --- a/armsrc/iso15693.h +++ b/armsrc/iso15693.h @@ -46,7 +46,7 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo //void RecordRawAdcSamplesIso15693(void); void AcquireRawAdcSamplesIso15693(void); void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader -void SimTagIso15693(uint8_t *uid); // simulate an ISO15693 tag +void SimTagIso15693(uint8_t *uid, uint8_t block_size, int payload_length, uint8_t *payload); // simulate an ISO15693 tag void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c index aeda14380..c5a5677f2 100644 --- a/client/src/cmdhf15.c +++ b/client/src/cmdhf15.c @@ -1000,23 +1000,56 @@ static int CmdHF15Sim(const char *Cmd) { void *argtable[] = { arg_param_begin, arg_str1("u", "uid", "<8b hex>", "UID eg E011223344556677"), + arg_int0("b", "blocksize", "", "block size, defaults to 4"), + arg_str0("i", "image", "", "Memory image to load, defaults to zeros"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); struct { uint8_t uid[8]; + uint8_t block_size; + int image_length; + uint8_t image[PM3_CMD_BLOB_SIZE]; } PACKED payload; int uidlen = 0; CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen); - CLIParserFree(ctx); - if (uidlen != 8) { PrintAndLogEx(WARNING, "UID must include 16 HEX symbols"); return PM3_EINVARG; } + payload.block_size = arg_get_int_def(ctx, 2, 4); + + int fnlen = 0; + char filename[FILE_PATH_SIZE] = {0}; + CLIParamStrToBuf(arg_get_str(ctx, 3), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen); + CLIParserFree(ctx); + + if (fnlen > 0) { + uint8_t *image = NULL; + size_t image_len = 0; + if (loadFile_safe(filename, "", (void **)&image, &image_len) != PM3_SUCCESS) { + PrintAndLogEx(FAILED, "Could not open file " _YELLOW_("%s"), filename); + return PM3_EIO; + } + + if (image_len > PM3_CMD_BLOB_SIZE) { + PrintAndLogEx(WARNING, "Memory image to large for us"); + return PM3_EINVARG; + } + if (image_len % payload.block_size != 0) { + PrintAndLogEx(WARNING, "Memory image size not a multiple of the block size"); + return PM3_EINVARG; + } + payload.image_length = image_len; + memcpy(payload.image, image, image_len); + free(image); + } else { + payload.image_length = -1; + } + PrintAndLogEx(SUCCESS, "Starting simulating UID " _YELLOW_("%s"), iso15693_sprintUID(NULL, payload.uid)); PrintAndLogEx(INFO, "press " _YELLOW_("`Pm3 button`") " to cancel"); diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index 69d9fed5b..f2a8bc56a 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -27,6 +27,10 @@ #define PM3_CMD_DATA_SIZE 512 #define PM3_CMD_DATA_SIZE_MIX ( PM3_CMD_DATA_SIZE - 3 * sizeof(uint64_t) ) +/* To be used for commands with a big blob of data along with some other data (for which 32 bytes + * is put aside, so if there is more of it this is unsuitable). + */ +#define PM3_CMD_BLOB_SIZE ( PM3_CMD_DATA_SIZE - 32 ) typedef struct { uint64_t cmd;