crewID/libfreefare
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
libfreefare/libfreefare/mifare_classic.c

735 lines
21 KiB
C
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*-
* Copyright (C) 2009, 2010, Romain Tartiere, Romuald Conty.
*
* This program is free software: you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published by the
* Free Software Foundation, either version 3 of the License, or (at your
* option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
* $Id$
*/
/*
* This implementation was written based on information provided by the
* following documents:
*
* MF1ICS50 Functional specification
* Rev. 5.3 — 29 January 2008
*
* Making the Best of Mifare Classic
* Wouter Teepe (Radboud University Nijmegen)
* October 6, 2008
*/
#include "config.h"
#if defined(HAVE_SYS_ENDIAN_H)
# include <sys/endian.h>
#endif
#if defined(HAVE_ENDIAN_H)
# define _BSD_SOURCE
# include <endian.h>
#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <nfc/nfc.h>
#include <freefare.h>
#include "freefare_internal.h"
union mifare_classic_block {
unsigned char data[16];
struct {
uint32_t value;
uint32_t value_;
uint32_t value__;
MifareClassicBlockNumber address;
MifareClassicBlockNumber address_;
MifareClassicBlockNumber address__;
MifareClassicBlockNumber address___;
} value;
struct {
MifareClassicKey key_a;
uint8_t access_bits[3];
uint8_t gpb;
MifareClassicKey key_b;
} trailer;
};
typedef unsigned char MifareClassicAccessBits;
unsigned char mifare_data_access_permissions[] = {
/*
* [ Key A ] [ Key B ]
* | |
* ,----------- r(ead) |
* |,---------- w(rite) |
* ||,--------- d(ecrement) |
* |||,-------- i(ncrement) |
* |||| |
* |||| ,------------------------ r
* ,----- C3 |||| |,----------------------- w
* |,---- C2 |||| ||,---------------------- d
* ||,--- C1 |||| |||,--------------------- i
* ||| |||| ||||
* 0b000 0b 1111 1111 */ 0xff, /* Default (blank card) */
/* 0b001 0b 1000 1100 */ 0x8c,
/* 0b010 0b 1000 1000 */ 0x88,
/* 0b011 0b 1010 1111 */ 0xaf,
/* 0b100 0b 1010 1010 */ 0xaa,
/* 0b101 0b 0000 1000 */ 0x08,
/* 0b110 0b 0000 1100 */ 0x0c,
/* 0b111 0b 0000 0000 */ 0x00
};
uint16_t mifare_trailer_access_permissions[] = {
/*
* [ Key A ] [ Access bits ] [ Key B ]
* | | |
* ,----------- read A | |
* |,---------- read B | |
* ||,--------- write A | |
* |||,-------- write B | |
* |||| | |
* |||| ,----------------------- read A |
* |||| |,---------------------- read B |
* |||| ||,--------------------- write A |
* |||| |||,-------------------- write B |
* |||| |||| |
* |||| |||| ,----------------------------------- read A
* ,----- C3 |||| |||| |,---------------------------------- read B
* |,---- C2 |||| |||| ||,--------------------------------- write A
* ||,--- C1 |||| |||| |||,-------------------------------- write B
* ||| |||| |||| ||||
* 0b000 0b 0010 1000 1010*/ 0x28a,
/* 0b001 0b 0001 1100 0000*/ 0x1c0,
/* 0b010 0b 0000 1000 1000*/ 0x088,
/* 0b011 0b 0000 1100 0000*/ 0x0c0,
/* 0b100 0b 0010 1010 1010*/ 0x2aa, /* Default (blank card) */
/* 0b101 0b 0000 1101 0000*/ 0x0d0,
/* 0b110 0b 0001 1101 0001*/ 0x1d1,
/* 0b111 0b 0000 1100 0000*/ 0x0c0
};
/*
* Private functions
*/
int get_block_access_bits_shift (MifareClassicBlockNumber block, MifareClassicBlockNumber trailer);
int get_block_access_bits (MifareTag tag, const MifareClassicBlockNumber block, MifareClassicAccessBits *block_access_bits);
/*
* Memory management functions.
*/
/*
* Allocates and initialize a MIFARE Classic tag.
*/
MifareTag
mifare_classic_tag_new (void)
{
return malloc (sizeof (struct mifare_classic_tag));
}
/*
* Free the provided tag.
*/
void
mifare_classic_tag_free (MifareTag tag)
{
free (tag);
}
/*
* MIFARE card communication preparation functions
*
* The following functions send NFC commands to the initiator to prepare
* communication with a MIFARE card, and perform required cleanups after using
* the target.
*/
/*
* Establish connection to the provided tag.
*/
int
mifare_classic_connect (MifareTag tag)
{
ASSERT_INACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
nfc_target_info_t pnti;
if (nfc_initiator_select_tag (tag->device, NM_ISO14443A_106, tag->info.abtUid, 4, &pnti)) {
tag->active = 1;
} else {
errno = EIO;
return -1;
}
return 0;
}
/*
* Terminate connection with the provided tag.
*/
int
mifare_classic_disconnect (MifareTag tag)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
if (nfc_initiator_deselect_tag (tag->device)) {
tag->active = 0;
} else {
errno = EIO;
return -1;
}
return 0;
}
/*
* Card manipulation functions
*
* The following functions perform direct communication with the connected
* MIFARE card.
*/
/*
* Send an authentification command to the provided MIFARE target.
*/
int
mifare_classic_authenticate (MifareTag tag, const MifareClassicBlockNumber block, const MifareClassicKey key, const MifareClassicKeyType key_type)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
unsigned char command[12];
command[0] = (key_type == MFC_KEY_A) ? MC_AUTH_A : MC_AUTH_B;
command[1] = block;
memcpy (&(command[2]), key, 6);
memcpy (&(command[8]), tag->info.abtUid, 4);
// Send command
size_t n;
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), NULL, &n))) {
tag->active = false; /* Tag is no more active if authentication failed. */
errno = EIO;
return -1;
}
MIFARE_CLASSIC(tag)->cached_access_bits.sector_trailer_block_number = -1;
MIFARE_CLASSIC(tag)->cached_access_bits.sector_access_bits = 0x00;
MIFARE_CLASSIC(tag)->last_authentication_key_type = key_type;
// No result. The MIFARE tag just ACKed.
return 0;
}
/*
* Read data from the provided MIFARE target.
*/
int
mifare_classic_read (MifareTag tag, const MifareClassicBlockNumber block, MifareClassicBlock *data)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
unsigned char command[2];
command[0] = MC_READ;
command[1] = block;
// Send command
size_t n;
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), *data, &n))) {
errno = EIO;
return -1;
}
return 0;
}
int
mifare_classic_init_value (MifareTag tag, const MifareClassicBlockNumber block, const int32_t value, const MifareClassicBlockNumber adr)
{
union mifare_classic_block b;
b.value.value = value;
b.value.value_ = ~value;
b.value.value__ = value;
b.value.address = adr;
b.value.address_ = ~adr;
b.value.address__ = adr;
b.value.address___ = ~adr;
if (mifare_classic_write (tag, block, b.data) < 0)
return -1;
return 0;
}
int
mifare_classic_read_value (MifareTag tag, const MifareClassicBlockNumber block, int32_t *value, MifareClassicBlockNumber *adr)
{
MifareClassicBlock data;
if (mifare_classic_read (tag, block, &data) < 0)
return -1;
union mifare_classic_block b = *((union mifare_classic_block *)(&data));
if ((b.value.value != (~b.value.value_)) || (b.value.value != b.value.value__)) {
errno = EIO;
return -1;
}
if ((b.value.address != (unsigned char)(~b.value.address_)) || (b.value.address != b.value.address__) || (b.value.address_ != b.value.address___)) {
errno = EIO;
return -1;
}
if (value)
*value = le32toh (b.value.value);
if (adr)
*adr = b.value.address;
return 0;
}
/*
* Write data to the provided MIFARE target.
*/
int
mifare_classic_write (MifareTag tag, const MifareClassicBlockNumber block, const MifareClassicBlock data)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
unsigned char command[2 + sizeof (MifareClassicBlock)];
command[0] = MC_WRITE;
command[1] = block;
memcpy (&(command[2]), data, sizeof (MifareClassicBlock));
// Send command
size_t n;
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), NULL, &n))) {
errno = EIO;
return -1;
}
// No result. The MIFARE tag just ACKed.
return 0;
}
/*
* Increment the given value block by the provided amount into the internal
* data register.
*/
int
mifare_classic_increment (MifareTag tag, const MifareClassicBlockNumber block, const uint32_t amount)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
unsigned char command[6];
command[0] = MC_INCREMENT;
command[1] = block;
int32_t le_amount = htole32 (amount);
memcpy(&(command[2]), &le_amount, sizeof (le_amount));
// Send command
size_t n;
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), NULL, &n))) {
errno = EIO;
return -1;
}
// No result. The MIFARE tag just ACKed.
return 0;
}
/*
* Decrement the given value block by the provided amount into the internal
* data register.
*/
int
mifare_classic_decrement (MifareTag tag, const MifareClassicBlockNumber block, const uint32_t amount)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
unsigned char command[6];
command[0] = MC_DECREMENT;
command[1] = block;
int32_t le_amount = htole32 (amount);
memcpy(&(command[2]), &le_amount, sizeof (le_amount));
// Send command
size_t n;
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), NULL, &n))) {
errno = EIO;
return -1;
}
// No result. The MIFARE tag just ACKed.
return 0;
}
/*
* Store the provided block to the internal data register.
*/
int
mifare_classic_restore (MifareTag tag, const MifareClassicBlockNumber block)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
/*
* Same length as the increment and decrement commands but only the first
* two bytes are actually used. The 4 bytes after the block number are
* meaningless but required (thus left uninitialized).
*/
unsigned char command[6];
/* XXX Should be MC_RESTORE according to the MIFARE documentation. */
command[0] = MC_STORE;
command[1] = block;
// Send command
size_t n;
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), NULL, &n))) {
errno = EIO;
return -1;
}
// No result. The MIFARE tag just ACKed.
return 0;
}
/*
* Store the internal data register to the provided block.
*/
int
mifare_classic_transfer (MifareTag tag, const MifareClassicBlockNumber block)
{
ASSERT_ACTIVE (tag);
ASSERT_MIFARE_CLASSIC (tag);
unsigned char command[2];
command[0] = MC_TRANSFER;
command[1] = block;
// Send command
size_t n;
unsigned char buffer[1];
if (!(nfc_initiator_transceive_dep_bytes (tag->device, command, sizeof (command), buffer, &n))) {
errno = EIO;
return -1;
}
// FIXME: The receive command returns data. Should be checked.
return 0;
}
/*
* Access bit manipulation functions
*
* The following functions provide a convenient API for reading MIFARE card
* access bits. A cache system makes these functions query a single time the
* MIFARE card regardless of the number of information requested between two
* authentications (i.e. for the current sector).
*/
/*
* Given a block, determine the rank of applicable access bits in the trailer
* block.
*
* For 4 blocks sectors, each access bit applies to a single block; but for 16
* blocks sectors (second part of MIFARE Classic 4k), the first 3 access bits
* apply to 5 blocks, and the last access bits apply to the trailer block:
*
* Sector | Access bits | Shift
* -------------------------------------+--------------+-------
* 4, 128, 129, 130, 131, 132, 144 | ---x---x---x | 0
* 1, 5, 133, 134, 135, 136, 137 | --x---x---x- | 1
* 2, 6, 138, 138, 140, 141, 142 | -x---x---x-- | 2
* 3, 7, 143 | x---x---x--- | 3
*
*/
int
get_block_access_bits_shift (MifareClassicBlockNumber block, MifareClassicBlockNumber trailer)
{
if (block == trailer) {
return 3;
} else {
if (block < 128)
return block % 4;
else
return ((block - 128) % 16) / 5;
}
}
/*
* Fetch access bits for a given block from the block's sector's trailing
* block.
*/
int
get_block_access_bits (MifareTag tag, const MifareClassicBlockNumber block, MifareClassicAccessBits *block_access_bits)
{
/*
* The first block which holds the manufacturer block seems to have
* inconsistent access bits.
*/
if (block == 0) {
errno = EINVAL;
return -1;
}
uint16_t sector_access_bits, sector_access_bits_;
MifareClassicBlockNumber trailer = mifare_classic_last_sector_block (block);
/*
* The trailer block contains access bits for the whole sector in a 3 bytes
* structure that holds 2 times the permissions (once inverted, once
* not-inverted).
*
* First we get these bytes, and check the inverted and non-inverted
* permissions match. A cache mechanism prevents many read access to the
* NFC target if the function is called multiple times on the same block.
*/
if (MIFARE_CLASSIC(tag)->cached_access_bits.sector_trailer_block_number == trailer) {
/* cache hit! */
sector_access_bits = MIFARE_CLASSIC(tag)->cached_access_bits.sector_access_bits;
} else {
MifareClassicBlock trailer_data;
if (mifare_classic_read (tag, trailer, &trailer_data) < 0) {
return -1;
}
sector_access_bits_ = trailer_data[6] | ((trailer_data[7] & 0x0f) << 8) | 0xf000;
sector_access_bits = ((trailer_data[7] & 0xf0) >> 4) | (trailer_data[8] << 4);
if (sector_access_bits != (uint16_t) ~sector_access_bits_) {
/* Sector locked */
errno = EIO;
return -1;
}
MIFARE_CLASSIC(tag)->cached_access_bits.sector_trailer_block_number = trailer;
MIFARE_CLASSIC(tag)->cached_access_bits.block_number = -1;
MIFARE_CLASSIC(tag)->cached_access_bits.sector_access_bits = sector_access_bits;
}
/*
* To ease permissions lookup, related permission bits which are not
* contiguous are assembled in a quartet.
*/
if (MIFARE_CLASSIC(tag)->cached_access_bits.block_number == block) {
/* cache hit! */
*block_access_bits = MIFARE_CLASSIC(tag)->cached_access_bits.block_access_bits;
} else {
*block_access_bits = 0;
/* ,-------C3
* |,------C2
* ||,---- C1
* ||| */
uint16_t block_access_bits_mask = 0x0111 << get_block_access_bits_shift (block, trailer);
/* |||
* ||`---------------.
* |`---------------.|
* `---------------.||
* ||| */
if (sector_access_bits & block_access_bits_mask & 0x000f) *block_access_bits |= 0x01; /* C1 */
if (sector_access_bits & block_access_bits_mask & 0x00f0) *block_access_bits |= 0x02; /* C2 */
if (sector_access_bits & block_access_bits_mask & 0x0f00) *block_access_bits |= 0x04; /* C3 */
MIFARE_CLASSIC(tag)->cached_access_bits.block_number = block;
MIFARE_CLASSIC(tag)->cached_access_bits.block_access_bits = *block_access_bits;
}
return 0;
}
/*
* Get information about the trailer block.
*/
int
mifare_classic_get_trailer_block_permission (MifareTag tag, const MifareClassicBlockNumber block, const uint16_t permission, const MifareClassicKeyType key_type)
{
MifareClassicAccessBits access_bits;
if (get_block_access_bits (tag, block, &access_bits) < 0) {
return -1;
}
if (MIFARE_CLASSIC(tag)->cached_access_bits.sector_trailer_block_number == block) {
return (mifare_trailer_access_permissions[access_bits] & (permission) << ((key_type == MFC_KEY_A) ? 1 : 0)) ? 1 : 0;
} else {
errno = EINVAL;
return -1;
}
}
/*
* Get information about data blocks.
*/
int
mifare_classic_get_data_block_permission (MifareTag tag, const MifareClassicBlockNumber block, const unsigned char permission, const MifareClassicKeyType key_type)
{
MifareClassicAccessBits access_bits;
if (get_block_access_bits (tag, block, &access_bits) < 0) {
return -1;
}
if (MIFARE_CLASSIC(tag)->cached_access_bits.sector_trailer_block_number != block) {
return ((mifare_data_access_permissions[access_bits] & (permission << ( (key_type == MFC_KEY_A) ? 4 : 0 ))) ? 1 : 0);
} else {
errno = EINVAL;
return -1;
}
}
/*
* Miscellaneous functions
*/
/*
* Reset a MIFARE target sector to factory default.
*/
int
mifare_classic_format_sector (MifareTag tag, const MifareClassicBlockNumber block)
{
MifareClassicBlockNumber first_sector_block = mifare_classic_first_sector_block (block);
MifareClassicBlockNumber last_sector_block = mifare_classic_last_sector_block (block);
/*
* Check that the current key allow us to rewrite data and trailer blocks.
*/
if (first_sector_block == 0) {
/* First block is read-only */
first_sector_block = 1;
}
for (int n = first_sector_block; n < last_sector_block; n++) {
if (mifare_classic_get_data_block_permission(tag, n, MCAB_W, MIFARE_CLASSIC(tag)->last_authentication_key_type) != 1) {
return errno = EPERM, -1;
}
}
if ((mifare_classic_get_trailer_block_permission(tag, last_sector_block, MCAB_WRITE_KEYA, MIFARE_CLASSIC(tag)->last_authentication_key_type) != 1) ||
(mifare_classic_get_trailer_block_permission(tag, last_sector_block, MCAB_WRITE_ACCESS_BITS, MIFARE_CLASSIC(tag)->last_authentication_key_type) != 1) ||
(mifare_classic_get_trailer_block_permission(tag, last_sector_block, MCAB_WRITE_KEYB, MIFARE_CLASSIC(tag)->last_authentication_key_type) != 1)) {
return errno = EPERM, -1;
}
MifareClassicBlock empty_data_block;
memset (empty_data_block, '\x00', sizeof (empty_data_block));
MifareClassicBlock default_trailer_block = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* Key A */
0xff, 0x07, 0x80, /* Access bits */
0x69, /* GPB */
0xff, 0xff, 0xff, 0xff, 0xff, 0xff /* Key B */
};
for (int n = first_sector_block; n < last_sector_block; n++) {
if (mifare_classic_write (tag, n, empty_data_block) < 0) {
return errno = EIO, -1;
}
}
if (mifare_classic_write (tag, last_sector_block, default_trailer_block) < 0) {
return errno = EIO, -1;
}
return 0;
}
/*
* UID accessor
*/
char*
mifare_classic_get_uid(MifareTag tag)
{
char* uid = malloc((4 * 2) + 1);
snprintf(uid, 9, "%02x%02x%02x%02x", tag->info.abtUid[0], tag->info.abtUid[1], tag->info.abtUid[2], tag->info.abtUid[3]);
uid[8] = '\0';
return uid;
}
/*
* Get the sector's first block number in the provided block's sector.
*/
MifareClassicBlockNumber
mifare_classic_first_sector_block (MifareClassicBlockNumber block)
{
int res;
if (block < 128) {
res = (block / 4) * 4;
} else {
res = ((block - 128) / 16) * 16 + 128;
}
return res;
}
/*
* Get the sector's last block number (aka trailer block) in the provided
* block's sector.
*/
MifareClassicBlockNumber
mifare_classic_last_sector_block (MifareClassicBlockNumber block)
{
int res;
if (block < 128) {
res = (block / 4) * 4 + 3;
} else {
res = ((block - 128) / 16) * 16 + 15 + 128;
}
return res;
}
/*
* Generates a MIFARE trailer block.
*/
void
mifare_classic_trailer_block (MifareClassicBlock *block, const MifareClassicKey key_a, uint8_t ab_0, uint8_t ab_1, uint8_t ab_2, uint8_t ab_tb, const uint8_t gpb, const MifareClassicKey key_b)
{
union mifare_classic_block *b = (union mifare_classic_block *)block; // *((union mifare_classic_block *)(&block));
ab_0 = DB_AB(ab_0);
ab_1 = DB_AB(ab_1);
ab_2 = DB_AB(ab_2);
ab_tb = TB_AB(ab_tb);
memcpy (b->trailer.key_a, key_a, sizeof (MifareClassicKey));
uint32_t access_bits = ((((( ab_0 & 0x4) >> 2) << 8) | (((ab_0 & 0x2) >> 1) << 4) | (ab_0 & 0x1)) |
(((((ab_1 & 0x4) >> 2) << 8) | (((ab_1 & 0x2) >> 1) << 4) | (ab_1 & 0x1)) << 1) |
(((((ab_2 & 0x4) >> 2) << 8) | (((ab_2 & 0x2) >> 1) << 4) | (ab_2 & 0x1)) << 2) |
(((((ab_tb & 0x4) >> 2) << 8) | (((ab_tb & 0x2) >> 1) << 4) | (ab_tb & 0x1)) << 3));
uint32_t access_bits_ = ((~access_bits) & 0x00000fff);
uint32_t ab = htole32(((access_bits << 12) | access_bits_));
memcpy (&(b->trailer.access_bits), &ab, 3);
b->trailer.gpb = gpb;
memcpy (b->trailer.key_b, key_b, sizeof (MifareClassicKey));
}
Reference in a new issue View git blame Copy permalink