oeyek / proxmark3

Automatically exported from code.google.com/p/proxmark3
GNU General Public License v2.0
0 stars 0 forks source link

Iso15693 enhancements #20

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The following patch contains a refactored code of the iso15693 implementation 
as well as several enhancements:

1) A new interface to send commands directly to a tag (on the shell via the "HF 
15 CMD ..." comands; via USB using the new CMD_ISO_15693_COMMAND and 
CMD_ISO_15693_COMMAND_DONE messages). This allows easy access to the command & 
data layer of a tag. (see examples below) 

2) A way to bruteforce the AFI (Application Family Identifier) of an tag, as 
there is no standardized way of reading. (there is only a way to set it in the 
ISO-Standard)

3) An easy to use memory dump function that reads out all memory pages.

4) A small database that detects the manufacturer and type of a tag based on 
the UID. (see client/cmdhf15.c)

5) So far the code only supported the hispeed reader-to-tag mode called "1of4". 
I've added the "1of256" mode. There is still a lot to be done: There are 4 
possible modes for a tag to send data back (hi/lowspeed with either ASK or 
FSK). We still only support one of them (hispeed ASK).

6) The iso15693 code has been refactored to better fit the coding guidelines, 
although there is still work left on that. Common definitions and code between 
client and armsrc have been moved to shared .h/.c files.

Some usage examples:

Send an INQUIRY Command to tags in range:

proxmark3> hf 15 cmd inquiry
UID=E00700001A0xxxxxx
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit

Read page 2 from a specific tag:

proxmark3> hf 15 cmd read E0054000076xxxxx 2
Using UID E0054000076xxxxx
2E 80 53 42   ..SB

Read page 2 from a tag in range (automatically find tag via INQUIRY first)

proxmark3> hf 15 cmd read * 2
Using UID E0054000076xxxxx
2E 80 53 42   ..SB

Read page 2 from any tag in range - using unaddressed commands (not supported 
by all tags)

proxmark3> hf 15 cmd read u 2
2E 80 53 42   ..SB

Write data to page 20 on a tag:

proxmark3> hf 15 cmd read u 20
 00 00 00 00 

proxmark3> hf 15 cmd write -o u 20 1234ABCD
 no answer

proxmark3> hf 15 cmd read u 20
 12 34 AB CD    

Note: the OPTION-Flag (-o) is mandatory on all TI Hi-Tags HF-I.
Note: As writing takes longer then usual operations, we run into a timeout - 
but the data is still written.

Send raw data to a tag:

proxmark3> hf 15 cmd raw -2 -c 26 01 00
received 12 octets

where -2 turnes of 1of256 longrange/lowspeed mode and -c calculates the correct 
CRC and adds it.
To view the received data, you have to turn of debug mode, which will also give 
you other info as well:

proxmark3> hf 15 cmd debug 1
#db# Iso15693 Debug is now on

Read all the memory from a tag (shown as HEX and ASCII):

proxmark3> hf 15 dumpmemory
Reading memory from tag UID=E00700001A0xxxxx
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
Block  0   00 00 FC 2A    ...*
Block  1   00 00 00 00    ....
Block  2   0B B8 67 94    ..g.
Block  3   57 A8 2D A6    W.-.
...

Find the AFI of an Tag:

proxmark3> hf 15 findafi
#db# NoAFI UID=E00700001A0xxxxx
#db# AFI=0 UID=E00700001A0xxxxx
#db# AFI=20 UID=E00700001A0xxxxx
#db# AFI Bruteforcing done.

Note: a "SetAFI" command will be added soon.

Things left to be done:

*) writing to tags takes longer then reading: we miss the answer from the tag 
in most cases  -> tweak the timeout 

*) Add more tag commands to the client - for example SetAFI, SetDSFID or the 
famous KillTag-Command of TI.

*) signal decoding from the card is still a bit shaky, although I tweaked it a 
bit to make it more error resistant.

*) signal decoding is unable to detect collisions.

*) add anti-collision support for inventory-commands 

*) sniffing and simulation do only support one transmission mode. need to 
support all 8 transmission combinations - this is imho the only way to make the 
tag simulator work on all readers. Then add memory-simulation.

*) remove or refactor old code in the "deprecated"-section

*) document all the functions

Original issue reported on code.google.com by adr...@atrox.at on 27 Sep 2010 at 12:00

Attachments:

GoogleCodeExporter commented 8 years ago
Excellent work... I'm testing over the next couple of days and will commit if 
all OK...

Original comment by fnargwibble on 3 Oct 2010 at 4:38

GoogleCodeExporter commented 8 years ago
This patch adds:

a) a multi page read command

proxmark3> hf 15 cmd readmulti u 2 3
00 00 00 00 BA 14 1B DB 06 60 19 00    ........`..

b) a Tag-"system information" command:

proxmark3> hf 15 cmd sysinfo u
0E xx xx 18 0E 02 94 16 E0 00 32 08 94 
UID = E01694020E18xxxx
EM-Marin SA (Skidata)
DSFID not supported
AFI supported, set to 000
Tag provides info on memory layout (vendor dependent)
 9 (or 8) bytes/page x 51 pages 
IC reference given: 94

Some vendors haven’t read the specification carefully enough, so there are 
off-by-one errors possible in the memory layout information. (EM-Marin is doing 
it wrong, TI values the ISO standard)

c) added more vendors and types to UID database.

This patch changes:

a) The initialisation of the the iso 15693 reader mode often produces glitches 
that may confuse tags. I've tried to tighten Iso15693InitReader() a bit, to 
reduce the impact.

b) tried to remove some warnings in different places, but as there are dozens 
(at least on an ubuntu/64bit) so i've removed  -Werror  from the Makefile. 

c) amended linux compiling instructions and fixed some minor bugs in the 
iso-15k code

Original comment by adr...@atrox.at on 14 Oct 2011 at 10:55

GoogleCodeExporter commented 8 years ago
something limits the possible response length to about 16 bytes (incl 
header+crc) - this only takes effect when you read more than 3 or 4 pages at 
once.

still the additional functionality is useful. 

Original comment by adr...@atrox.at on 14 Oct 2011 at 11:34

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by dn3...@gmail.com on 29 May 2012 at 1:10

GoogleCodeExporter commented 8 years ago

Original comment by dn3...@gmail.com on 29 May 2012 at 1:10