diff --git a/application.fam b/application.fam index 94d328a0942..780999f7a83 100644 --- a/application.fam +++ b/application.fam @@ -9,7 +9,8 @@ App( "gui", ], stack_size=4 * 1024, - order=30, + fap_description="App to communicate with NFC tags using the PicoPass format", + fap_version="1.0", fap_icon="125_10px.png", fap_category="NFC", fap_libs=["mbedtls"], diff --git a/lib/loclass/optimized_cipher.c b/lib/loclass/optimized_cipher.c index 94df07bae8d..01d48817dde 100644 --- a/lib/loclass/optimized_cipher.c +++ b/lib/loclass/optimized_cipher.c @@ -280,7 +280,22 @@ void loclass_opt_doTagMAC_2( loclass_opt_output(div_key_p, &_init, mac); } -void loclass_iclass_calc_div_key(uint8_t* csn, uint8_t* key, uint8_t* div_key, bool elite) { +void loclass_opt_doBothMAC_2( + LoclassState_t _init, + uint8_t* nr, + uint8_t rmac[4], + uint8_t tmac[4], + const uint8_t* div_key_p) { + loclass_opt_suc(div_key_p, &_init, nr, 4, false); + // Save internal state for reuse before outputting + LoclassState_t nr_state = _init; + loclass_opt_output(div_key_p, &_init, rmac); + // Feed the 32 0 bits for the tag mac + loclass_opt_suc(div_key_p, &nr_state, NULL, 0, true); + loclass_opt_output(div_key_p, &nr_state, tmac); +} + +void loclass_iclass_calc_div_key(uint8_t* csn, const uint8_t* key, uint8_t* div_key, bool elite) { if(elite) { uint8_t keytable[128] = {0}; uint8_t key_index[8] = {0}; diff --git a/lib/loclass/optimized_cipher.h b/lib/loclass/optimized_cipher.h index 2158f0acf75..c96c97d8ae9 100644 --- a/lib/loclass/optimized_cipher.h +++ b/lib/loclass/optimized_cipher.h 
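Review bot: In the new `loclass_opt_doBothMAC_2`, `nr` is only read — it is fed to `loclass_opt_suc` with a fixed length of 4 — yet it is declared `uint8_t* nr`, while `div_key_p` is `const` and this same commit adds `const` to `key` in `loclass_iclass_calc_div_key`. Declaring it `const uint8_t nr[4]` here and in the matching prototype in the optimized_cipher.h hunk that follows would document the length the body relies on and let callers pass a received challenge without a cast; the prototype of `loclass_opt_suc` is not in view, so confirm it accepts a const pointer first. The body's two outputs are easy to confuse, so a header comment such as `// rmac: MAC over nr from the given state; tmac: same state continued with 32 zero bits` (which is what the two `loclass_opt_suc` calls do) would help, since the existing comments only describe the state copy.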
@@ -93,6 +93,21 @@ void loclass_opt_doTagMAC_2( uint8_t mac[4], const uint8_t* div_key_p); +/** + * The same as loclass_opt_doTagMAC_2, but calculates both the reader and tag MACs at the same time + * @param _init - precalculated cipher state + * @param nr - the reader challenge + * @param rmac - where to store the reader MAC + * @param tmac - where to store the tag MAC + * @param div_key_p - the key to use + */ +void loclass_opt_doBothMAC_2( + LoclassState_t _init, + uint8_t* nr, + uint8_t rmac[4], + uint8_t tmac[4], + const uint8_t* div_key_p); + void loclass_doMAC_N(uint8_t* in_p, uint8_t in_size, uint8_t* div_key_p, uint8_t mac[4]); -void loclass_iclass_calc_div_key(uint8_t* csn, uint8_t* key, uint8_t* div_key, bool elite); +void loclass_iclass_calc_div_key(uint8_t* csn, const uint8_t* key, uint8_t* div_key, bool elite); #endif // OPTIMIZED_CIPHER_H diff --git a/lib/loclass/optimized_elite.c b/lib/loclass/optimized_elite.c index 34e98706026..e198a410b13 100644 --- a/lib/loclass/optimized_elite.c +++ b/lib/loclass/optimized_elite.c @@ -153,7 +153,7 @@ Definition 14. Define the rotate key function loclass_rk : (F 82 ) 8 × N → (F loclass_rk(x [0] . . . x [7] , 0) = x [0] . . . x [7] loclass_rk(x [0] . . . x [7] , n + 1) = loclass_rk(loclass_rl(x [0] ) . . . loclass_rl(x [7] ), n) **/ -static void loclass_rk(uint8_t* key, uint8_t n, uint8_t* outp_key) { +static void loclass_rk(const uint8_t* key, uint8_t n, uint8_t* outp_key) { memcpy(outp_key, key, 8); uint8_t j; while(n-- > 0) { 
@@ -172,7 +172,7 @@ static void loclass_desdecrypt_iclass(uint8_t* iclass_key, uint8_t* input, uint8 mbedtls_des_crypt_ecb(&loclass_ctx_dec, input, output); } -static void loclass_desencrypt_iclass(uint8_t* iclass_key, uint8_t* input, uint8_t* output) { +static void loclass_desencrypt_iclass(const uint8_t* iclass_key, uint8_t* input, uint8_t* output) { uint8_t key_std_format[8] = {0}; loclass_permutekey_rev(iclass_key, key_std_format); mbedtls_des_setkey_enc(&loclass_ctx_enc, key_std_format); @@ -185,7 +185,7 @@ static void loclass_desencrypt_iclass(uint8_t* iclass_key, uint8_t* input, uint8 * @param loclass_hash1 loclass_hash1 * @param key_sel output key_sel=h[loclass_hash1[i]] */ -void loclass_hash2(uint8_t* key64, uint8_t* outp_keytable) { +void loclass_hash2(const uint8_t* key64, uint8_t* outp_keytable) { /** *Expected: * High Security Key Table diff --git a/lib/loclass/optimized_elite.h b/lib/loclass/optimized_elite.h index 5343ebb0740..fba512a864c 100644 --- a/lib/loclass/optimized_elite.h +++ b/lib/loclass/optimized_elite.h @@ -53,6 +53,6 @@ void loclass_permutekey_rev(const uint8_t key[8], uint8_t dest[8]); * @param k output */ void loclass_hash1(const uint8_t* csn, uint8_t* k); -void loclass_hash2(uint8_t* key64, uint8_t* outp_keytable); +void loclass_hash2(const uint8_t* key64, uint8_t* outp_keytable); #endif diff --git a/loclass_writer.c b/loclass_writer.c new file mode 100644 index 00000000000..273fa67eb39 --- /dev/null +++ b/loclass_writer.c 
@@ -0,0 +1,100 @@
+#include "loclass_writer.h"
+
+#include
+#include
+#include
+#include
+#include
+
+struct LoclassWriter {
+ Stream* file_stream;
+};
+
+#define LOCLASS_LOGS_PATH EXT_PATH("apps_data/picopass/.loclass.log")
+
+LoclassWriter* loclass_writer_alloc() {
+ LoclassWriter* instance = malloc(sizeof(LoclassWriter));
+ Storage* storage = furi_record_open(RECORD_STORAGE);
+ instance->file_stream = buffered_file_stream_alloc(storage);
+ if(!buffered_file_stream_open(
+ instance->file_stream, LOCLASS_LOGS_PATH, FSAM_WRITE, FSOM_OPEN_APPEND)) {
+ buffered_file_stream_close(instance->file_stream);
+ stream_free(instance->file_stream);
+ free(instance);
+ instance = NULL;
+ }
+
+ furi_record_close(RECORD_STORAGE);
+
+ return instance;
+}
+
+void loclass_writer_free(LoclassWriter* instance) {
+ furi_assert(instance != NULL);
+
+ buffered_file_stream_close(instance->file_stream);
+ stream_free(instance->file_stream);
+ free(instance);
+}
+
+bool loclass_writer_write_start_stop(LoclassWriter* instance, bool start) {
+ FuriHalRtcDateTime curr_dt;
+ furi_hal_rtc_get_datetime(&curr_dt);
+ uint32_t curr_ts = furi_hal_rtc_datetime_to_timestamp(&curr_dt);
+
+ FuriString* str = furi_string_alloc_printf(
+ "loclass-v1-info ts %lu %s\n", curr_ts, start ? 
"started" : "finished");
+ bool write_success = stream_write_string(instance->file_stream, str);
+ furi_string_free(str);
+ return write_success;
+}
+
+bool loclass_writer_write_params(
+ LoclassWriter* instance,
+ uint8_t log_no,
+ const uint8_t csn[8],
+ const uint8_t epurse[8],
+ const uint8_t nr[4],
+ const uint8_t mac[4]) {
+ furi_assert(instance != NULL);
+
+ FuriHalRtcDateTime curr_dt;
+ furi_hal_rtc_get_datetime(&curr_dt);
+ uint32_t curr_ts = furi_hal_rtc_datetime_to_timestamp(&curr_dt);
+
+ FuriString* str = furi_string_alloc_printf(
+ "loclass-v1-mac ts %lu no %u "
+ "csn %02x%02x%02x%02x%02x%02x%02x%02x "
+ "cc %02x%02x%02x%02x%02x%02x%02x%02x "
+ "nr %02x%02x%02x%02x "
+ "mac %02x%02x%02x%02x\n",
+ curr_ts,
+ log_no,
+ csn[0],
+ csn[1],
+ csn[2],
+ csn[3],
+ csn[4],
+ csn[5],
+ csn[6],
+ csn[7],
+ epurse[0],
+ epurse[1],
+ epurse[2],
+ epurse[3],
+ epurse[4],
+ epurse[5],
+ epurse[6],
+ epurse[7],
+ nr[0],
+ nr[1],
+ nr[2],
+ nr[3],
+ mac[0],
+ mac[1],
+ mac[2],
+ mac[3]);
+ bool write_success = stream_write_string(instance->file_stream, str);
+ furi_string_free(str);
+ return write_success;
+}
\ No newline at end of file
diff --git a/loclass_writer.h b/loclass_writer.h new file mode 100644
index 00000000000..dd7a4560cb9
--- /dev/null
+++ b/loclass_writer.h
@@ -0,0 +1,20 @@
+#pragma once
+
+#include
+#include
+
+typedef struct LoclassWriter LoclassWriter;
+
+LoclassWriter* loclass_writer_alloc();
+
+void loclass_writer_free(LoclassWriter* instance);
+
+bool loclass_writer_write_start_stop(LoclassWriter* instance, bool start);
+
+bool loclass_writer_write_params(
+ LoclassWriter* instance,
+ uint8_t log_no,
+ const uint8_t csn[8],
+ const uint8_t epurse[8],
+ const uint8_t nr[4],
+ const uint8_t mac[4]);
diff --git a/picopass.c b/picopass.c
index f984eec9947..5448a58f138 100644
--- a/picopass.c
+++ b/picopass.c 
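Review bot: `loclass_writer_write_start_stop` dereferences `instance->file_stream` without the `furi_assert(instance != NULL)` guard that `loclass_writer_write_params` in the same file starts with; add `furi_assert(instance != NULL);` as its first statement so both writers behave the same on a NULL handle, which `loclass_writer_alloc` can legitimately return. In `loclass_writer_alloc`, the failure path calls `buffered_file_stream_close` on a stream whose open has just failed; if that API is not a no-op for an unopened stream, `stream_free` alone is the right cleanup — confirm against the stream API before keeping the close. The definition `LoclassWriter* loclass_writer_alloc()` (and its prototype in the loclass_writer.h hunk below) would be better as `loclass_writer_alloc(void)`, since an empty parameter list in C leaves calls with stray arguments unchecked.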
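Review bot: The new header declares the writer API with no comment on its contract, and the implementation has two facts callers must know: `loclass_writer_alloc()` returns `NULL` when the log file cannot be opened for append, and both write functions return the result of `stream_write_string`, i.e. `false` on a failed write. Add a comment above `loclass_writer_alloc`, e.g. `/** Opens the loclass log for append; returns NULL if it cannot be opened. Release with loclass_writer_free(). */`, and above each write function a line stating that the bool is the write result. Naming the log location (`LOCLASS_LOGS_PATH`, `apps_data/picopass/.loclass.log` in loclass_writer.c) here would also tell a reader where the collected challenge/MAC records are kept on the SD card.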
@@ -68,6 +68,13 @@ Picopass* picopass_alloc() { PicopassViewTextInput, text_input_get_view(picopass->text_input)); + // Byte Input + picopass->byte_input = byte_input_alloc(); + view_dispatcher_add_view( + picopass->view_dispatcher, + PicopassViewByteInput, + byte_input_get_view(picopass->byte_input)); + // Custom Widget picopass->widget = widget_alloc(); view_dispatcher_add_view( @@ -79,6 +86,10 @@ Picopass* picopass_alloc() { PicopassViewDictAttack, dict_attack_get_view(picopass->dict_attack)); + picopass->loclass = loclass_alloc(); + view_dispatcher_add_view( + picopass->view_dispatcher, PicopassViewLoclass, loclass_get_view(picopass->loclass)); + return picopass; } @@ -105,6 +116,10 @@ void picopass_free(Picopass* picopass) { view_dispatcher_remove_view(picopass->view_dispatcher, PicopassViewTextInput); text_input_free(picopass->text_input); + // ByteInput + view_dispatcher_remove_view(picopass->view_dispatcher, PicopassViewByteInput); + byte_input_free(picopass->byte_input); + // Custom Widget view_dispatcher_remove_view(picopass->view_dispatcher, PicopassViewWidget); widget_free(picopass->widget); @@ -112,6 +127,9 @@ void picopass_free(Picopass* picopass) { view_dispatcher_remove_view(picopass->view_dispatcher, PicopassViewDictAttack); dict_attack_free(picopass->dict_attack); + view_dispatcher_remove_view(picopass->view_dispatcher, PicopassViewLoclass); + loclass_free(picopass->loclass); + // Worker picopass_worker_stop(picopass->worker); picopass_worker_free(picopass->worker); @@ -153,6 +171,13 @@ static const NotificationSequence picopass_sequence_blink_start_cyan = { NULL, }; +static const NotificationSequence picopass_sequence_blink_start_magenta = { + &message_blink_start_10, + &message_blink_set_color_magenta, + &message_do_not_reset, + NULL, +}; + static const NotificationSequence picopass_sequence_blink_stop = { &message_blink_stop, NULL, 
@@ -162,6 +187,10 @@ void picopass_blink_start(Picopass* picopass) { notification_message(picopass->notifications, &picopass_sequence_blink_start_cyan); } +void picopass_blink_emulate_start(Picopass* picopass) { + notification_message(picopass->notifications, &picopass_sequence_blink_start_magenta); +} + void picopass_blink_stop(Picopass* picopass) { notification_message(picopass->notifications, &picopass_sequence_blink_stop); } @@ -209,4 +238,4 @@ int32_t picopass_app(void* p) { picopass_free(picopass); return 0; -} \ No newline at end of file +} diff --git a/picopass_device.c b/picopass_device.c index de43b0bb7c5..52c39c44c92 100644 --- a/picopass_device.c +++ b/picopass_device.c @@ -68,13 +68,14 @@ static bool picopass_device_save_file( if(!flipper_format_write_uint32(file, "Facility Code", &fc, 1)) break; if(!flipper_format_write_uint32(file, "Card Number", &cn, 1)) break; if(!flipper_format_write_hex( - file, "Credential", pacs->credential, PICOPASS_BLOCK_LEN)) + file, "Credential", pacs->credential, RFAL_PICOPASS_BLOCK_LEN)) break; if(pacs->pin_length > 0) { - if(!flipper_format_write_hex(file, "PIN\t\t", pacs->pin0, PICOPASS_BLOCK_LEN)) + if(!flipper_format_write_hex( + file, "PIN\t\t", pacs->pin0, RFAL_PICOPASS_BLOCK_LEN)) break; if(!flipper_format_write_hex( - file, "PIN(cont.)\t", pacs->pin1, PICOPASS_BLOCK_LEN)) + file, "PIN(cont.)\t", pacs->pin1, RFAL_PICOPASS_BLOCK_LEN)) break; } } @@ -88,7 +89,10 @@ static bool picopass_device_save_file( for(size_t i = 0; i < app_limit; i++) { furi_string_printf(temp_str, "Block %d", i); if(!flipper_format_write_hex( - file, furi_string_get_cstr(temp_str), AA1[i].data, PICOPASS_BLOCK_LEN)) { + file, + furi_string_get_cstr(temp_str), + AA1[i].data, + RFAL_PICOPASS_BLOCK_LEN)) { block_saved = false; break; } 
@@ -162,7 +166,7 @@ static bool picopass_device_load_data(PicopassDevice* dev, FuriString* path, boo for(size_t i = 0; i < 6; i++) { furi_string_printf(temp_str, "Block %d", i); if(!flipper_format_read_hex( - file, furi_string_get_cstr(temp_str), AA1[i].data, PICOPASS_BLOCK_LEN)) { + file, furi_string_get_cstr(temp_str), AA1[i].data, RFAL_PICOPASS_BLOCK_LEN)) { block_read = false; break; } @@ -174,7 +178,7 @@ static bool picopass_device_load_data(PicopassDevice* dev, FuriString* path, boo for(size_t i = 6; i < app_limit; i++) { furi_string_printf(temp_str, "Block %d", i); if(!flipper_format_read_hex( - file, furi_string_get_cstr(temp_str), AA1[i].data, PICOPASS_BLOCK_LEN)) { + file, furi_string_get_cstr(temp_str), AA1[i].data, RFAL_PICOPASS_BLOCK_LEN)) { block_read = false; break; } @@ -338,9 +342,9 @@ ReturnCode picopass_device_parse_credential(PicopassBlock* AA1, PicopassPacs* pa } } else if(pacs->encryption == PicopassDeviceEncryptionNone) { FURI_LOG_D(TAG, "No Encryption"); - memcpy(pacs->credential, AA1[7].data, PICOPASS_BLOCK_LEN); - memcpy(pacs->pin0, AA1[8].data, PICOPASS_BLOCK_LEN); - memcpy(pacs->pin1, AA1[9].data, PICOPASS_BLOCK_LEN); + memcpy(pacs->credential, AA1[7].data, RFAL_PICOPASS_BLOCK_LEN); + memcpy(pacs->pin0, AA1[8].data, RFAL_PICOPASS_BLOCK_LEN); + memcpy(pacs->pin1, AA1[9].data, RFAL_PICOPASS_BLOCK_LEN); } else if(pacs->encryption == PicopassDeviceEncryptionDES) { FURI_LOG_D(TAG, "DES Encrypted"); } else { diff --git a/picopass_device.h b/picopass_device.h index b45df346cf2..026421193d7 100644 --- a/picopass_device.h +++ b/picopass_device.h 
@@ -7,23 +7,38 @@ #include #include "rfal_picopass.h" +#include "loclass_writer.h" #include #include #include "helpers/iclass_elite_dict.h" #define PICOPASS_DEV_NAME_MAX_LEN 22 #define PICOPASS_READER_DATA_MAX_SIZE 64 -#define PICOPASS_BLOCK_LEN 8 #define PICOPASS_MAX_APP_LIMIT 32 #define PICOPASS_CSN_BLOCK_INDEX 0 #define PICOPASS_CONFIG_BLOCK_INDEX 1 -#define PICOPASS_EPURSE_BLOCK_INDEX 2 -#define PICOPASS_KD_BLOCK_INDEX 3 -#define PICOPASS_KC_BLOCK_INDEX 4 -#define PICOPASS_AIA_BLOCK_INDEX 5 -#define PICOPASS_PACS_CFG_BLOCK_INDEX 6 - +// These definitions for blocks above 2 only hold for secure cards. +#define PICOPASS_SECURE_EPURSE_BLOCK_INDEX 2 +#define PICOPASS_SECURE_KD_BLOCK_INDEX 3 +#define PICOPASS_SECURE_KC_BLOCK_INDEX 4 +#define PICOPASS_SECURE_AIA_BLOCK_INDEX 5 +// Non-secure cards instead have an AIA at block 2 +#define PICOPASS_NONSECURE_AIA_BLOCK_INDEX 2 +// Only iClass cards +#define PICOPASS_ICLASS_PACS_CFG_BLOCK_INDEX 6 + +// Personalization Mode +#define PICOPASS_FUSE_PERS 0x80 +// Crypt1 // 1+1 (crypt1+crypt0) means secured and keys changable +#define PICOPASS_FUSE_CRYPT1 0x10 +// Crypt0 // 1+0 means secure and keys locked, 0+1 means not secured, 0+0 means disable auth entirely +#define PICOPASS_FUSE_CRTPT0 0x08 +#define PICOPASS_FUSE_CRYPT10 (PICOPASS_FUSE_CRYPT1 | PICOPASS_FUSE_CRTPT0) +// Read Access, 1 meanns anonymous read enabled, 0 means must auth to read applicaion +#define PICOPASS_FUSE_RA 0x01 + +#define PICOPASS_APP_FOLDER ANY_PATH("picopass") #define PICOPASS_APP_EXTENSION ".picopass" #define PICOPASS_APP_SHADOW_EXTENSION ".pas" @@ -49,6 +64,13 @@ typedef enum { PicopassDeviceSaveFormatLF, } PicopassDeviceSaveFormat; +typedef enum { + PicopassEmulatorStateHalt, + PicopassEmulatorStateIdle, + PicopassEmulatorStateActive, + PicopassEmulatorStateSelected, +} PicopassEmulatorState; + typedef struct { bool valid; uint8_t bitLength; 
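Review bot: The new fuse macro `PICOPASS_FUSE_CRTPT0` is misspelled — its neighbours are `PICOPASS_FUSE_CRYPT1` and `PICOPASS_FUSE_CRYPT10` — and it is already referenced from `PICOPASS_FUSE_CRYPT10`, so the typo will propagate into every later use; rename it to `PICOPASS_FUSE_CRYPT0` now, `#define PICOPASS_FUSE_CRYPT10 (PICOPASS_FUSE_CRYPT1 | PICOPASS_FUSE_CRYPT0)`. The comments on the same lines carry typos (`changable`, `meanns`, `applicaion`) and the doubled `// Crypt1 // 1+1 ...` form reads oddly; e.g. `// Crypt1: together with Crypt0 (1+1) the card is secured and keys are changeable`. The `PicopassEmulatorState` enum added in the second hunk has no comment on what Halt, Idle, Active and Selected mean; a one-line comment per value would spare readers of the emulator code a trip through the state machine.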
@@ -72,7 +94,7 @@ typedef struct { } PicopassPacs; typedef struct { - uint8_t data[PICOPASS_BLOCK_LEN]; + uint8_t data[RFAL_PICOPASS_BLOCK_LEN]; } PicopassBlock; typedef struct { @@ -81,6 +103,15 @@ typedef struct { IclassEliteDictAttackData iclass_elite_dict_attack_data; } PicopassDeviceData; +typedef struct { + PicopassEmulatorState state; + LoclassState_t cipher_state; + uint8_t key_block_num; // in loclass mode used to store csn# + bool loclass_mode; + bool loclass_got_std_key; + LoclassWriter* loclass_writer; +} PicopassEmulatorCtx; + typedef struct { Storage* storage; DialogsApp* dialogs; diff --git a/picopass_i.h b/picopass_i.h index 9147cfa0cfe..77952cdb004 100644 --- a/picopass_i.h +++ b/picopass_i.h @@ -16,12 +16,14 @@ #include #include #include +#include #include #include #include "scenes/picopass_scene.h" #include "views/dict_attack.h" +#include "views/loclass.h" #include #include @@ -29,6 +31,10 @@ #define PICOPASS_TEXT_STORE_SIZE 128 +#define LOCLASS_NUM_CSNS 9 +// Collect 2 MACs per CSN to account for keyroll modes +#define LOCLASS_MACS_TO_COLLECT (LOCLASS_NUM_CSNS * 2) + enum PicopassCustomEvent { // Reserve first 100 events for button types and indexes, starting from 0 PicopassCustomEventReserved = 100, @@ -55,14 +61,17 @@ struct Picopass { char text_store[PICOPASS_TEXT_STORE_SIZE + 1]; FuriString* text_box_store; + uint8_t byte_input_store[RFAL_PICOPASS_BLOCK_LEN]; // Common Views Submenu* submenu; Popup* popup; Loading* loading; TextInput* text_input; + ByteInput* byte_input; Widget* widget; DictAttack* dict_attack; + Loclass* loclass; }; typedef enum { @@ -70,8 +79,10 @@ typedef enum { PicopassViewPopup, PicopassViewLoading, PicopassViewTextInput, + PicopassViewByteInput, PicopassViewWidget, PicopassViewDictAttack, + PicopassViewLoclass, } PicopassView; Picopass* picopass_alloc(); 
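Review bot: `key_block_num` in the new `PicopassEmulatorCtx` is overloaded: the trailing comment says it doubles as the CSN counter in loclass mode, so a reader of code that uses it as a block index has to know which mode is active before the field's meaning is clear. A dedicated `uint8_t loclass_csn_num;` next to `loclass_mode` (or a union with a mode comment) keeps the two meanings apart at no cost. If the overload is kept, the comment should at least spell out the convention rather than `csn#`, e.g. `// block index of the key; in loclass mode the MAC collection counter (2 per CSN, see LOCLASS_MACS_TO_COLLECT)`.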
@@ -82,6 +93,8 @@ void picopass_text_store_clear(Picopass* picopass); void picopass_blink_start(Picopass* picopass); +void picopass_blink_emulate_start(Picopass* picopass); + void picopass_blink_stop(Picopass* picopass); void picopass_show_loading_popup(void* context, bool show); diff --git a/picopass_keys.h b/picopass_keys.h index 2b5dba66106..dc43fc68bcf 100644 --- a/picopass_keys.h +++ b/picopass_keys.h @@ -2,9 +2,9 @@ #include "picopass_device.h" -extern const uint8_t picopass_iclass_key[PICOPASS_BLOCK_LEN]; -extern const uint8_t picopass_factory_credit_key[PICOPASS_BLOCK_LEN]; -extern const uint8_t picopass_factory_debit_key[PICOPASS_BLOCK_LEN]; -extern const uint8_t picopass_xice_key[PICOPASS_BLOCK_LEN]; -extern const uint8_t picopass_xicl_key[PICOPASS_BLOCK_LEN]; -extern const uint8_t picopass_xics_key[PICOPASS_BLOCK_LEN]; +extern const uint8_t picopass_iclass_key[RFAL_PICOPASS_BLOCK_LEN]; +extern const uint8_t picopass_factory_credit_key[RFAL_PICOPASS_BLOCK_LEN]; +extern const uint8_t picopass_factory_debit_key[RFAL_PICOPASS_BLOCK_LEN]; +extern const uint8_t picopass_xice_key[RFAL_PICOPASS_BLOCK_LEN]; +extern const uint8_t picopass_xicl_key[RFAL_PICOPASS_BLOCK_LEN]; +extern const uint8_t picopass_xics_key[RFAL_PICOPASS_BLOCK_LEN]; diff --git a/picopass_worker.c b/picopass_worker.c index d7f7cf144c3..a0aac623115 100644 --- a/picopass_worker.c +++ b/picopass_worker.c 
@@ -1,12 +1,28 @@ #include "picopass_worker_i.h" #include +#include #define TAG "PicopassWorker" +#define HAS_MASK(x, b) ((x & b) == b) + +// CSNs from Proxmark3 repo +static const uint8_t loclass_csns[LOCLASS_NUM_CSNS][RFAL_PICOPASS_BLOCK_LEN] = { + {0x01, 0x0A, 0x0F, 0xFF, 0xF7, 0xFF, 0x12, 0xE0}, + {0x0C, 0x06, 0x0C, 0xFE, 0xF7, 0xFF, 0x12, 0xE0}, + {0x10, 0x97, 0x83, 0x7B, 0xF7, 0xFF, 0x12, 0xE0}, + {0x13, 0x97, 0x82, 0x7A, 0xF7, 0xFF, 0x12, 0xE0}, + {0x07, 0x0E, 0x0D, 0xF9, 0xF7, 0xFF, 0x12, 0xE0}, + {0x14, 0x96, 0x84, 0x76, 0xF7, 0xFF, 0x12, 0xE0}, + {0x17, 0x96, 0x85, 0x71, 0xF7, 0xFF, 0x12, 0xE0}, + {0xCE, 0xC5, 0x0F, 0x77, 0xF7, 0xFF, 0x12, 0xE0}, + {0xD2, 0x5A, 0x82, 0xF8, 0xF7, 0xFF, 0x12, 0xE0}, +}; + static void picopass_worker_enable_field() { - furi_hal_nfc_ll_txrx_on(); furi_hal_nfc_exit_sleep(); + furi_hal_nfc_ll_txrx_on(); furi_hal_nfc_ll_poll(); } @@ -68,6 +84,21 @@ void picopass_worker_stop(PicopassWorker* picopass_worker) { furi_assert(picopass_worker); furi_assert(picopass_worker->thread); + if(furi_thread_get_state(picopass_worker->thread) == FuriThreadStateStopped) { + return; + } + + if(picopass_worker->state == PicopassWorkerStateBroken || + picopass_worker->state == PicopassWorkerStateReady) { + return; + } + + if(picopass_worker->state != PicopassWorkerStateEmulate && + picopass_worker->state != PicopassWorkerStateLoclass) { + // Can't do this while emulating in transparent mode as SPI isn't active + picopass_worker_disable_field(ERR_NONE); + } + if(furi_thread_get_state(picopass_worker->thread) != FuriThreadStateStopped) { picopass_worker_change_state(picopass_worker, PicopassWorkerStateStop); furi_thread_join(picopass_worker->thread); @@ -99,7 +130,7 @@ ReturnCode picopass_detect_card(int timeout) { err = rfalPicoPassPollerCheckPresence(); if(err != ERR_RF_COLLISION) { - //FURI_LOG_E(TAG, "rfalPicoPassPollerCheckPresence error %d", err); + FURI_LOG_E(TAG, "rfalPicoPassPollerCheckPresence error %d", err); return err; } 
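Review bot: `#define HAS_MASK(x, b) ((x & b) == b)` does not parenthesize its arguments, so an invocation like `HAS_MASK(fuses, A | B)` expands with the wrong precedence; write it as `#define HAS_MASK(x, b) (((x) & (b)) == (b))`. In `picopass_detect_card`, the re-enabled `FURI_LOG_E` now fires for every result other than `ERR_RF_COLLISION`, which presumably includes the plain no-card timeout that `picopass_worker_write_key` polls for once a second, so the error log will fill with expected events; logging at debug level, or only for results other than a timeout, would keep the level meaningful. The new early returns in `picopass_worker_stop` skip the `furi_thread_join` when the state is Broken or Ready although the thread is known to be running at that point; if those states mean the thread is about to exit on its own, a comment saying so would prevent the next reader from treating it as a lost join.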
@@ -153,19 +184,19 @@ ReturnCode picopass_read_preauth(PicopassBlock* AA1) { AA1[PICOPASS_CONFIG_BLOCK_INDEX].data[7]); rfalPicoPassReadBlockRes aia; - rfalPicoPassPollerReadBlock(PICOPASS_AIA_BLOCK_INDEX, &aia); - memcpy(AA1[PICOPASS_AIA_BLOCK_INDEX].data, aia.data, sizeof(aia.data)); + rfalPicoPassPollerReadBlock(PICOPASS_SECURE_AIA_BLOCK_INDEX, &aia); + memcpy(AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data, aia.data, sizeof(aia.data)); FURI_LOG_D( TAG, "aia %02x%02x%02x%02x%02x%02x%02x%02x", - AA1[PICOPASS_AIA_BLOCK_INDEX].data[0], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[1], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[2], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[3], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[4], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[5], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[6], - AA1[PICOPASS_AIA_BLOCK_INDEX].data[7]); + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[0], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[1], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[2], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[3], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[4], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[5], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[6], + AA1[PICOPASS_SECURE_AIA_BLOCK_INDEX].data[7]); return ERR_NONE; } @@ -181,7 +212,7 @@ static ReturnCode PicopassPacs* pacs = &dev_data->pacs; uint8_t* csn = AA1[PICOPASS_CSN_BLOCK_INDEX].data; - uint8_t* div_key = AA1[PICOPASS_KD_BLOCK_INDEX].data; + uint8_t* div_key = AA1[PICOPASS_SECURE_KD_BLOCK_INDEX].data; ReturnCode err = ERR_PARAM; @@ -189,7 +220,7 @@ static ReturnCode uint8_t ccnr[12] = {0}; size_t index = 0; - uint8_t key[PICOPASS_BLOCK_LEN] = {0}; + uint8_t key[RFAL_PICOPASS_BLOCK_LEN] = {0}; if(!iclass_elite_dict_check_presence(dict_type)) { FURI_LOG_E(TAG, "Dictionary not found"); @@ -230,7 +261,7 @@ static ReturnCode err = rfalPicoPassPollerCheck(mac, &chkRes); if(err == ERR_NONE) { - memcpy(pacs->key, key, PICOPASS_BLOCK_LEN); + memcpy(pacs->key, key, RFAL_PICOPASS_BLOCK_LEN); break; } 
@@ -274,7 +305,7 @@ ReturnCode picopass_read_card(PicopassBlock* AA1) { PICOPASS_MAX_APP_LIMIT; for(size_t i = 2; i < app_limit; i++) { - if(i == PICOPASS_KD_BLOCK_INDEX) { + if(i == PICOPASS_SECURE_KD_BLOCK_INDEX) { // Skip over Kd block which is populated earlier (READ of Kd returns all FF's) continue; } @@ -349,7 +380,7 @@ ReturnCode picopass_write_card(PicopassBlock* AA1) { FURI_LOG_D(TAG, "rfalPicoPassPollerWriteBlock %d", i); uint8_t data[9] = {0}; data[0] = i; - memcpy(data + 1, AA1[i].data, RFAL_PICOPASS_MAX_BLOCK_LEN); + memcpy(data + 1, AA1[i].data, RFAL_PICOPASS_BLOCK_LEN); loclass_doMAC_N(data, sizeof(data), div_key, mac); FURI_LOG_D( TAG, @@ -408,12 +439,12 @@ ReturnCode picopass_write_block(PicopassBlock* AA1, uint8_t blockNo, uint8_t* ne } memcpy(ccnr, rcRes.CCNR, sizeof(rcRes.CCNR)); // last 4 bytes left 0 - if(memcmp(selRes.CSN, AA1[PICOPASS_CSN_BLOCK_INDEX].data, PICOPASS_BLOCK_LEN) != 0) { + if(memcmp(selRes.CSN, AA1[PICOPASS_CSN_BLOCK_INDEX].data, RFAL_PICOPASS_BLOCK_LEN) != 0) { FURI_LOG_E(TAG, "Wrong CSN for write"); return ERR_REQUEST; } - loclass_opt_doReaderMAC(ccnr, AA1[PICOPASS_KD_BLOCK_INDEX].data, mac); + loclass_opt_doReaderMAC(ccnr, AA1[PICOPASS_SECURE_KD_BLOCK_INDEX].data, mac); err = rfalPicoPassPollerCheck(mac, &chkRes); if(err != ERR_NONE) { FURI_LOG_E(TAG, "rfalPicoPassPollerCheck error %d", err); @@ -431,7 +462,7 @@ ReturnCode picopass_write_block(PicopassBlock* AA1, uint8_t blockNo, uint8_t* ne newBlock[5], newBlock[6], newBlock[7]}; - loclass_doMAC_N(data, sizeof(data), AA1[PICOPASS_KD_BLOCK_INDEX].data, mac); + loclass_doMAC_N(data, sizeof(data), AA1[PICOPASS_SECURE_KD_BLOCK_INDEX].data, mac); FURI_LOG_D( TAG, "loclass_doMAC_N %d %02x%02x%02x%02x%02x%02x%02x%02x %02x%02x%02x%02x", 
@@ -484,7 +515,7 @@ void picopass_worker_elite_dict_attack(PicopassWorker* picopass_worker) { uint8_t ccnr[12] = {0}; size_t index = 0; - uint8_t key[PICOPASS_BLOCK_LEN] = {0}; + uint8_t key[RFAL_PICOPASS_BLOCK_LEN] = {0}; // Load dictionary IclassEliteDict* dict = dict_attack_data->dict; @@ -541,7 +572,7 @@ void picopass_worker_elite_dict_attack(PicopassWorker* picopass_worker) { memcpy(ccnr, rcRes.CCNR, sizeof(rcRes.CCNR)); // last 4 bytes left 0 uint8_t* csn = AA1[PICOPASS_CSN_BLOCK_INDEX].data; - uint8_t* div_key = AA1[PICOPASS_KD_BLOCK_INDEX].data; + uint8_t* div_key = AA1[PICOPASS_SECURE_KD_BLOCK_INDEX].data; loclass_iclass_calc_div_key(csn, key, div_key, elite); loclass_opt_doReaderMAC(ccnr, div_key, mac); @@ -549,7 +580,7 @@ void picopass_worker_elite_dict_attack(PicopassWorker* picopass_worker) { err = rfalPicoPassPollerCheck(mac, &chkRes); if(err == ERR_NONE) { FURI_LOG_I(TAG, "Found key"); - memcpy(pacs->key, key, PICOPASS_BLOCK_LEN); + memcpy(pacs->key, key, RFAL_PICOPASS_BLOCK_LEN); pacs->elite_kdf = elite; err = picopass_read_card(AA1); if(err != ERR_NONE) { 
@@ -588,15 +619,22 @@ void picopass_worker_elite_dict_attack(PicopassWorker* picopass_worker) { int32_t picopass_worker_task(void* context) { PicopassWorker* picopass_worker = context; - picopass_worker_enable_field(); if(picopass_worker->state == PicopassWorkerStateDetect) { + picopass_worker_enable_field(); picopass_worker_detect(picopass_worker); } else if(picopass_worker->state == PicopassWorkerStateWrite) { + picopass_worker_enable_field(); picopass_worker_write(picopass_worker); } else if(picopass_worker->state == PicopassWorkerStateWriteKey) { + picopass_worker_enable_field(); picopass_worker_write_key(picopass_worker); } else if(picopass_worker->state == PicopassWorkerStateEliteDictAttack) { + picopass_worker_enable_field(); picopass_worker_elite_dict_attack(picopass_worker); + } else if(picopass_worker->state == PicopassWorkerStateEmulate) { + picopass_worker_emulate(picopass_worker, false); + } else if(picopass_worker->state == PicopassWorkerStateLoclass) { + picopass_worker_emulate(picopass_worker, true); } else if(picopass_worker->state == PicopassWorkerStateStop) { FURI_LOG_D(TAG, "Worker state stop"); // no-op @@ -718,9 +756,9 @@ void picopass_worker_write_key(PicopassWorker* picopass_worker) { uint8_t* csn = AA1[PICOPASS_CSN_BLOCK_INDEX].data; uint8_t* configBlock = AA1[PICOPASS_CONFIG_BLOCK_INDEX].data; uint8_t fuses = configBlock[7]; - uint8_t* oldKey = AA1[PICOPASS_KD_BLOCK_INDEX].data; + uint8_t* oldKey = AA1[PICOPASS_SECURE_KD_BLOCK_INDEX].data; - uint8_t newKey[PICOPASS_BLOCK_LEN] = {0}; + uint8_t newKey[RFAL_PICOPASS_BLOCK_LEN] = {0}; loclass_iclass_calc_div_key(csn, pacs->key, newKey, pacs->elite_kdf); if((fuses & 0x80) == 0x80) { 
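Review bot: `picopass_worker_write_key` still tests the personalization fuse with the literal `if((fuses & 0x80) == 0x80)` although this commit introduces `PICOPASS_FUSE_PERS` (0x80) in picopass_device.h and `HAS_MASK` at the top of this file for exactly that purpose; `if(HAS_MASK(fuses, PICOPASS_FUSE_PERS)) {` would tie the check to the new definitions instead of a duplicate magic number. In `picopass_worker_task`, the `Emulate` and `Loclass` branches deliberately omit `picopass_worker_enable_field()`, but the reason only appears in `picopass_worker_stop`; a comment on those branches, e.g. `// emulation runs in transparent mode; the poller field is not enabled here (see picopass_worker_stop)`, would stop someone from "fixing" the asymmetry. The `else if` chain has no final `else`, so an unexpected state leaves the worker silently doing nothing; a `FURI_LOG_D` in a trailing `else` would make that visible.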
@@ -728,14 +766,14 @@ void picopass_worker_write_key(PicopassWorker* picopass_worker) { } else { FURI_LOG_D(TAG, "XOR write for application mode key change"); // XOR when in application mode - for(size_t i = 0; i < PICOPASS_BLOCK_LEN; i++) { + for(size_t i = 0; i < RFAL_PICOPASS_BLOCK_LEN; i++) { newKey[i] ^= oldKey[i]; } } while(picopass_worker->state == PicopassWorkerStateWriteKey) { if(picopass_detect_card(1000) == ERR_NONE) { - err = picopass_write_block(AA1, PICOPASS_KD_BLOCK_INDEX, newKey); + err = picopass_write_block(AA1, PICOPASS_SECURE_KD_BLOCK_INDEX, newKey); if(err != ERR_NONE) { FURI_LOG_E(TAG, "picopass_write_block error %d", err); nextState = PicopassWorkerEventFail; 
@@ -750,3 +788,488 @@ void picopass_worker_write_key(PicopassWorker* picopass_worker) { furi_delay_ms(100); } } + +// from proxmark3 armsrc/iclass.c rotateCSN +static void picopass_anticoll_csn(uint8_t* rotated_csn, const uint8_t* original_csn) { + for(uint8_t i = 0; i < 8; i++) { + rotated_csn[i] = (original_csn[i] >> 3) | (original_csn[(i + 1) % 8] << 5); + } +} + +static void picopass_append_crc(uint8_t* buf, uint16_t size) { + uint16_t crc = rfalPicoPassCalculateCcitt(0xE012, buf, size); + + buf[size] = crc & 0xFF; + buf[size + 1] = crc >> 8; +} + +static inline void picopass_emu_read_blocks( + NfcVData* nfcv_data, + uint8_t* buf, + uint8_t block_num, + uint8_t block_count) { + memcpy( + buf, + nfcv_data->data + (block_num * RFAL_PICOPASS_BLOCK_LEN), + block_count * RFAL_PICOPASS_BLOCK_LEN); +} + +static inline void picopass_emu_write_blocks( + NfcVData* nfcv_data, + const uint8_t* buf, + uint8_t block_num, + uint8_t block_count) { + memcpy( + nfcv_data->data + (block_num * RFAL_PICOPASS_BLOCK_LEN), + buf, + block_count * RFAL_PICOPASS_BLOCK_LEN); +} + +static void picopass_init_cipher_state(NfcVData* nfcv_data, PicopassEmulatorCtx* ctx) { + uint8_t cc[RFAL_PICOPASS_BLOCK_LEN]; + uint8_t key[RFAL_PICOPASS_BLOCK_LEN]; + + picopass_emu_read_blocks(nfcv_data, cc, PICOPASS_SECURE_EPURSE_BLOCK_INDEX, 1); + picopass_emu_read_blocks(nfcv_data, key, ctx->key_block_num, 1); + + ctx->cipher_state = loclass_opt_doTagMAC_1(cc, key); +} + +static void + loclass_update_csn(FuriHalNfcDevData* nfc_data, NfcVData* nfcv_data, PicopassEmulatorCtx* ctx) { + // collect two nonces in a row for each CSN + uint8_t csn_num = (ctx->key_block_num / 2) % LOCLASS_NUM_CSNS; + memcpy(nfc_data->uid, loclass_csns[csn_num], RFAL_PICOPASS_BLOCK_LEN); + picopass_emu_write_blocks(nfcv_data, loclass_csns[csn_num], PICOPASS_CSN_BLOCK_INDEX, 1); +} + +static void picopass_emu_handle_packet( + FuriHalNfcTxRxContext* tx_rx, + FuriHalNfcDevData* nfc_data, + void* nfcv_data_in) { + NfcVData* nfcv_data = 
(NfcVData*)nfcv_data_in; + PicopassEmulatorCtx* ctx = nfcv_data->emu_protocol_ctx; + uint8_t response[34]; + uint8_t response_length = 0; + uint8_t key_block_num = PICOPASS_SECURE_KD_BLOCK_INDEX; + + const uint8_t block_ff[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; + + if(nfcv_data->frame_length < 1) { + return; + } + + switch(nfcv_data->frame[0]) { + case RFAL_PICOPASS_CMD_ACTALL: // No args + if(nfcv_data->frame_length != 1) { + return; + } + + if(ctx->state != PicopassEmulatorStateHalt) { + ctx->state = PicopassEmulatorStateActive; + } + + // Send SOF only + break; + case RFAL_PICOPASS_CMD_ACT: // No args + if(nfcv_data->frame_length != 1 || ctx->state != PicopassEmulatorStateActive) { + return; + } + + // Send SOF only + break; + case RFAL_PICOPASS_CMD_HALT: // No args + if(nfcv_data->frame_length != 1 || ctx->state != PicopassEmulatorStateSelected) { + return; + } + + // Technically we should go to StateHalt, but since we can't detect the field dropping we drop to idle instead + ctx->state = PicopassEmulatorStateIdle; + + // Send SOF only + break; + case RFAL_PICOPASS_CMD_READ_OR_IDENTIFY: + if(nfcv_data->frame_length == 1 && + ctx->state == PicopassEmulatorStateActive) { // PICOPASS_CMD_IDENTIFY + // ASNB(8) CRC16(2) + picopass_anticoll_csn(response, nfc_data->uid); + picopass_append_crc(response, RFAL_PICOPASS_BLOCK_LEN); + response_length = RFAL_PICOPASS_BLOCK_LEN + 2; + break; + } else if( + nfcv_data->frame_length == 4 && + ctx->state == PicopassEmulatorStateSelected) { // PICOPASS_CMD_READ ADDRESS(1) CRC16(2) + if(nfcv_data->frame[1] >= PICOPASS_MAX_APP_LIMIT) { + return; + } + + // TODO: Check CRC? + // TODO: Check auth? 
+ + // DATA(8) CRC16(2) + if(nfcv_data->frame[1] == PICOPASS_SECURE_KD_BLOCK_INDEX || + nfcv_data->frame[1] == PICOPASS_SECURE_KC_BLOCK_INDEX) { + // Reading Kd or Kc blocks always returns FF's + memcpy(response, block_ff, RFAL_PICOPASS_BLOCK_LEN); + } else { + picopass_emu_read_blocks(nfcv_data, response, nfcv_data->frame[1], 1); + } + picopass_append_crc(response, RFAL_PICOPASS_BLOCK_LEN); + response_length = RFAL_PICOPASS_BLOCK_LEN + 2; + break; + } + + return; + case RFAL_PICOPASS_CMD_READ4: // ADDRESS(1) CRC16(2) + if(nfcv_data->frame_length != 4 || ctx->state != PicopassEmulatorStateSelected || + nfcv_data->frame[1] + 4 >= PICOPASS_MAX_APP_LIMIT) { + return; + } + + // TODO: Check CRC? + // TODO: Check auth? + + uint8_t blockNum = nfcv_data->frame[1]; + + // DATA(32) CRC16(2) + picopass_emu_read_blocks(nfcv_data, response, blockNum, 4); + if(blockNum == 4) { + // Kc is block 4, so just redact first block of response + memcpy(response, block_ff, RFAL_PICOPASS_BLOCK_LEN); + } else if(blockNum < 4) { + // Kd is block 3 + uint8_t* kdOffset = response + ((3 - blockNum) * RFAL_PICOPASS_BLOCK_LEN); + memcpy(kdOffset, block_ff, RFAL_PICOPASS_BLOCK_LEN); + if(blockNum != 0) { + // Redact Kc + memcpy(kdOffset + RFAL_PICOPASS_BLOCK_LEN, block_ff, RFAL_PICOPASS_BLOCK_LEN); + } + } + picopass_append_crc(response, RFAL_PICOPASS_BLOCK_LEN * 4); + response_length = (RFAL_PICOPASS_BLOCK_LEN * 4) + 2; + break; + case RFAL_PICOPASS_CMD_SELECT: // ASNB(8)|SERIALNB(8) + if(nfcv_data->frame_length != 9) { + return; + } + + uint8_t select_csn[RFAL_PICOPASS_BLOCK_LEN]; + if(ctx->state == PicopassEmulatorStateHalt || ctx->state == PicopassEmulatorStateIdle) { + memcpy(select_csn, nfc_data->uid, RFAL_PICOPASS_BLOCK_LEN); + } else { + picopass_anticoll_csn(select_csn, nfc_data->uid); + } + + if(memcmp(nfcv_data->frame + 1, select_csn, RFAL_PICOPASS_BLOCK_LEN)) { + if(ctx->state == PicopassEmulatorStateActive) { + ctx->state = PicopassEmulatorStateIdle; + } else if(ctx->state == 
PicopassEmulatorStateSelected) { + // Technically we should go to StateHalt, but since we can't detect the field dropping we drop to idle instead + ctx->state = PicopassEmulatorStateIdle; + } + + return; + } + + ctx->state = PicopassEmulatorStateSelected; + + // SERIALNB(8) CRC16(2) + memcpy(response, nfc_data->uid, RFAL_PICOPASS_BLOCK_LEN); + picopass_append_crc(response, RFAL_PICOPASS_BLOCK_LEN); + + response_length = RFAL_PICOPASS_BLOCK_LEN + 2; + break; + case RFAL_PICOPASS_CMD_READCHECK_KC: // ADDRESS(1) + key_block_num = PICOPASS_SECURE_KC_BLOCK_INDEX; + // fallthrough + case RFAL_PICOPASS_CMD_READCHECK_KD: // ADDRESS(1) + if(nfcv_data->frame_length != 2 || + nfcv_data->frame[1] != PICOPASS_SECURE_EPURSE_BLOCK_INDEX || + ctx->state != PicopassEmulatorStateSelected) { + return; + } + + if(ctx->key_block_num != key_block_num && !ctx->loclass_mode) { + ctx->key_block_num = key_block_num; + picopass_init_cipher_state(nfcv_data, ctx); + } + + // DATA(8) + picopass_emu_read_blocks(nfcv_data, response, nfcv_data->frame[1], 1); + response_length = RFAL_PICOPASS_BLOCK_LEN; + break; + case RFAL_PICOPASS_CMD_CHECK: // CHALLENGE(4) READERSIGNATURE(4) + if(nfcv_data->frame_length != 9 || ctx->state != PicopassEmulatorStateSelected) { + return; + } + + if(ctx->loclass_mode) { + // LOCLASS Reader attack mode + + // Copy EPURSE + uint8_t cc[RFAL_PICOPASS_BLOCK_LEN]; + picopass_emu_read_blocks(nfcv_data, cc, PICOPASS_SECURE_EPURSE_BLOCK_INDEX, 1); + + // Check if the nonce is from a standard key + uint8_t key[RFAL_PICOPASS_BLOCK_LEN]; + loclass_iclass_calc_div_key(nfc_data->uid, picopass_iclass_key, key, false); + ctx->cipher_state = loclass_opt_doTagMAC_1(cc, key); + + uint8_t rmac[4]; + loclass_opt_doBothMAC_2(ctx->cipher_state, nfcv_data->frame + 1, rmac, response, key); + + if(!memcmp(nfcv_data->frame + 5, rmac, 4)) { + // MAC from reader matches Standard Key, keyroll mode or non-elite keyed reader. + // Either way no point logging it. 
+ + FURI_LOG_W(TAG, "loclass: standard key detected during collection"); + ctx->loclass_got_std_key = true; + + ctx->state = PicopassEmulatorStateIdle; + return; + } + + // Copy CHALLENGE (nr) and READERSIGNATURE (mac) from frame + uint8_t nr[4]; + memcpy(nr, nfcv_data->frame + 1, 4); + uint8_t mac[4]; + memcpy(mac, nfcv_data->frame + 5, 4); + + FURI_LOG_I(TAG, "loclass: got nr/mac pair"); + loclass_writer_write_params( + ctx->loclass_writer, ctx->key_block_num, nfc_data->uid, cc, nr, mac); + + // Rotate to the next CSN + ctx->key_block_num = (ctx->key_block_num + 1) % (LOCLASS_NUM_CSNS * 2); + loclass_update_csn(nfc_data, nfcv_data, ctx); + + ctx->state = PicopassEmulatorStateIdle; + + return; + } + + uint8_t key[RFAL_PICOPASS_BLOCK_LEN]; + picopass_emu_read_blocks(nfcv_data, key, ctx->key_block_num, 1); + + uint8_t rmac[4]; + loclass_opt_doBothMAC_2(ctx->cipher_state, nfcv_data->frame + 1, rmac, response, key); + + if(memcmp(nfcv_data->frame + 5, rmac, 4)) { + // Bad MAC from reader, do not send a response. 
+ FURI_LOG_I(TAG, "Got bad MAC from reader"); +#ifndef PICOPASS_DEBUG_IGNORE_BAD_RMAC + return; +#endif + } + + // CHIPRESPONSE(4) + response_length = 4; + break; + case RFAL_PICOPASS_CMD_UPDATE: // ADDRESS(1) DATA(8) SIGN(4)|CRC16(2) + if((nfcv_data->frame_length != 12 && nfcv_data->frame_length != 14) || + ctx->state != PicopassEmulatorStateSelected) { + return; + } + + if(nfcv_data->frame[1] >= PICOPASS_MAX_APP_LIMIT) { + return; + } + + uint8_t cfgBlock[RFAL_PICOPASS_BLOCK_LEN]; + picopass_emu_read_blocks(nfcv_data, cfgBlock, PICOPASS_CONFIG_BLOCK_INDEX, 1); + bool persMode = HAS_MASK(cfgBlock[7], PICOPASS_FUSE_PERS); + + if((nfcv_data->frame[1] == PICOPASS_CSN_BLOCK_INDEX) // CSN is always read only + || + (!persMode && + !HAS_MASK(cfgBlock[3], 0x80)) // Chip is in RO mode, no updated possible (even ePurse) + || (!persMode && + nfcv_data->frame[1] == + PICOPASS_SECURE_AIA_BLOCK_INDEX) // AIA can only be set in personalisation mode + || (!persMode && + (nfcv_data->frame[1] == PICOPASS_SECURE_KD_BLOCK_INDEX || + nfcv_data->frame[1] == PICOPASS_SECURE_KC_BLOCK_INDEX) && + (!HAS_MASK(cfgBlock[7], PICOPASS_FUSE_CRYPT10)))) { + return; // TODO: Is this the right response? + } + + if(nfcv_data->frame[1] >= 6 && nfcv_data->frame[1] <= 12) { + if(!HAS_MASK( + cfgBlock[3], + 1 << (nfcv_data->frame[1] - 6))) { // bit0 is block6, up to bit6 being block12 + // Block is marked as read-only, deny writing + return; // TODO: Is this the right response? 
+ } + } + + // TODO: Check CRC/SIGN depending on if in secure mode + // Check correct key + // -> Kd only allows decrementing e-Purse + // -> per-app controlled by key access config + //bool keyAccess = HAS_MASK(cfgBlock[5], 0x01); + // -> must auth with that key to change it + + uint8_t blockOffset = nfcv_data->frame[1]; + uint8_t block[RFAL_PICOPASS_BLOCK_LEN]; + switch(nfcv_data->frame[1]) { + case PICOPASS_CONFIG_BLOCK_INDEX: + block[0] = cfgBlock[0]; // Applications Limit + block[1] = cfgBlock[1] & nfcv_data->frame[3]; // OTP + block[2] = cfgBlock[2] & nfcv_data->frame[4]; // OTP + block[3] = cfgBlock[3] & nfcv_data->frame[5]; // Block Write Lock + block[4] = cfgBlock[4]; // Chip Config + block[5] = cfgBlock[5]; // Memory Config + block[6] = nfcv_data->frame[8]; // EAS + block[7] = cfgBlock[7]; // Fuses + + // Some parts allow w (but not e) if in persMode + if(persMode) { + block[0] &= nfcv_data->frame[2]; // Applications Limit + block[4] &= nfcv_data->frame[6]; // Chip Config + block[5] &= nfcv_data->frame[7]; // Memory Config + block[7] &= nfcv_data->frame[9]; // Fuses + } else { + // Fuses allows setting Crypt1/0 from 1 to 0 only during application mode + block[7] &= nfcv_data->frame[9] | ~PICOPASS_FUSE_CRYPT10; + } + break; + case PICOPASS_SECURE_EPURSE_BLOCK_INDEX: + // ePurse updates swap first and second half of the block each update + memcpy(block + 4, nfcv_data->frame + 2, 4); + memcpy(block, nfcv_data->frame + 6, 4); + break; + case PICOPASS_SECURE_KD_BLOCK_INDEX: + // fallthrough + case PICOPASS_SECURE_KC_BLOCK_INDEX: + if(!persMode) { + picopass_emu_read_blocks(nfcv_data, block, blockOffset, 1); + for(uint8_t i = 0; i < sizeof(RFAL_PICOPASS_BLOCK_LEN); i++) + block[i] ^= nfcv_data->frame[i + 2]; + break; + } + // Use default case when in personalisation mode + // fallthrough + default: + memcpy(block, nfcv_data->frame + 2, RFAL_PICOPASS_BLOCK_LEN); + break; + } + + picopass_emu_write_blocks(nfcv_data, block, blockOffset, 1); + + 
if((nfcv_data->frame[1] == ctx->key_block_num || + nfcv_data->frame[1] == PICOPASS_SECURE_EPURSE_BLOCK_INDEX) && + !ctx->loclass_mode) + picopass_init_cipher_state(nfcv_data, ctx); + + // DATA(8) CRC16(2) + if(nfcv_data->frame[1] == PICOPASS_SECURE_KD_BLOCK_INDEX || + nfcv_data->frame[1] == PICOPASS_SECURE_KD_BLOCK_INDEX) { + // Key updates always return FF's + memcpy(response, block_ff, RFAL_PICOPASS_BLOCK_LEN); + } else { + memcpy(response, block, RFAL_PICOPASS_BLOCK_LEN); + } + picopass_append_crc(response, RFAL_PICOPASS_BLOCK_LEN); + response_length = RFAL_PICOPASS_BLOCK_LEN + 2; + break; + case RFAL_PICOPASS_CMD_PAGESEL: // PAGE(1) CRC16(2) + // Chips with a single page do not answer to this command + // BLOCK1(8) CRC16(2) + return; + case RFAL_PICOPASS_CMD_DETECT: + // TODO - not used by iClass though + return; + default: + return; + } + + NfcVSendFlags flags = NfcVSendFlagsSof | NfcVSendFlagsOneSubcarrier | NfcVSendFlagsHighRate; + if(response_length > 0) { + flags |= NfcVSendFlagsEof; + } + + nfcv_emu_send( + tx_rx, + nfcv_data, + response, + response_length, + flags, + nfcv_data->eof_timestamp + NFCV_FDT_FC(4000)); // 3650 is ~254uS 4000 is ~283uS +} + +void picopass_worker_emulate(PicopassWorker* picopass_worker, bool loclass_mode) { + furi_hal_nfc_exit_sleep(); + + FuriHalNfcTxRxContext tx_rx = {}; + PicopassEmulatorCtx emu_ctx = { + .state = PicopassEmulatorStateIdle, + .key_block_num = PICOPASS_SECURE_KD_BLOCK_INDEX, + .loclass_mode = loclass_mode, + .loclass_got_std_key = false, + .loclass_writer = NULL, + }; + FuriHalNfcDevData nfc_data = { + .uid_len = RFAL_PICOPASS_UID_LEN, + }; + NfcVData* nfcv_data = malloc(sizeof(NfcVData)); + nfcv_data->block_size = RFAL_PICOPASS_BLOCK_LEN; + nfcv_data->emu_protocol_ctx = &emu_ctx; + nfcv_data->emu_protocol_handler = &picopass_emu_handle_packet; + + PicopassDeviceData* dev_data = picopass_worker->dev_data; + PicopassBlock* blocks = dev_data->AA1; + + if(loclass_mode) { + // Setup blocks for loclass attack + 
emu_ctx.key_block_num = 0; + loclass_update_csn(&nfc_data, nfcv_data, &emu_ctx); + + uint8_t conf[8] = {0x12, 0xFF, 0xFF, 0xFF, 0x7F, 0x1F, 0xFF, 0x3C}; + picopass_emu_write_blocks(nfcv_data, conf, PICOPASS_CONFIG_BLOCK_INDEX, 1); + + uint8_t epurse[8] = {0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; + picopass_emu_write_blocks(nfcv_data, epurse, PICOPASS_SECURE_EPURSE_BLOCK_INDEX, 1); + + uint8_t aia[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; + picopass_emu_write_blocks(nfcv_data, aia, PICOPASS_SECURE_AIA_BLOCK_INDEX, 1); + + emu_ctx.loclass_writer = loclass_writer_alloc(); + loclass_writer_write_start_stop(emu_ctx.loclass_writer, true); + } else { + memcpy(nfc_data.uid, blocks[PICOPASS_CSN_BLOCK_INDEX].data, RFAL_PICOPASS_BLOCK_LEN); + memcpy(nfcv_data->data, blocks, sizeof(dev_data->AA1)); + picopass_init_cipher_state(nfcv_data, &emu_ctx); + } + + uint8_t last_loclass_csn_num = 0; + bool loclass_got_std_key = false; + + nfcv_emu_init(&nfc_data, nfcv_data); + while(picopass_worker->state == PicopassWorkerStateEmulate || + picopass_worker->state == PicopassWorkerStateLoclass) { + if(nfcv_emu_loop(&tx_rx, &nfc_data, nfcv_data, 500)) { + if(picopass_worker->callback) { + if((loclass_mode) && (last_loclass_csn_num != emu_ctx.key_block_num)) { + last_loclass_csn_num = emu_ctx.key_block_num; + picopass_worker->callback( + PicopassWorkerEventLoclassGotMac, picopass_worker->context); + } else if((loclass_mode) && !loclass_got_std_key && emu_ctx.loclass_got_std_key) { + loclass_got_std_key = true; + picopass_worker->callback( + PicopassWorkerEventLoclassGotStandardKey, picopass_worker->context); + } else { + picopass_worker->callback( + PicopassWorkerEventSuccess, picopass_worker->context); + } + } + } + } + + if(emu_ctx.loclass_writer) { + loclass_writer_write_start_stop(emu_ctx.loclass_writer, false); + loclass_writer_free(emu_ctx.loclass_writer); + } + + nfcv_emu_deinit(nfcv_data); + free(nfcv_data); +} 
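Review bot: In `picopass_emu_handle_packet`, the UPDATE handler's Kd/Kc branch loops with `for(uint8_t i = 0; i < sizeof(RFAL_PICOPASS_BLOCK_LEN); i++)`, which takes sizeof of the integer literal 8 (sizeof(int), typically 4), so only the first four bytes of the stored key are XORed with the update and bytes 4–7 silently keep the old key; the bound should be `i < RFAL_PICOPASS_BLOCK_LEN`. Just after the write, the redaction test `nfcv_data->frame[1] == PICOPASS_SECURE_KD_BLOCK_INDEX || nfcv_data->frame[1] == PICOPASS_SECURE_KD_BLOCK_INDEX` names Kd twice, so an update of Kc answers with the freshly computed `block` — key material — instead of the FF's the comment promises; the second operand should be `PICOPASS_SECURE_KC_BLOCK_INDEX`. The READ, READ4 and UPDATE paths answer any reader in `PicopassEmulatorStateSelected` without a prior CHECK and, per the TODOs, without verifying SIGN/CRC, which is presumably weaker than the card being emulated; a header comment on the function stating that authentication and signature checks are not enforced would keep that explicit until the TODOs are resolved. In `picopass_worker_emulate`, `nfcv_data` comes from `malloc` and in loclass mode only the CSN, config, ePurse and AIA blocks are written, so unless the platform allocator zero-fills, a READ of any other block returns whatever was left in the heap; a `memset` of `nfcv_data->data` after allocation (or `calloc`) would close that.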
diff --git a/picopass_worker.h b/picopass_worker.h
index e9d37481b19..642e4c9620e 100644
--- a/picopass_worker.h
+++ b/picopass_worker.h
@@ -15,6 +15,8 @@ typedef enum {
 PicopassWorkerStateWrite,
 PicopassWorkerStateWriteKey,
 PicopassWorkerStateEliteDictAttack,
+ PicopassWorkerStateEmulate,
+ PicopassWorkerStateLoclass,
 // Transition
 PicopassWorkerStateStop,
 } PicopassWorkerState;
@@ -32,6 +34,8 @@ typedef enum {
 PicopassWorkerEventCardDetected,
 PicopassWorkerEventNewDictKeyBatch,
 PicopassWorkerEventNoDictFound,
+ PicopassWorkerEventLoclassGotMac,
+ PicopassWorkerEventLoclassGotStandardKey,
 } PicopassWorkerEvent;
 typedef void (*PicopassWorkerCallback)(PicopassWorkerEvent event, void* context);
diff --git a/picopass_worker_i.h b/picopass_worker_i.h
index f41cfce45d4..5e51b1cc6c9 100644
--- a/picopass_worker_i.h
+++ b/picopass_worker_i.h
@@ -1,6 +1,7 @@
 #pragma once
 #include "picopass_worker.h"
+#include "loclass_writer.h"
 #include "picopass_i.h"
 #include
@@ -32,3 +33,4 @@ int32_t picopass_worker_task(void* context);
 void picopass_worker_detect(PicopassWorker* picopass_worker);
 void picopass_worker_write(PicopassWorker* picopass_worker);
 void picopass_worker_write_key(PicopassWorker* picopass_worker);
+void picopass_worker_emulate(PicopassWorker* picopass_worker, bool loclass_mode);
diff --git a/rfal_picopass.c b/rfal_picopass.c
index ac66cb92d97..1d45a48dca7 100644
--- a/rfal_picopass.c
+++ b/rfal_picopass.c
@@ -29,8 +29,7 @@ static uint16_t rfalPicoPassUpdateCcitt(uint16_t crcSeed, uint8_t dataByte) {
 return crc;
 }
-static uint16_t
- rfalPicoPassCalculateCcitt(uint16_t preloadValue, const uint8_t* buf, uint16_t length) {
+uint16_t rfalPicoPassCalculateCcitt(uint16_t preloadValue, const uint8_t* buf, uint16_t length) {
 uint16_t crc = preloadValue;
 uint16_t index;
@@ -73,7 +72,7 @@ FuriHalNfcReturn rfalPicoPassPollerCheckPresence(void) {
 FuriHalNfcReturn rfalPicoPassPollerIdentify(rfalPicoPassIdentifyRes* idRes) {
 FuriHalNfcReturn ret;
- uint8_t txBuf[1] = {RFAL_PICOPASS_CMD_IDENTIFY};
+ uint8_t txBuf[1] = {RFAL_PICOPASS_CMD_READ_OR_IDENTIFY};
 uint16_t recvLen = 0;
 uint32_t flags = RFAL_PICOPASS_TXRX_FLAGS;
 uint32_t fwt = furi_hal_nfc_ll_ms2fc(20);
@@ -119,7 +118,7 @@ FuriHalNfcReturn rfalPicoPassPollerSelect(uint8_t* csn, rfalPicoPassSelectRes* s
 FuriHalNfcReturn rfalPicoPassPollerReadCheck(rfalPicoPassReadCheckRes* rcRes) {
 FuriHalNfcReturn ret;
- uint8_t txBuf[2] = {RFAL_PICOPASS_CMD_READCHECK, 0x02};
+ uint8_t txBuf[2] = {RFAL_PICOPASS_CMD_READCHECK_KD, 0x02};
 uint16_t recvLen = 0;
 uint32_t flags = RFAL_PICOPASS_TXRX_FLAGS;
 uint32_t fwt = furi_hal_nfc_ll_ms2fc(20);
@@ -171,7 +170,7 @@ FuriHalNfcReturn rfalPicoPassPollerCheck(uint8_t* mac, rfalPicoPassCheckRes* chk
 FuriHalNfcReturn rfalPicoPassPollerReadBlock(uint8_t blockNum, rfalPicoPassReadBlockRes* readRes) {
 FuriHalNfcReturn ret;
- uint8_t txBuf[4] = {RFAL_PICOPASS_CMD_READ, 0, 0, 0};
+ uint8_t txBuf[4] = {RFAL_PICOPASS_CMD_READ_OR_IDENTIFY, 0, 0, 0};
 txBuf[1] = blockNum;
 uint16_t crc = rfalPicoPassCalculateCcitt(0xE012, txBuf + 1, 1);
 memcpy(txBuf + 2, &crc, sizeof(uint16_t));
@@ -194,8 +193,8 @@ FuriHalNfcReturn rfalPicoPassPollerReadBlock(uint8_t blockNum, rfalPicoPassReadB
 FuriHalNfcReturn rfalPicoPassPollerWriteBlock(uint8_t blockNum, uint8_t data[8], uint8_t mac[4]) {
 FuriHalNfcReturn ret;
- uint8_t txBuf[14] = {RFAL_PICOPASS_CMD_WRITE, blockNum, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
- memcpy(txBuf + 2, data, RFAL_PICOPASS_MAX_BLOCK_LEN);
+ uint8_t txBuf[14] = {RFAL_PICOPASS_CMD_UPDATE, blockNum, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+ memcpy(txBuf + 2, data, RFAL_PICOPASS_BLOCK_LEN);
 memcpy(txBuf + 10, mac, 4);
 uint16_t recvLen = 0;
diff --git a/rfal_picopass.h b/rfal_picopass.h
index 6926b2a79d6..6265884d633 100644
--- a/rfal_picopass.h
+++ b/rfal_picopass.h
@@ -3,16 +3,41 @@
 #include
 #define RFAL_PICOPASS_UID_LEN 8
-#define RFAL_PICOPASS_MAX_BLOCK_LEN 8
+#define RFAL_PICOPASS_BLOCK_LEN 8
 enum {
+ // PicoPass command bytes:
+ // Low nibble used for command
+ // High nibble used for options and checksum (MSB)
+ // The only option we care about in 15693 mode is the key
+ // which is only used by READCHECK, so for simplicity we
+ // don't bother breaking down the command and flags into parts
+
+ // READ: ADDRESS(1) CRC16(2) -> DATA(8) CRC16(2)
+ // IDENTIFY: No args -> ASNB(8) CRC16(2)
+ RFAL_PICOPASS_CMD_READ_OR_IDENTIFY = 0x0C,
+ // ADDRESS(1) CRC16(2) -> DATA(32) CRC16(2)
+ RFAL_PICOPASS_CMD_READ4 = 0x06,
+ // ADDRESS(1) DATA(8) SIGN(4)|CRC16(2) -> DATA(8) CRC16(2)
+ RFAL_PICOPASS_CMD_UPDATE = 0x87,
+ // ADDRESS(1) -> DATA(8)
+ RFAL_PICOPASS_CMD_READCHECK_KD = 0x88,
+ // ADDRESS(1) -> DATA(8)
+ RFAL_PICOPASS_CMD_READCHECK_KC = 0x18,
+ // CHALLENGE(4) READERSIGNATURE(4) -> CHIPRESPONSE(4)
+ RFAL_PICOPASS_CMD_CHECK = 0x05,
+ // No args -> SOF
 RFAL_PICOPASS_CMD_ACTALL = 0x0A,
- RFAL_PICOPASS_CMD_IDENTIFY = 0x0C,
+ // No args -> SOF
+ RFAL_PICOPASS_CMD_ACT = 0x8E,
+ // ASNB(8)|SERIALNB(8) -> SERIALNB(8) CRC16(2)
 RFAL_PICOPASS_CMD_SELECT = 0x81,
- RFAL_PICOPASS_CMD_READCHECK = 0x88,
- RFAL_PICOPASS_CMD_CHECK = 0x05,
- RFAL_PICOPASS_CMD_READ = 0x0C,
- RFAL_PICOPASS_CMD_WRITE = 0x87,
+ // No args -> SERIALNB(8) CRC16(2)
+ RFAL_PICOPASS_CMD_DETECT = 0x0F,
+ // No args -> SOF
+ RFAL_PICOPASS_CMD_HALT = 0x00,
+ // PAGE(1) CRC16(2) -> BLOCK1(8) CRC16(2)
+ RFAL_PICOPASS_CMD_PAGESEL = 0x84,
 };
 typedef struct {
@@ -34,10 +59,12 @@ typedef struct {
 } rfalPicoPassCheckRes;
 typedef struct {
- uint8_t data[RFAL_PICOPASS_MAX_BLOCK_LEN];
+ uint8_t data[RFAL_PICOPASS_BLOCK_LEN];
 uint8_t crc[2];
 } rfalPicoPassReadBlockRes;
+uint16_t rfalPicoPassCalculateCcitt(uint16_t preloadValue, const uint8_t* buf, uint16_t length);
+
 FuriHalNfcReturn rfalPicoPassPollerInitialize(void);
 FuriHalNfcReturn rfalPicoPassPollerCheckPresence(void);
 FuriHalNfcReturn rfalPicoPassPollerIdentify(rfalPicoPassIdentifyRes* idRes);
diff --git a/scenes/picopass_scene_config.h b/scenes/picopass_scene_config.h
index 8ea97049856..3241c234411 100644
--- a/scenes/picopass_scene_config.h
+++ b/scenes/picopass_scene_config.h
@@ -11,7 +11,11 @@ ADD_SCENE(picopass, delete, Delete)
 ADD_SCENE(picopass, delete_success, DeleteSuccess)
 ADD_SCENE(picopass, write_card, WriteCard)
 ADD_SCENE(picopass, write_card_success, WriteCardSuccess)
+ADD_SCENE(picopass, write_card_failure, WriteCardFailure)
 ADD_SCENE(picopass, read_factory_success, ReadFactorySuccess)
 ADD_SCENE(picopass, write_key, WriteKey)
 ADD_SCENE(picopass, key_menu, KeyMenu)
 ADD_SCENE(picopass, elite_dict_attack, EliteDictAttack)
+ADD_SCENE(picopass, emulate, Emulate)
+ADD_SCENE(picopass, loclass, Loclass)
+ADD_SCENE(picopass, key_input, KeyInput)
diff --git a/scenes/picopass_scene_device_info.c b/scenes/picopass_scene_device_info.c
index bb149aa6b37..41d0bad817d 100644
--- a/scenes/picopass_scene_device_info.c
+++ b/scenes/picopass_scene_device_info.c
@@ -26,9 +26,9 @@ void picopass_scene_device_info_on_enter(void* context) {
 PicopassPacs* pacs = &picopass->dev->dev_data.pacs;
 Widget* widget = picopass->widget;
- uint8_t csn[PICOPASS_BLOCK_LEN] = {0};
- memcpy(csn, AA1[PICOPASS_CSN_BLOCK_INDEX].data, PICOPASS_BLOCK_LEN);
- for(uint8_t i = 0; i < PICOPASS_BLOCK_LEN; i++) {
+ uint8_t csn[RFAL_PICOPASS_BLOCK_LEN] = {0};
+ memcpy(csn, AA1[PICOPASS_CSN_BLOCK_INDEX].data, RFAL_PICOPASS_BLOCK_LEN);
+ for(uint8_t i = 0; i < RFAL_PICOPASS_BLOCK_LEN; i++) {
 furi_string_cat_printf(csn_str, "%02X ", csn[i]);
 }
@@ -42,7 +42,7 @@ void picopass_scene_device_info_on_enter(void* context) {
 bytesLength++;
 }
 furi_string_set(credential_str, "");
- for(uint8_t i = PICOPASS_BLOCK_LEN - bytesLength; i < PICOPASS_BLOCK_LEN; i++) {
+ for(uint8_t i = RFAL_PICOPASS_BLOCK_LEN - bytesLength; i < RFAL_PICOPASS_BLOCK_LEN; i++) {
 furi_string_cat_printf(credential_str, " %02X", pacs->credential[i]);
 }
diff --git a/scenes/picopass_scene_emulate.c b/scenes/picopass_scene_emulate.c
new file mode 100644
index 00000000000..4e0ed073b0f
--- /dev/null
+++ b/scenes/picopass_scene_emulate.c
@@ -0,0 +1,58 @@
+#include "../picopass_i.h"
+#include
+
+void picopass_emulate_worker_callback(PicopassWorkerEvent event, void* context) {
+ furi_assert(context);
+ Picopass* picopass = context;
+ view_dispatcher_send_custom_event(picopass->view_dispatcher, event);
+}
+
+void picopass_scene_emulate_on_enter(void* context) {
+ Picopass* picopass = context;
+ dolphin_deed(DolphinDeedNfcEmulate);
+
+ Widget* widget = picopass->widget;
+ widget_reset(widget);
+ widget_add_icon_element(widget, 0, 3, &I_RFIDDolphinSend_97x61);
+ widget_add_string_element(widget, 89, 32, AlignCenter, AlignTop, FontPrimary, "Emulating");
+ widget_add_string_element(widget, 89, 42, AlignCenter, AlignTop, FontPrimary, "PicoPass");
+
+ // Setup view
+ view_dispatcher_switch_to_view(picopass->view_dispatcher, PicopassViewWidget);
+
+ // Start worker
+ picopass_worker_start(
+ picopass->worker,
+ PicopassWorkerStateEmulate,
+ &picopass->dev->dev_data,
+ picopass_emulate_worker_callback,
+ picopass);
+
+ picopass_blink_emulate_start(picopass);
+}
+
+bool picopass_scene_emulate_on_event(void* context, SceneManagerEvent event) {
+ Picopass* picopass = context;
+ bool consumed = false;
+
+ if(event.type == SceneManagerEventTypeCustom) {
+ if(event.event == PicopassCustomEventWorkerExit) {
+ consumed = true;
+ }
+ } else if(event.type == SceneManagerEventTypeBack) {
+ consumed = scene_manager_previous_scene(picopass->scene_manager);
+ }
+ return consumed;
+}
+
+void picopass_scene_emulate_on_exit(void* context) {
+ Picopass* picopass = context;
+
+ picopass_blink_stop(picopass);
+
+ // Stop worker
+ picopass_worker_stop(picopass->worker);
+
+ // Clear view
+ widget_reset(picopass->widget);
+}
diff --git a/scenes/picopass_scene_key_input.c b/scenes/picopass_scene_key_input.c
new file mode 100644
index 00000000000..97db466531f
--- /dev/null
+++ b/scenes/picopass_scene_key_input.c
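Review bot: `picopass_emulate_worker_callback` forwards raw `PicopassWorkerEvent` values through `view_dispatcher_send_custom_event`, and `picopass_scene_emulate_on_event` then compares `event.event` with `PicopassCustomEventWorkerExit`, a member of a different enum. That only works if the two enums occupy disjoint numeric ranges, which this page does not show; a worker event whose value collides with a custom event would be consumed as that custom event. Either translate worker events into `PicopassCustomEvent` values in the callback, or document the assumption on it, e.g. `// PicopassWorkerEvent values are forwarded unchanged; they must not overlap PicopassCustomEvent`. The `PicopassWorkerEventSuccess` events the worker emits in emulate mode have no handler here and fall through to `consumed = false`; a one-line comment saying that is intentional would save the next reader a search.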
@@ -0,0 +1,48 @@
+#include "../picopass_i.h"
+#include
+#include
+#include
+
+void picopass_scene_key_input_text_input_callback(void* context) {
+ Picopass* picopass = context;
+
+ picopass->dev->dev_data.pacs.elite_kdf = true;
+ memcpy(picopass->dev->dev_data.pacs.key, picopass->byte_input_store, RFAL_PICOPASS_BLOCK_LEN);
+ view_dispatcher_send_custom_event(picopass->view_dispatcher, PicopassCustomEventByteInputDone);
+}
+
+void picopass_scene_key_input_on_enter(void* context) {
+ Picopass* picopass = context;
+
+ ByteInput* byte_input = picopass->byte_input;
+ byte_input_set_header_text(byte_input, "Enter The Key In Hex");
+ byte_input_set_result_callback(
+ byte_input,
+ picopass_scene_key_input_text_input_callback,
+ NULL,
+ picopass,
+ picopass->byte_input_store,
+ RFAL_PICOPASS_BLOCK_LEN);
+ view_dispatcher_switch_to_view(picopass->view_dispatcher, PicopassViewByteInput);
+}
+
+bool picopass_scene_key_input_on_event(void* context, SceneManagerEvent event) {
+ Picopass* picopass = context;
+ bool consumed = false;
+
+ if(event.type == SceneManagerEventTypeCustom) {
+ if(event.event == PicopassCustomEventByteInputDone) {
+ scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteKey);
+ consumed = true;
+ }
+ }
+ return consumed;
+}
+
+void picopass_scene_key_input_on_exit(void* context) {
+ Picopass* picopass = context;
+
+ // Clear view
+ byte_input_set_result_callback(picopass->byte_input, NULL, NULL, NULL, NULL, 0);
+ byte_input_set_header_text(picopass->byte_input, "");
+}
diff --git a/scenes/picopass_scene_key_menu.c b/scenes/picopass_scene_key_menu.c
index 15a32ff4418..21d8a526dea 100644
--- a/scenes/picopass_scene_key_menu.c
+++ b/scenes/picopass_scene_key_menu.c
@@ -6,7 +6,7 @@ enum SubmenuIndex {
 SubmenuIndexWriteiCE,
 SubmenuIndexWriteiCL,
 SubmenuIndexWriteiCS,
- SubmenuIndexWriteCustom, //TODO: user input of key
+ SubmenuIndexWriteCustom,
 };
 void picopass_scene_key_menu_submenu_callback(void* context, uint32_t index) {
@@ -43,6 +43,12 @@ void picopass_scene_key_menu_on_enter(void* context) {
 SubmenuIndexWriteiCS,
 picopass_scene_key_menu_submenu_callback,
 picopass);
+ submenu_add_item(
+ submenu,
+ "Write Elite",
+ SubmenuIndexWriteCustom,
+ picopass_scene_key_menu_submenu_callback,
+ picopass);
 submenu_set_selected_item(
 picopass->submenu,
@@ -59,31 +65,37 @@ bool picopass_scene_key_menu_on_event(void* context, SceneManagerEvent event) { if(event.event == SubmenuIndexWriteStandard) { scene_manager_set_scene_state( picopass->scene_manager, PicopassSceneKeyMenu, SubmenuIndexWriteStandard); - memcpy(picopass->dev->dev_data.pacs.key, picopass_iclass_key, PICOPASS_BLOCK_LEN); + memcpy(picopass->dev->dev_data.pacs.key, picopass_iclass_key, RFAL_PICOPASS_BLOCK_LEN); picopass->dev->dev_data.pacs.elite_kdf = false; scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteKey); consumed = true; } else if(event.event == SubmenuIndexWriteiCE) { scene_manager_set_scene_state( picopass->scene_manager, PicopassSceneKeyMenu, SubmenuIndexWriteiCE); - memcpy(picopass->dev->dev_data.pacs.key, picopass_xice_key, PICOPASS_BLOCK_LEN); + memcpy(picopass->dev->dev_data.pacs.key, picopass_xice_key, RFAL_PICOPASS_BLOCK_LEN); picopass->dev->dev_data.pacs.elite_kdf = true; scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteKey); consumed = true; } else if(event.event == SubmenuIndexWriteiCL) { scene_manager_set_scene_state( picopass->scene_manager, PicopassSceneKeyMenu, SubmenuIndexWriteiCL); - memcpy(picopass->dev->dev_data.pacs.key, picopass_xicl_key, PICOPASS_BLOCK_LEN); + memcpy(picopass->dev->dev_data.pacs.key, picopass_xicl_key, RFAL_PICOPASS_BLOCK_LEN); picopass->dev->dev_data.pacs.elite_kdf = false; scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteKey); consumed = true; } else if(event.event == SubmenuIndexWriteiCS) { scene_manager_set_scene_state( picopass->scene_manager, PicopassSceneKeyMenu, SubmenuIndexWriteiCS); - memcpy(picopass->dev->dev_data.pacs.key, picopass_xics_key, PICOPASS_BLOCK_LEN); + memcpy(picopass->dev->dev_data.pacs.key, picopass_xics_key, RFAL_PICOPASS_BLOCK_LEN); picopass->dev->dev_data.pacs.elite_kdf = false; scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteKey); consumed = true; + } else if(event.event == SubmenuIndexWriteCustom) { 
+ scene_manager_set_scene_state( + picopass->scene_manager, PicopassSceneKeyMenu, SubmenuIndexWriteCustom); + // Key and elite_kdf = true are both set in key_input scene + scene_manager_next_scene(picopass->scene_manager, PicopassSceneKeyInput); + consumed = true; } } else if(event.type == SceneManagerEventTypeBack) { consumed = scene_manager_search_and_switch_to_previous_scene( diff --git a/scenes/picopass_scene_loclass.c b/scenes/picopass_scene_loclass.c new file mode 100644 index 00000000000..01e24555733 --- /dev/null +++ b/scenes/picopass_scene_loclass.c 
@@ -0,0 +1,80 @@
+#include "../picopass_i.h"
+#include
+
+void picopass_loclass_worker_callback(PicopassWorkerEvent event, void* context) {
+ furi_assert(context);
+ Picopass* picopass = context;
+ view_dispatcher_send_custom_event(picopass->view_dispatcher, event);
+}
+
+void picopass_loclass_result_callback(void* context) {
+ furi_assert(context);
+ Picopass* picopass = context;
+ view_dispatcher_send_custom_event(picopass->view_dispatcher, PicopassCustomEventViewExit);
+}
+
+void picopass_scene_loclass_on_enter(void* context) {
+ Picopass* picopass = context;
+ dolphin_deed(DolphinDeedNfcEmulate);
+
+ scene_manager_set_scene_state(picopass->scene_manager, PicopassSceneLoclass, 0);
+
+ loclass_set_callback(picopass->loclass, picopass_loclass_result_callback, picopass);
+
+ // Start worker
+ picopass_worker_start(
+ picopass->worker,
+ PicopassWorkerStateLoclass,
+ &picopass->dev->dev_data,
+ picopass_loclass_worker_callback,
+ picopass);
+
+ picopass_blink_emulate_start(picopass);
+
+ loclass_set_header(picopass->loclass, "Loclass");
+
+ view_dispatcher_switch_to_view(picopass->view_dispatcher, PicopassViewLoclass);
+}
+
+bool picopass_scene_loclass_on_event(void* context, SceneManagerEvent event) {
+ Picopass* picopass = context;
+ bool consumed = false;
+
+ uint32_t loclass_macs_collected =
+ scene_manager_get_scene_state(picopass->scene_manager, PicopassSceneLoclass);
+
+ if(event.type == SceneManagerEventTypeCustom) {
+ if(event.event == PicopassWorkerEventLoclassGotMac) {
+ loclass_macs_collected++;
+ scene_manager_set_scene_state(
+ picopass->scene_manager, PicopassSceneLoclass, loclass_macs_collected);
+ loclass_set_num_macs(picopass->loclass, loclass_macs_collected);
+ if(loclass_macs_collected >= LOCLASS_MACS_TO_COLLECT) {
+ scene_manager_previous_scene(picopass->scene_manager);
+ }
+ consumed = true;
+ } else if(event.event == PicopassWorkerEventLoclassGotStandardKey) {
+ loclass_set_header(picopass->loclass, "Loclass (Got Std Key)");
+ consumed = true;
+ } else if(event.event == PicopassCustomEventViewExit) {
+ consumed = scene_manager_previous_scene(picopass->scene_manager);
+ }
+ } else if(event.type == SceneManagerEventTypeBack) {
+ consumed = scene_manager_previous_scene(picopass->scene_manager);
+ }
+ return consumed;
+}
+
+void picopass_scene_loclass_on_exit(void* context) {
+ Picopass* picopass = context;
+
+ picopass_blink_stop(picopass);
+
+ // Stop worker
+ picopass_worker_stop(picopass->worker);
+
+ loclass_reset(picopass->loclass);
+
+ // Clear view
+ widget_reset(picopass->widget);
+}
diff --git a/scenes/picopass_scene_read_card.c b/scenes/picopass_scene_read_card.c
index c1cc7249c42..fabce52b66a 100644
--- a/scenes/picopass_scene_read_card.c
+++ b/scenes/picopass_scene_read_card.c
@@ -38,7 +38,7 @@ bool picopass_scene_read_card_on_event(void* context, SceneManagerEvent event) {
 if(memcmp(
 picopass->dev->dev_data.pacs.key,
 picopass_factory_debit_key,
- PICOPASS_BLOCK_LEN) == 0) {
+ RFAL_PICOPASS_BLOCK_LEN) == 0) {
 scene_manager_next_scene(picopass->scene_manager, PicopassSceneReadFactorySuccess);
 } else {
 scene_manager_next_scene(picopass->scene_manager, PicopassSceneReadCardSuccess);
diff --git a/scenes/picopass_scene_read_card_success.c b/scenes/picopass_scene_read_card_success.c
index ffe7195b792..2f80cd7b9a0 100644
--- a/scenes/picopass_scene_read_card_success.c
+++ b/scenes/picopass_scene_read_card_success.c
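Review bot: `picopass_scene_loclass_on_exit` resets `picopass->widget` under the comment `// Clear view`, but this scene switches to `PicopassViewLoclass` and never touches the widget, so the call reads like a leftover from a widget-based scene; `loclass_reset(picopass->loclass)` two lines above already clears the view this scene uses, so I would drop the `widget_reset` line (or reword the comment if the widget is shared state that must be cleared here for another reason). Separately, `picopass_scene_loclass_on_event` compares `event.event` against values from two different enums — `PicopassWorkerEventLoclassGotMac`/`PicopassWorkerEventLoclassGotStandardKey`, forwarded raw by `picopass_loclass_worker_callback`, and `PicopassCustomEventViewExit` — so the dispatch is only correct if those enums are guaranteed not to share numeric values; if they can overlap, a worker event could be taken for the exit request. The same raw forwarding is introduced in `picopass_write_card_worker_callback` in scenes/picopass_scene_write_card.c, whose handler compares the same values with `PicopassWorkerEventFail`/`PicopassWorkerEventSuccess`. A one-line comment at the forwarding callback stating the assumption, e.g. `// PicopassWorkerEvent values must not overlap PicopassCustomEvent values: both arrive on the same custom-event channel`, would make the contract explicit.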
@@ -31,15 +31,15 @@ void picopass_scene_read_card_success_on_enter(void* context) {
 PicopassPacs* pacs = &picopass->dev->dev_data.pacs;
 Widget* widget = picopass->widget;
- uint8_t csn[PICOPASS_BLOCK_LEN] = {0};
- memcpy(csn, AA1[PICOPASS_CSN_BLOCK_INDEX].data, PICOPASS_BLOCK_LEN);
- for(uint8_t i = 0; i < PICOPASS_BLOCK_LEN; i++) {
+ uint8_t csn[RFAL_PICOPASS_BLOCK_LEN] = {0};
+ memcpy(csn, AA1[PICOPASS_CSN_BLOCK_INDEX].data, RFAL_PICOPASS_BLOCK_LEN);
+ for(uint8_t i = 0; i < RFAL_PICOPASS_BLOCK_LEN; i++) {
 furi_string_cat_printf(csn_str, "%02X", csn[i]);
 }
- bool no_key = picopass_is_memset(pacs->key, 0x00, PICOPASS_BLOCK_LEN);
- bool empty =
- picopass_is_memset(AA1[PICOPASS_PACS_CFG_BLOCK_INDEX].data, 0xFF, PICOPASS_BLOCK_LEN);
+ bool no_key = picopass_is_memset(pacs->key, 0x00, RFAL_PICOPASS_BLOCK_LEN);
+ bool empty = picopass_is_memset(
+ AA1[PICOPASS_ICLASS_PACS_CFG_BLOCK_INDEX].data, 0xFF, RFAL_PICOPASS_BLOCK_LEN);
 if(no_key) {
 furi_string_cat_printf(wiegand_str, "Read Failed");
@@ -78,7 +78,7 @@ void picopass_scene_read_card_success_on_enter(void* context) {
 } else {
 size_t bytesLength = 1 + pacs->record.bitLength / 8;
 furi_string_set(credential_str, "");
- for(uint8_t i = PICOPASS_BLOCK_LEN - bytesLength; i < PICOPASS_BLOCK_LEN; i++) {
+ for(uint8_t i = RFAL_PICOPASS_BLOCK_LEN - bytesLength; i < RFAL_PICOPASS_BLOCK_LEN; i++) {
 furi_string_cat_printf(credential_str, " %02X", pacs->credential[i]);
 }
@@ -99,9 +99,9 @@ void picopass_scene_read_card_success_on_enter(void* context) {
 }
 furi_string_cat_printf(sio_str, "Key: ");
- uint8_t key[PICOPASS_BLOCK_LEN];
- memcpy(key, &pacs->key, PICOPASS_BLOCK_LEN);
- for(uint8_t i = 0; i < PICOPASS_BLOCK_LEN; i++) {
+ uint8_t key[RFAL_PICOPASS_BLOCK_LEN];
+ memcpy(key, &pacs->key, RFAL_PICOPASS_BLOCK_LEN);
+ for(uint8_t i = 0; i < RFAL_PICOPASS_BLOCK_LEN; i++) {
 furi_string_cat_printf(sio_str, "%02X", key[i]);
 }
 }
diff --git a/scenes/picopass_scene_read_factory_success.c b/scenes/picopass_scene_read_factory_success.c
index f5fcd10fda1..2ee6b253a65 100644
--- a/scenes/picopass_scene_read_factory_success.c
+++ b/scenes/picopass_scene_read_factory_success.c
@@ -64,7 +64,7 @@ bool picopass_scene_read_factory_success_on_event(void* context, SceneManagerEve
 if(event.event == GuiButtonTypeLeft) {
 consumed = scene_manager_previous_scene(picopass->scene_manager);
 } else if(event.event == GuiButtonTypeCenter) {
- memcpy(picopass->dev->dev_data.pacs.key, picopass_iclass_key, PICOPASS_BLOCK_LEN);
+ memcpy(picopass->dev->dev_data.pacs.key, picopass_iclass_key, RFAL_PICOPASS_BLOCK_LEN);
 scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteKey);
 consumed = true;
 }
diff --git a/scenes/picopass_scene_saved_menu.c b/scenes/picopass_scene_saved_menu.c
index 90a27ee8167..401f43f9b28 100644
--- a/scenes/picopass_scene_saved_menu.c
+++ b/scenes/picopass_scene_saved_menu.c
@@ -4,6 +4,7 @@ enum SubmenuIndex {
 SubmenuIndexDelete,
 SubmenuIndexInfo,
 SubmenuIndexWrite,
+ SubmenuIndexEmulate,
 };
 void picopass_scene_saved_menu_submenu_callback(void* context, uint32_t index) {
@@ -26,6 +27,12 @@ void picopass_scene_saved_menu_on_enter(void* context) {
 submenu, "Info", SubmenuIndexInfo, picopass_scene_saved_menu_submenu_callback, picopass);
 submenu_add_item(
 submenu, "Write", SubmenuIndexWrite, picopass_scene_saved_menu_submenu_callback, picopass);
+ submenu_add_item(
+ submenu,
+ "Emulate",
+ SubmenuIndexEmulate,
+ picopass_scene_saved_menu_submenu_callback,
+ picopass);
 submenu_set_selected_item( + picopass->submenu,
@@ -51,6 +58,9 @@ bool picopass_scene_saved_menu_on_event(void* context, SceneManagerEvent event)
 } else if(event.event == SubmenuIndexWrite) {
 scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteCard);
 consumed = true;
+ } else if(event.event == SubmenuIndexEmulate) {
+ scene_manager_next_scene(picopass->scene_manager, PicopassSceneEmulate);
+ consumed = true;
 }
 }
diff --git a/scenes/picopass_scene_start.c b/scenes/picopass_scene_start.c
index 8f7b627aaf3..d6b394b3f59 100644
--- a/scenes/picopass_scene_start.c
+++ b/scenes/picopass_scene_start.c
@@ -3,6 +3,7 @@ enum SubmenuIndex {
 SubmenuIndexRead,
 SubmenuIndexEliteDictAttack,
 SubmenuIndexSaved,
+ SubmenuIndexLoclass,
 };
 void picopass_scene_start_submenu_callback(void* context, uint32_t index) {
@@ -24,6 +25,9 @@ void picopass_scene_start_on_enter(void* context) {
 submenu_add_item(
 submenu, "Saved", SubmenuIndexSaved, picopass_scene_start_submenu_callback, picopass);
+ submenu_add_item(
+ submenu, "Loclass", SubmenuIndexLoclass, picopass_scene_start_submenu_callback, picopass);
+
 submenu_set_selected_item(
 submenu, scene_manager_get_scene_state(picopass->scene_manager, PicopassSceneStart));
 picopass_device_clear(picopass->dev);
@@ -52,6 +56,11 @@ bool picopass_scene_start_on_event(void* context, SceneManagerEvent event) {
 picopass->scene_manager, PicopassSceneStart, SubmenuIndexEliteDictAttack);
 scene_manager_next_scene(picopass->scene_manager, PicopassSceneEliteDictAttack);
 consumed = true;
+ } else if(event.event == SubmenuIndexLoclass) {
+ scene_manager_set_scene_state(
+ picopass->scene_manager, PicopassSceneStart, PicopassSceneLoclass);
+ scene_manager_next_scene(picopass->scene_manager, PicopassSceneLoclass);
+ consumed = true;
 }
 }
diff --git a/scenes/picopass_scene_write_card.c b/scenes/picopass_scene_write_card.c
index ce396fc10e1..3c6eae296b9 100644
--- a/scenes/picopass_scene_write_card.c
+++ b/scenes/picopass_scene_write_card.c
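Review bot: The new `SubmenuIndexLoclass` branch in `picopass_scene_start_on_event` stores `PicopassSceneLoclass` (a scene id) as the scene state, whereas the sibling `SubmenuIndexEliteDictAttack` branch directly above stores its submenu index, and `picopass_scene_start_on_enter` feeds that state straight into `submenu_set_selected_item`. Unless the scene id happens to equal the menu index, returning to the start menu will highlight the wrong item or an out-of-range one. The line should read `picopass->scene_manager, PicopassSceneStart, SubmenuIndexLoclass);`.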
@@ -4,7 +4,7 @@
 void picopass_write_card_worker_callback(PicopassWorkerEvent event, void* context) {
 UNUSED(event);
 Picopass* picopass = context;
- view_dispatcher_send_custom_event(picopass->view_dispatcher, PicopassCustomEventWorkerExit);
+ view_dispatcher_send_custom_event(picopass->view_dispatcher, event);
 }
 void picopass_scene_write_card_on_enter(void* context) {
@@ -33,7 +33,10 @@ bool picopass_scene_write_card_on_event(void* context, SceneManagerEvent event)
 bool consumed = false;
 if(event.type == SceneManagerEventTypeCustom) {
- if(event.event == PicopassCustomEventWorkerExit) {
+ if(event.event == PicopassWorkerEventFail) {
+ scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteCardFailure);
+ consumed = true;
+ } else if(event.event == PicopassWorkerEventSuccess) {
 scene_manager_next_scene(picopass->scene_manager, PicopassSceneWriteCardSuccess);
 consumed = true;
 }
diff --git a/scenes/picopass_scene_write_card_failure.c b/scenes/picopass_scene_write_card_failure.c
new file mode 100644
index 00000000000..4aae21996fa
--- /dev/null
+++ b/scenes/picopass_scene_write_card_failure.c
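Review bot: `UNUSED(event);` in `picopass_write_card_worker_callback` is now stale: the commit changes the call two lines below to forward `event` to `view_dispatcher_send_custom_event`, so the parameter is used and the macro only misleads the reader; drop the `UNUSED(event);` line. In the second hunk, a worker event that is neither `PicopassWorkerEventFail` nor `PicopassWorkerEventSuccess` is now left unconsumed instead of ending the scene the way `PicopassCustomEventWorkerExit` did; if the worker can emit other events on this path, a comment such as `// Other worker events are ignored here; only Fail/Success end the write` would record that this is intended.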
@@ -0,0 +1,65 @@
+#include "../picopass_i.h"
+#include
+
+void picopass_scene_write_card_failure_widget_callback(
+ GuiButtonType result,
+ InputType type,
+ void* context) {
+ furi_assert(context);
+ Picopass* picopass = context;
+
+ if(type == InputTypeShort) {
+ view_dispatcher_send_custom_event(picopass->view_dispatcher, result);
+ }
+}
+
+void picopass_scene_write_card_failure_on_enter(void* context) {
+ Picopass* picopass = context;
+ Widget* widget = picopass->widget;
+ FuriString* str = furi_string_alloc_set("Write Failure!");
+
+ widget_add_button_element(
+ widget,
+ GuiButtonTypeLeft,
+ "Retry",
+ picopass_scene_write_card_failure_widget_callback,
+ picopass);
+
+ widget_add_button_element(
+ widget,
+ GuiButtonTypeRight,
+ "Menu",
+ picopass_scene_write_card_failure_widget_callback,
+ picopass);
+
+ widget_add_string_element(
+ widget, 64, 5, AlignCenter, AlignCenter, FontSecondary, furi_string_get_cstr(str));
+
+ furi_string_free(str);
+
+ view_dispatcher_switch_to_view(picopass->view_dispatcher, PicopassViewWidget);
+}
+
+bool picopass_scene_write_card_failure_on_event(void* context, SceneManagerEvent event) {
+ Picopass* picopass = context;
+ bool consumed = false;
+
+ if(event.type == SceneManagerEventTypeCustom) {
+ if(event.event == GuiButtonTypeLeft) {
+ consumed = scene_manager_previous_scene(picopass->scene_manager);
+ } else if(event.event == GuiButtonTypeRight) {
+ // Clear device name
+ picopass_device_set_name(picopass->dev, "");
+ consumed = scene_manager_search_and_switch_to_previous_scene(
+ picopass->scene_manager, PicopassSceneStart);
+ }
+ }
+ return consumed;
+}
+
+void picopass_scene_write_card_failure_on_exit(void* context) {
+ Picopass* picopass = context;
+
+ // Clear view
+ widget_reset(picopass->widget);
+}
diff --git a/scenes/picopass_scene_write_card_success.c b/scenes/picopass_scene_write_card_success.c
index cd760272fe9..52b403cfef9 100644
--- a/scenes/picopass_scene_write_card_success.c
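Review bot: In `picopass_scene_write_card_failure_on_enter` the `FuriString* str` built with `furi_string_alloc_set("Write Failure!")` exists only to be passed through `furi_string_get_cstr` and freed immediately afterwards; passing the literal directly, `widget_add_string_element(widget, 64, 5, AlignCenter, AlignCenter, FontSecondary, "Write Failure!");`, removes a heap allocation and the `furi_string_free(str);` line. As written the code is also only correct if `widget_add_string_element` copies the text rather than retaining the pointer, since `str` is freed before the view is shown; the literal form sidesteps that question entirely.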
+++ b/scenes/picopass_scene_write_card_success.c
@@ -55,8 +55,8 @@ bool picopass_scene_write_card_success_on_event(void* context, SceneManagerEvent
 } else if(event.event == GuiButtonTypeRight) {
 // Clear device name
 picopass_device_set_name(picopass->dev, "");
- scene_manager_next_scene(picopass->scene_manager, PicopassSceneCardMenu);
- consumed = true;
+ consumed = scene_manager_search_and_switch_to_previous_scene(
+ picopass->scene_manager, PicopassSceneStart);
 }
 }
 return consumed;
diff --git a/views/loclass.c b/views/loclass.c
new file mode 100644
index 00000000000..4158019a83a
--- /dev/null
+++ b/views/loclass.c
@@ -0,0 +1,106 @@
+#include "loclass.h"
+#include "../picopass_worker_i.h"
+
+#include
+
+struct Loclass {
+ View* view;
+ LoclassCallback callback;
+ void* context;
+};
+
+typedef struct {
+ FuriString* header;
+ uint8_t num_macs;
+} LoclassViewModel;
+
+static void loclass_draw_callback(Canvas* canvas, void* model) {
+ LoclassViewModel* m = model;
+
+ char draw_str[32] = {};
+ canvas_set_font(canvas, FontSecondary);
+ canvas_draw_str_aligned(canvas, 64, 0, AlignCenter, AlignTop, furi_string_get_cstr(m->header));
+
+ float progress = m->num_macs == 0 ? 0 :
+ (float)(m->num_macs) / (float)(LOCLASS_MACS_TO_COLLECT);
+
+ if(progress > 1.0) {
+ progress = 1.0;
+ }
+
+ snprintf(draw_str, sizeof(draw_str), "%d/%d", m->num_macs, LOCLASS_MACS_TO_COLLECT);
+
+ elements_progress_bar_with_text(canvas, 0, 20, 128, progress, draw_str);
+
+ elements_button_center(canvas, "Skip");
+}
+
+static bool loclass_input_callback(InputEvent* event, void* context) {
+ Loclass* loclass = context;
+ bool consumed = false;
+ if(event->type == InputTypeShort && event->key == InputKeyOk) {
+ if(loclass->callback) {
+ loclass->callback(loclass->context);
+ }
+ consumed = true;
+ }
+ return consumed;
+}
+
+Loclass* loclass_alloc() {
+ Loclass* loclass = malloc(sizeof(Loclass));
+ loclass->view = view_alloc();
+ view_allocate_model(loclass->view, ViewModelTypeLocking, sizeof(LoclassViewModel));
+ view_set_draw_callback(loclass->view, loclass_draw_callback);
+ view_set_input_callback(loclass->view, loclass_input_callback);
+ view_set_context(loclass->view, loclass);
+ with_view_model(
+ loclass->view, LoclassViewModel * model, { model->header = furi_string_alloc(); }, false);
+ return loclass;
+}
+
+void loclass_free(Loclass* loclass) {
+ furi_assert(loclass);
+ with_view_model(
+ loclass->view, LoclassViewModel * model, { furi_string_free(model->header); }, false);
+ view_free(loclass->view);
+ free(loclass);
+}
+
+void loclass_reset(Loclass* loclass) {
+ furi_assert(loclass);
+ with_view_model(
+ loclass->view,
+ LoclassViewModel * model,
+ {
+ model->num_macs = 0;
+ furi_string_reset(model->header);
+ },
+ false);
+}
+
+View* loclass_get_view(Loclass* loclass) {
+ furi_assert(loclass);
+ return loclass->view;
+}
+
+void loclass_set_callback(Loclass* loclass, LoclassCallback callback, void* context) {
+ furi_assert(loclass);
+ furi_assert(callback);
+ loclass->callback = callback;
+ loclass->context = context;
+}
+
+void loclass_set_header(Loclass* loclass, const char* header) {
+ furi_assert(loclass);
+ furi_assert(header);
+
+ with_view_model(
+ loclass->view, LoclassViewModel * model, { furi_string_set(model->header, header); }, true);
+}
+
+void loclass_set_num_macs(Loclass* loclass, uint16_t num_macs) {
+ furi_assert(loclass);
+ with_view_model(
+ loclass->view, LoclassViewModel * model, { model->num_macs = num_macs; }, true);
+}
diff --git a/views/loclass.h b/views/loclass.h
new file mode 100644
index 00000000000..0e39b6083b0
--- /dev/null
+++ b/views/loclass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include
+#include
+#include
+
+typedef struct Loclass Loclass;
+
+typedef void (*LoclassCallback)(void* context);
+
+Loclass* loclass_alloc();
+
+void loclass_free(Loclass* loclass);
+
+void loclass_reset(Loclass* loclass);
+
+View* loclass_get_view(Loclass* loclass);
+
+void loclass_set_callback(Loclass* loclass, LoclassCallback callback, void* context);
+
+void loclass_set_header(Loclass* loclass, const char* header);
+
+void loclass_set_num_macs(Loclass* loclass, uint16_t num_macs);
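Review bot: `loclass_set_num_macs` accepts `uint16_t num_macs` but the model field it assigns, `LoclassViewModel.num_macs`, is declared `uint8_t`, so any count above 255 is silently truncated and the progress bar and the `"%d/%d"` text would wrap back to a low value; the caller in scenes/picopass_scene_loclass.c passes a `uint32_t` counter. Either widen the field to `uint16_t` to match the setter, or clamp in the setter with `model->num_macs = num_macs > UINT8_MAX ? UINT8_MAX : num_macs;`. Whether the truncation is reachable depends on `LOCLASS_MACS_TO_COLLECT`, which is not visible here, but the draw callback's clamp of `progress` to 1.0 suggests counts beyond the target are anticipated.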
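Review bot: `Loclass* loclass_alloc();` in views/loclass.h declares a function with an unspecified parameter list rather than one taking no arguments (in C, `()` in a prototype is not equivalent to `(void)`), so a call with stray arguments compiles without a diagnostic. Declare it as `Loclass* loclass_alloc(void);` and change the definition in views/loclass.c, which uses the same `()` form, to match.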