From 61ffdb5269743c223ed713752e52bf079ce4c510 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Tue, 20 Jul 2021 13:58:05 +0300 Subject: [PATCH 1/5] add set config command and some verbosity --- client/src/cmdhfmfdes.c | 90 +++++++++++++++++++++++++++++++++ client/src/mifare/desfirecore.c | 33 ++++++++++-- client/src/mifare/desfirecore.h | 5 +- 3 files changed, 124 insertions(+), 4 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 8c59ff80f..61bd4ccab 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4885,6 +4885,94 @@ static int CmdHF14ADesDefault(const char *Cmd) { return PM3_SUCCESS; } +static int CmdHF14ADesSetConfiguration(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf mfdes setconfig", + "Set card configuration. Danger zone! Needs to provide card's master key and works if not blocked by config.", + "hf mfdes setconfig --param xxx --data yyy -> set parameter with data value"); + + void *argtable[] = { + arg_param_begin, + arg_lit0("a", "apdu", "show APDU requests and responses"), + arg_lit0("v", "verbose", "show technical data"), + arg_int0("n", "keyno", "", "Key number"), + arg_str0("t", "algo", "", "Crypt algo: DES, 2TDEA, 3TDEA, AES"), + arg_str0("k", "key", "", "Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)"), + arg_str0("f", "kdf", "", "Key Derivation Function (KDF): None, AN10922, Gallagher"), + arg_str0("i", "kdfi", "", "KDF input (HEX 1-31 bytes)"), + arg_str0("m", "cmode", "", "Communicaton mode: plain/mac/encrypt"), + arg_str0("c", "ccset", "", "Communicaton command set: native/niso/iso"), + arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), + arg_str0(NULL, "aid", "", "Application ID of application for some parameters (3 hex bytes, big endian)"), + arg_str0("p", "param", "", "Parameter id (HEX 1 byte)"), + arg_str0("d", "data", "", "Data for parameter (HEX 1..30 bytes)"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, false); + + bool APDULogging = arg_get_lit(ctx, 1); + bool verbose = arg_get_lit(ctx, 2); + + DesfireContext dctx; + int securechann = defaultSecureChannel; + uint32_t appid = 0x000000; + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, DCMEncrypted, &appid); + if (res) { + CLIParserFree(ctx); + return res; + } + + uint32_t paramid = 0; + res = arg_get_u32_hexstr_def_nlen(ctx, 12, 0, ¶mid, 1, true); + if (res == 2) { + PrintAndLogEx(ERR, "Parameter ID must have 1 bytes length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + + uint8_t param[250] = {0}; + int paramlen = sizeof(param); + CLIGetHexWithReturn(ctx, 13, param, ¶mlen); + if (paramlen == 0) { + PrintAndLogEx(ERR, "Parameter must have a data."); + return PM3_EINVARG; + } + if (paramlen > 50) { + PrintAndLogEx(ERR, "Parameter data length must be less than 50 instead of %d.", paramlen); + return PM3_EINVARG; + } + + SetAPDULogging(APDULogging); + CLIParserFree(ctx); + + if (verbose) { + if (appid == 0x000000) + PrintAndLogEx(INFO, _CYAN_("PICC") " param ID: 0x%02x param[%d]: %s", paramid, paramlen, sprint_hex(param, paramlen)); + else + PrintAndLogEx(INFO, _CYAN_("Application %06x") " param ID: 0x%02x param[%d]: %s", appid, paramid, paramlen, sprint_hex(param, paramlen)); + } + + res = DesfireSelectAndAuthenticate(&dctx, securechann, appid, verbose); + if (res != PM3_SUCCESS) { + DropField(); + return res; + } + + DesfireSetCommMode(&dctx, DCMEncryptedPlain); + res = DesfireSetConfiguration(&dctx, paramid, param, paramlen); + if (res == PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "Set configuration 0x%02x " _GREEN_("ok") " ", paramid); + } else { + PrintAndLogEx(FAILED, "Set configuration 0x%02x " _RED_("failed") " ", paramid); + } + DesfireSetCommMode(&dctx, DCMEncrypted); + + DropField(); + return res; +} + + + static int CmdHF14ADesChangeKey(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfdes changekey", @@ -5003,6 +5091,7 @@ static int CmdHF14ADesChangeKey(const char *Cmd) { } else { PrintAndLogEx(FAILED, "Change key " _RED_("failed") " "); } + DesfireSetCommMode(&dctx, DCMEncrypted); DropField(); return res; @@ -5885,6 +5974,7 @@ static command_t CommandTable[] = { {"formatpicc", CmdHF14ADesFormatPICC, IfPm3Iso14443a, "[new]Format PICC"}, {"freemem", CmdHF14ADesGetFreeMem, IfPm3Iso14443a, "[new]Get free memory size"}, {"getuid", CmdHF14ADesGetUID, IfPm3Iso14443a, "[new]Get uid from card"}, + {"setconfig", CmdHF14ADesSetConfiguration, IfPm3Iso14443a, "[new]Set card configuration"}, {"info", CmdHF14ADesInfo, IfPm3Iso14443a, "Tag information"}, {"list", CmdHF14ADesList, AlwaysAvailable, "List DESFire (ISO 14443A) history"}, // {"ndefread", CmdHF14aDesNDEFRead, IfPm3Iso14443a, "Prints NDEF records from card"}, diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 47046095c..6441b8906 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -611,8 +611,10 @@ int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secu PrintAndLogEx(ERR, "Desfire select " _RED_("error") "."); return PM3_ESOFT; } + if (verbose) + PrintAndLogEx(INFO, "App %06x " _GREEN_("selected"), aid); - res = DesfireAuthenticate(dctx, secureChannel); + res = DesfireAuthenticate(dctx, secureChannel, verbose); if (res != PM3_SUCCESS) { PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: %d", res); return PM3_ESOFT; @@ -628,7 +630,7 @@ int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secu return PM3_SUCCESS; } -int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel) { +int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, bool verbose) { // 3 different way to authenticate AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32) // 4 different crypto arg1 DES, 3DES, 3K3DES, AES // 3 different communication modes, PLAIN,MAC,CRYPTO @@ -695,6 +697,9 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel uint8_t respcode = 0; uint8_t recv_data[256] = {0}; + if (verbose) + PrintAndLogEx(INFO, _CYAN_("Auth:") " cmd: 0x%02x keynum: 0x%02x", subcommand, dctx->keyNum); + // Let's send our auth command int res = DesfireExchangeEx(false, dctx, subcommand, &dctx->keyNum, 1, &respcode, recv_data, &recv_len, false, 0); if (res != PM3_SUCCESS) { @@ -907,7 +912,8 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel memset(dctx->IV, 0, DESFIRE_MAX_KEY_SIZE); dctx->secureChannel = secureChannel; memcpy(dctx->sessionKeyMAC, dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType)); - PrintAndLogEx(INFO, "Session key : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType))); + if (verbose) + PrintAndLogEx(INFO, _GREEN_("Session key") " : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType))); return PM3_SUCCESS; } @@ -1003,6 +1009,10 @@ int DesfireChangeKeyCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t return DesfireCommand(dctx, MFDES_CHANGE_KEY, data, len, resp, resplen, -1); } +int DesfireSetConfigurationCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t *resp, size_t *resplen) { + return DesfireCommand(dctx, MFDES_CHANGE_CONFIGURATION, data, len, resp, resplen, -1); +} + uint8_t DesfireKeyAlgoToType(DesfireCryptoAlgorythm keyType) { switch (keyType) { case T_DES: @@ -1179,3 +1189,20 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke return res; } +int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen) { + uint8_t data[200] = {0}; + data[0] = paramid; + memcpy(&data[1], param, paramlen); + size_t datalen = 1 + paramlen; + + // send command + uint8_t resp[257] = {0}; + size_t resplen = 0; + int res = DesfireChangeKeyCmd(dctx, data, datalen, resp, &resplen); + + // check response + if (res == 0 && resplen > 0) + res = -20; + + return res; +} diff --git a/client/src/mifare/desfirecore.h b/client/src/mifare/desfirecore.h index 611a3c8cd..d96ffc54f 100644 --- a/client/src/mifare/desfirecore.h +++ b/client/src/mifare/desfirecore.h @@ -38,7 +38,7 @@ int DesfireSelectAID(DesfireContext *ctx, uint8_t *aid1, uint8_t *aid2); int DesfireSelectAIDHex(DesfireContext *ctx, uint32_t aid1, bool select_two, uint32_t aid2); int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, uint32_t aid, bool verbose); -int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel); +int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, bool verbose); int DesfireFormatPICC(DesfireContext *dctx); int DesfireGetFreeMem(DesfireContext *dctx, uint32_t *freemem); @@ -58,4 +58,7 @@ uint8_t DesfireKeyAlgoToType(DesfireCryptoAlgorythm keyType); int DesfireChangeKeyCmd(DesfireContext *dctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newkeynum, DesfireCryptoAlgorythm newkeytype, uint32_t newkeyver, uint8_t *newkey, DesfireCryptoAlgorythm oldkeytype, uint8_t *oldkey, bool verbose); +int DesfireSetConfigurationCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t *resp, size_t *resplen); +int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen); + #endif // __DESFIRECORE_H From b062ffa6cde51071633d960dc42f3650b135bb7a Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Tue, 20 Jul 2021 21:07:31 +0300 Subject: [PATCH 2/5] set config works --- client/src/cmdhfmfdes.c | 2 +- client/src/mifare/desfirecore.c | 23 +++++++++++++++++++++-- client/src/mifare/desfiresecurechan.c | 2 ++ 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 61bd4ccab..123d9d0d5 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4889,7 +4889,7 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfdes setconfig", "Set card configuration. Danger zone! Needs to provide card's master key and works if not blocked by config.", - "hf mfdes setconfig --param xxx --data yyy -> set parameter with data value"); + "hf mfdes setconfig --param 03 --data 0428 -> set parameter with data value"); void *argtable[] = { arg_param_begin, diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 6441b8906..9d126395a 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -1190,15 +1190,34 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke } int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen) { - uint8_t data[200] = {0}; + uint8_t cdata[200] = {0}; + cdata[0] = MFDES_CHANGE_CONFIGURATION; + uint8_t *data = &cdata[1]; data[0] = paramid; memcpy(&data[1], param, paramlen); size_t datalen = 1 + paramlen; + + + // add crc + if (dctx->secureChannel == DACd40) { + iso14443a_crc_append(&data[1], datalen - 1); + datalen += 2; + } else { + desfire_crc32_append(cdata, datalen + 1); + datalen += 4; + } + + // dynamic length + if (paramid == 0x02) { + data[datalen] = 0x80; + datalen++; + } // send command uint8_t resp[257] = {0}; size_t resplen = 0; - int res = DesfireChangeKeyCmd(dctx, data, datalen, resp, &resplen); + PrintAndLogEx(INFO, "plain data[%d]: %s", datalen, sprint_hex(data, datalen)); + int res = DesfireSetConfigurationCmd(dctx, data, datalen, resp, &resplen); // check response if (res == 0 && resplen > 0) diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index f63659ec1..fdf292fca 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -126,6 +126,7 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint memcpy(dstdata, srcdata, hdrlen); DesfireCryptoEncDec(ctx, true, &data[hdrlen], rlen - hdrlen, &dstdata[hdrlen], true); *dstdatalen = rlen; + ctx->commMode = DCMEncrypted; break; case DCMNone: ; @@ -172,6 +173,7 @@ static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint rlen = padded_data_length(srcdatalen - hdrlen, desfire_get_key_block_length(ctx->keyType)); DesfireCryptoEncDec(ctx, true, data, rlen, &dstdata[hdrlen], true); *dstdatalen = hdrlen + rlen; + ctx->commMode = DCMEncrypted; } } From 2f1611a7cfa63d2c3def5df58c1cf06d8ef14198 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Tue, 20 Jul 2021 21:10:42 +0300 Subject: [PATCH 3/5] text + remove debug --- client/src/cmdhfmfdes.c | 7 +++---- client/src/mifare/desfirecore.c | 1 - 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 123d9d0d5..c16995863 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4888,8 +4888,9 @@ static int CmdHF14ADesDefault(const char *Cmd) { static int CmdHF14ADesSetConfiguration(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfdes setconfig", - "Set card configuration. Danger zone! Needs to provide card's master key and works if not blocked by config.", - "hf mfdes setconfig --param 03 --data 0428 -> set parameter with data value"); + "Set card configuration. WARNING! Danger zone! Needs to provide card's master key and works if not blocked by config.", + "hf mfdes setconfig --param 03 --data 0428 -> set parameter 03\n" + "hf mfdes setconfig --param 02 --data 0875778102637264 -> set parameter 02"); void *argtable[] = { arg_param_begin, @@ -4971,8 +4972,6 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { return res; } - - static int CmdHF14ADesChangeKey(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfdes changekey", diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 9d126395a..0b237762b 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -1216,7 +1216,6 @@ int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *para // send command uint8_t resp[257] = {0}; size_t resplen = 0; - PrintAndLogEx(INFO, "plain data[%d]: %s", datalen, sprint_hex(data, datalen)); int res = DesfireSetConfigurationCmd(dctx, data, datalen, resp, &resplen); // check response From a074b1f8126c172c9924c7322de1325f60639796 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Tue, 20 Jul 2021 21:11:32 +0300 Subject: [PATCH 4/5] remove todo --- client/src/cmdhfmfdes.c | 1 - 1 file changed, 1 deletion(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index c16995863..38079b304 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -6022,7 +6022,6 @@ int CmdHFMFDes(const char *Cmd) { Native Cmds ----------- - SetConfiguration ChangeFileSettings ISO/IEC 7816 Cmds From 10362d68cfb2cf3069939075b77af41d70375987 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Tue, 20 Jul 2021 21:20:55 +0300 Subject: [PATCH 5/5] make style --- client/src/cmdhfmfdes.c | 10 +++++----- client/src/mifare/desfirecore.c | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 38079b304..6f8c09046 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4913,7 +4913,7 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { bool APDULogging = arg_get_lit(ctx, 1); bool verbose = arg_get_lit(ctx, 2); - + DesfireContext dctx; int securechann = defaultSecureChannel; uint32_t appid = 0x000000; @@ -4922,7 +4922,7 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { CLIParserFree(ctx); return res; } - + uint32_t paramid = 0; res = arg_get_u32_hexstr_def_nlen(ctx, 12, 0, ¶mid, 1, true); if (res == 2) { @@ -4930,7 +4930,7 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { CLIParserFree(ctx); return PM3_EINVARG; } - + uint8_t param[250] = {0}; int paramlen = sizeof(param); CLIGetHexWithReturn(ctx, 13, param, ¶mlen); @@ -4942,7 +4942,7 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { PrintAndLogEx(ERR, "Parameter data length must be less than 50 instead of %d.", paramlen); return PM3_EINVARG; } - + SetAPDULogging(APDULogging); CLIParserFree(ctx); @@ -4952,7 +4952,7 @@ static int CmdHF14ADesSetConfiguration(const char *Cmd) { else PrintAndLogEx(INFO, _CYAN_("Application %06x") " param ID: 0x%02x param[%d]: %s", appid, paramid, paramlen, sprint_hex(param, paramlen)); } - + res = DesfireSelectAndAuthenticate(&dctx, securechann, appid, verbose); if (res != PM3_SUCCESS) { DropField(); diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 0b237762b..a0611120d 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -1108,7 +1108,7 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke uint8_t pckcdata[DESFIRE_MAX_KEY_SIZE + 10] = {0}; uint8_t *cdata = &pckcdata[2]; uint8_t keynodata = newkeynum & 0x3f; - + /* * Because new crypto methods can be setup only at application creation, * changing the card master key to one of them require a key_no tweak. @@ -1116,7 +1116,7 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke if (change_master_key) { keynodata |= (DesfireKeyAlgoToType(newkeytype) & 0x03) << 6; } - + pckcdata[0] = MFDES_CHANGE_KEY; // TODO pckcdata[1] = keynodata; @@ -1206,13 +1206,13 @@ int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *para desfire_crc32_append(cdata, datalen + 1); datalen += 4; } - + // dynamic length if (paramid == 0x02) { data[datalen] = 0x80; datalen++; - } - + } + // send command uint8_t resp[257] = {0}; size_t resplen = 0; @@ -1221,6 +1221,6 @@ int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *para // check response if (res == 0 && resplen > 0) res = -20; - + return res; }