RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-01-29 03:17:59 +08:00
Code Issues Projects Releases Packages Wiki Activity

Enhance simulation of ISO15693 devices.

Browse source 
This adds the following things:
- support for reading multiple blocks,
- configurable block size,
- ability to provide a memory image.
This commit is contained in:
Markus Walter 2022-08-26 09:29:15 +02:00
parent 745928e609
commit eef1ce9c33
5 changed files with 113 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
armsrc/appmain.c
View file

@ -1259,9 +1259,12 @@ static void PacketReceived(PacketCommandNG *packet) {
case CMD_HF_ISO15693_SIMULATE: { case CMD_HF_ISO15693_SIMULATE: {
struct p { struct p {
uint8_t uid[8]; uint8_t uid[8];
uint8_t block_size;
int data_length;
uint8_t data[PM3_CMD_BLOB_SIZE];
} PACKED; } PACKED;
struct p *payload = (struct p *) packet->data.asBytes; struct p *payload = (struct p *) packet->data.asBytes;
SimTagIso15693(payload->uid); SimTagIso15693(payload->uid, payload->block_size, payload->data_length, payload->data);
break; break;
} }
case CMD_HF_ISO15693_CSETUID: { case CMD_HF_ISO15693_CSETUID: {

87
armsrc/iso15693.c
View file

@ -2100,7 +2100,7 @@ void Iso15693InitTag(void) {
// Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands // Simulate an ISO15693 TAG, perform anti-collision and then print any reader commands
// all demodulation performed in arm rather than host. - greg // all demodulation performed in arm rather than host. - greg
void SimTagIso15693(uint8_t *uid) { void SimTagIso15693(uint8_t *uid, uint8_t block_size, int image_length, uint8_t *image) {
// free eventually allocated BigBuf memory // free eventually allocated BigBuf memory
BigBuf_free_keep_EM(); BigBuf_free_keep_EM();
@ -2109,12 +2109,14 @@ void SimTagIso15693(uint8_t *uid) {
LED_A_ON(); LED_A_ON();
Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7]); if (image_length == -1) {
Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with no image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size);
} else {
Dbprintf("ISO-15963 Simulating uid: %02X%02X%02X%02X%02X%02X%02X%02X block size %d with 0x%X bytes image", uid[0], uid[1], uid[2], uid[3], uid[4], uid[5], uid[6], uid[7], block_size, image_length);
}
LED_C_ON(); LED_C_ON();
enum { NO_FIELD, IDLE, ACTIVATED, SELECTED, HALTED } chip_state = NO_FIELD; enum { NO_FIELD, IDLE, ACTIVATED, SELECTED, HALTED } chip_state = NO_FIELD;
bool button_pressed = false; bool button_pressed = false;
@ -2207,8 +2209,14 @@ void SimTagIso15693(uint8_t *uid) {
resp_sysinfo[10] = 0; // DSFID resp_sysinfo[10] = 0; // DSFID
resp_sysinfo[11] = 0; // AFI resp_sysinfo[11] = 0; // AFI
resp_sysinfo[12] = 0x1B; // Memory size. // Memory size.
resp_sysinfo[13] = 0x03; // Memory size. if (image_length == -1) {
// use sensible default value if no image is provided
resp_sysinfo[12] = 0x1F;
} else {
resp_sysinfo[12] = image_length / block_size;
}
resp_sysinfo[13] = block_size - 1; // Memory size.
resp_sysinfo[14] = 0x01; // IC reference. resp_sysinfo[14] = 0x01; // IC reference.
// CRC // CRC
@ -2221,28 +2229,71 @@ void SimTagIso15693(uint8_t *uid) {
LogTrace_ISO15693(resp_sysinfo, CMD_SYSINFO_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); LogTrace_ISO15693(resp_sysinfo, CMD_SYSINFO_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false);
} }
// READ_BLOCK // READ_BLOCK and READ_MULTI_BLOCK
if ((cmd[1] == ISO15693_READBLOCK)) { if ((cmd[1] == ISO15693_READBLOCK) || (cmd[1] == ISO15693_READ_MULTI_BLOCK)) {
bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH); bool slow = !(cmd[0] & ISO15_REQ_DATARATE_HIGH);
bool option = cmd[0] & ISO15_REQ_OPTION;
uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM; uint32_t response_time = reader_eof_time + DELAY_ISO15693_VCD_TO_VICC_SIM;
// Build READ_BLOCK response uint8_t block_idx = 0;
uint8_t resp_readblock[CMD_READBLOCK_RESP] = {0}; uint8_t block_count = 1;
if (cmd[1] == ISO15693_READBLOCK) {
if (cmd_len == 13) {
// addressed mode
block_idx= cmd[10];
} else if (cmd_len == 5) {
// non-addressed mode
block_idx = cmd[2];
}
} else if (cmd[1] == ISO15693_READ_MULTI_BLOCK) {
if (cmd_len == 14) {
// addressed mode
block_idx= cmd[10];
block_count= cmd[11] + 1;
} else if (cmd_len == 6) {
// non-addressed mode
block_idx = cmd[2];
block_count = cmd[3] + 1;
}
}
resp_readblock[0] = 0; // Response flags. // Build READ_(MULTI_)BLOCK response
resp_readblock[1] = 0; // Block data. int response_length = 3 + block_size * block_count;
resp_readblock[2] = 0; // Block data. int security_offset = 0;
resp_readblock[3] = 0; // Block data. if (option) {
resp_readblock[4] = 0; // Block data. response_length += block_count;
security_offset = 1;
}
uint8_t resp_readblock[response_length];
for (int i = 0; i < response_length; i++) {
resp_readblock[i] = 0;
}
resp_readblock[0] = 0; // Response flags
for (int j = 0; j < block_count; j++) {
// where to put the data of the current block
int work_offset = 1 + j * (block_size + security_offset);
if (option) {
resp_readblock[work_offset] = 0; // Security status
}
for (int i = 0; i < block_size; i++) {
// Block data
if (block_size * (block_idx + j + 1) <= image_length) {
resp_readblock[work_offset + security_offset + i] = image[block_size * (block_idx + j) + i];
} else {
resp_readblock[work_offset + security_offset + i] = 0;
}
}
}
// CRC // CRC
AddCrc15(resp_readblock, 5); AddCrc15(resp_readblock, response_length - 2);
CodeIso15693AsTag(resp_readblock, CMD_READBLOCK_RESP); CodeIso15693AsTag(resp_readblock, response_length);
tosend_t *ts = get_tosend(); tosend_t *ts = get_tosend();
TransmitTo15693Reader(ts->buf, ts->max, &response_time, 0, slow); TransmitTo15693Reader(ts->buf, ts->max, &response_time, 0, slow);
LogTrace_ISO15693(resp_readblock, CMD_READBLOCK_RESP, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false); LogTrace_ISO15693(resp_readblock, response_length, response_time * 32, (response_time * 32) + (ts->max * 32 * 64), NULL, false);
} }
} }

2
armsrc/iso15693.h
View file

@ -46,7 +46,7 @@ int GetIso15693AnswerFromTag(uint8_t *response, uint16_t max_len, uint16_t timeo
//void RecordRawAdcSamplesIso15693(void); //void RecordRawAdcSamplesIso15693(void);
void AcquireRawAdcSamplesIso15693(void); void AcquireRawAdcSamplesIso15693(void);
void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader void ReaderIso15693(iso15_card_select_t *p_card); // ISO15693 reader
void SimTagIso15693(uint8_t *uid); // simulate an ISO15693 tag void SimTagIso15693(uint8_t *uid, uint8_t block_size, int payload_length, uint8_t *payload); // simulate an ISO15693 tag
void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag void BruteforceIso15693Afi(uint32_t speed); // find an AFI of a tag
void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI void DirectTag15693Command(uint32_t datalen, uint32_t speed, uint32_t recv, uint8_t *data); // send arbitrary commands from CLI

37
client/src/cmdhf15.c
View file

@ -1000,23 +1000,56 @@ static int CmdHF15Sim(const char *Cmd) {
void *argtable[] = { void *argtable[] = {
arg_param_begin, arg_param_begin,
arg_str1("u", "uid", "<8b hex>", "UID eg E011223344556677"), arg_str1("u", "uid", "<8b hex>", "UID eg E011223344556677"),
arg_int0("b", "blocksize", "<dec>", "block size, defaults to 4"),
arg_str0("i", "image", "<fn>", "Memory image to load, defaults to zeros"),
arg_param_end arg_param_end
}; };
CLIExecWithReturn(ctx, Cmd, argtable, false); CLIExecWithReturn(ctx, Cmd, argtable, false);
struct { struct {
uint8_t uid[8]; uint8_t uid[8];
uint8_t block_size;
int image_length;
uint8_t image[PM3_CMD_BLOB_SIZE];
} PACKED payload; } PACKED payload;
int uidlen = 0; int uidlen = 0;
CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen); CLIGetHexWithReturn(ctx, 1, payload.uid, &uidlen);
CLIParserFree(ctx);
if (uidlen != 8) { if (uidlen != 8) {
PrintAndLogEx(WARNING, "UID must include 16 HEX symbols"); PrintAndLogEx(WARNING, "UID must include 16 HEX symbols");
return PM3_EINVARG; return PM3_EINVARG;
} }
payload.block_size = arg_get_int_def(ctx, 2, 4);
int fnlen = 0;
char filename[FILE_PATH_SIZE] = {0};
CLIParamStrToBuf(arg_get_str(ctx, 3), (uint8_t *)filename, FILE_PATH_SIZE, &fnlen);
CLIParserFree(ctx);
if (fnlen > 0) {
uint8_t *image = NULL;
size_t image_len = 0;
if (loadFile_safe(filename, "", (void **)&image, &image_len) != PM3_SUCCESS) {
PrintAndLogEx(FAILED, "Could not open file " _YELLOW_("%s"), filename);
return PM3_EIO;
}
if (image_len > PM3_CMD_BLOB_SIZE) {
PrintAndLogEx(WARNING, "Memory image to large for us");
return PM3_EINVARG;
}
if (image_len % payload.block_size != 0) {
PrintAndLogEx(WARNING, "Memory image size not a multiple of the block size");
return PM3_EINVARG;
}
payload.image_length = image_len;
memcpy(payload.image, image, image_len);
free(image);
} else {
payload.image_length = -1;
}
PrintAndLogEx(SUCCESS, "Starting simulating UID " _YELLOW_("%s"), iso15693_sprintUID(NULL, payload.uid)); PrintAndLogEx(SUCCESS, "Starting simulating UID " _YELLOW_("%s"), iso15693_sprintUID(NULL, payload.uid));
PrintAndLogEx(INFO, "press " _YELLOW_("`Pm3 button`") " to cancel"); PrintAndLogEx(INFO, "press " _YELLOW_("`Pm3 button`") " to cancel");

4
include/pm3_cmd.h
View file

@ -27,6 +27,10 @@
#define PM3_CMD_DATA_SIZE 512 #define PM3_CMD_DATA_SIZE 512
#define PM3_CMD_DATA_SIZE_MIX ( PM3_CMD_DATA_SIZE - 3 * sizeof(uint64_t) ) #define PM3_CMD_DATA_SIZE_MIX ( PM3_CMD_DATA_SIZE - 3 * sizeof(uint64_t) )
/* To be used for commands with a big blob of data along with some other data (for which 32 bytes
* is put aside, so if there is more of it this is unsuitable).
*/
#define PM3_CMD_BLOB_SIZE ( PM3_CMD_DATA_SIZE - 32 )
typedef struct { typedef struct {
uint64_t cmd; uint64_t cmd;