github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 05:43:48 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Merge pull request #1590 from merlokk/cip_key

Browse source 
Cipurse key update
This commit is contained in:
Oleg Moiseenko 2022-02-08 01:30:49 +02:00 committed by GitHub
commit 137a029d6f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 402 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

10
client/src/cipurse/cipursecore.c
View file

@ -212,6 +212,14 @@ int CIPURSEUpdateBinary(uint16_t offset, uint8_t *data, uint16_t datalen, uint8_
return CIPURSEExchange((sAPDU_t) {0x00, 0xd6, (offset >> 8) & 0x7f, offset & 0xff, datalen, data}, result, max_result_len, result_len, sw);
}
int CIPURSEUpdateKeyAttrib(uint8_t key_num, uint8_t key_attrib, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) {
return CIPURSEExchangeEx(false, true, (sAPDU_t) {0x80, 0x4e, 0x00, key_num, 1, &key_attrib}, false, 0, result, max_result_len, result_len, sw);
}
int CIPURSEUpdateKey(uint8_t encrypt_key_num, uint8_t key_num, uint8_t *key, uint16_t key_len, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) {
return CIPURSEExchangeEx(false, true, (sAPDU_t) {0x80, 0x52, encrypt_key_num, key_num, key_len, key}, false, 0, result, max_result_len, result_len, sw);
}
int CIPURSECommitTransaction(uint16_t *sw) {
uint8_t result[APDU_RES_LEN] = {0};
size_t result_len = 0;
@ -417,7 +425,7 @@ void CIPURSEPrintDGI(uint8_t *dgi, size_t dgilen) {
}
}
static void CIPURSEPrintKeySecurityAttributes(uint8_t attr) {
void CIPURSEPrintKeySecurityAttributes(uint8_t attr) {
PrintAndLogEx(INFO, " Update right: %s", (attr & 0x01) ? "self" : "any");
PrintAndLogEx(INFO, " Change key and rights: %s", (attr & 0x02) ? "ok" : "frozen");
PrintAndLogEx(INFO, " Use as key encryption key: %s", (attr & 0x04) ? "blocked" : "ok");

4
client/src/cipurse/cipursecore.h
View file

@ -55,6 +55,9 @@ int CIPURSEUpdateFileAttributes(uint8_t *data, uint16_t datalen, uint8_t *result
int CIPURSEReadBinary(uint16_t offset, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw);
int CIPURSEUpdateBinary(uint16_t offset, uint8_t *data, uint16_t datalen, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw);
int CIPURSEUpdateKey(uint8_t encrypt_key_num, uint8_t key_num, uint8_t *key, uint16_t key_len, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw);
int CIPURSEUpdateKeyAttrib(uint8_t key_num, uint8_t key_attrib, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw);
int CIPURSECommitTransaction(uint16_t *sw);
int CIPURSECancelTransaction(uint16_t *sw);
@ -71,5 +74,6 @@ void CIPURSEPrintFileUpdateAttr(uint8_t *attr, size_t len);
void CIPURSEPrintFileDescriptor(uint8_t desc);
void CIPURSEPrintDGIArray(uint8_t *dgi, size_t dgilen);
void CIPURSEPrintDGI(uint8_t *dgi, size_t dgilen);
void CIPURSEPrintKeySecurityAttributes(uint8_t attr);
#endif /* __CIPURSECORE_H__ */

358
client/src/cmdhfcipurse.c
View file

@ -39,6 +39,7 @@
#include "cmdtrace.h"
#include "util.h"
#include "fileutils.h" // laodFileJSONroot
#include "crypto/libpcrypto.h"
const uint8_t PxSE_AID[] = {0xA0, 0x00, 0x00, 0x05, 0x07, 0x01, 0x00};
#define PxSE_AID_LENGTH 7
@ -73,6 +74,21 @@ static const APDUSpcCodeDescription_t DeleteAPDUCodeDescriptions[] = {
{0x6A82, "File not found" }
};
static const APDUSpcCodeDescription_t UAPDpdateKeyAttrCodeDescriptions[] = {
{0x6581, "Transaction mechanism capabilities exceeded" },
{0x6982, "Key is frozen or only the key itself has the rights to update" },
{0x6985, "Deactivated file" },
{0x6A88, "Invalid key number (outside the range supported by the current DF)" }
};
static const APDUSpcCodeDescription_t UAPDpdateKeyCodeDescriptions[] = {
{0x6982, "Key is frozen or only the key itself has the rights to update" },
{0x6984, "key enc key is blocked or invalid" },
{0x6985, "Deactivated file" },
{0x6A80, "invalid algo, key length or kvv" },
{0x6A88, "Invalid key number (outside the range supported by the current DF)" }
};
static uint8_t defaultKeyId = 1;
static uint8_t defaultKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY;
#define CIPURSE_MAX_AID_LENGTH 16
@ -1429,6 +1445,346 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) {
return PM3_SUCCESS;
}
static int CmdHFCipurseUpdateKey(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf cipurse updakey",
"Update key. ",
"hf cipurse updkey --aid 4144204631 --newkeyn 2 --newkeya 00 --newkey 73737373737373737373737373737373 -> update default application key 2 with default value 73..73\n"
"hf cipurse updkey --newkeyn 1 --newkeya 00 --newkey 0102030405060708090a0b0c0d0e0f10 --commit -> for key 1");
void *argtable[] = {
arg_param_begin,
arg_lit0("a", "apdu", "show APDU requests and responses"),
arg_lit0("v", "verbose", "show technical data"),
arg_int0("n", NULL, "<dec>", "key ID for authentication"),
arg_str0("k", "key", "<hex>", "Auth key"),
arg_str0(NULL, "aid", "<hex 1..16 bytes>", "application ID (AID)"),
arg_str0(NULL, "fid", "<hex 2 bytes>", "file ID (FID)"),
arg_lit0(NULL, "mfd", "select masterfile by empty id"),
arg_int0(NULL, "newkeyn", "<dec>", "target key ID"),
arg_str0(NULL, "newkey", "<hex 16 byte>", "new key"),
arg_str0(NULL, "newkeya", "<hex 1 byte>", "new key additional info. 0x00 by default"),
arg_int0(NULL, "enckeyn", "<dec>", "encrypt key ID (must be equal to the key on the card)"),
arg_str0(NULL, "enckey", "<hex 16 byte>", "encrypt key (must be equal to the key on the card)"),
arg_str0(NULL, "sreq", "<plain|mac(default)|encode>", "communication reader-PICC security level"),
arg_str0(NULL, "sresp", "<plain|mac(default)|encode>", "communication PICC-reader security level"),
arg_lit0(NULL, "no-auth", "execute without authentication"),
arg_lit0(NULL, "commit", "commit "),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
bool APDULogging = arg_get_lit(ctx, 1);
bool verbose = arg_get_lit(ctx, 2);
uint8_t keyId = arg_get_int_def(ctx, 3, defaultKeyId);
CipurseChannelSecurityLevel sreq = CPSMACed;
CipurseChannelSecurityLevel sresp = CPSMACed;
uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0};
uint8_t aid[16] = {0};
size_t aidLen = 0;
bool useAID = false;
uint16_t fileId = defaultFileId;
bool useFID = false;
int res = CLIParseCommandParameters(ctx, 4, 5, 6, 13, 14, key, aid, &aidLen, &useAID, &fileId, &useFID, &sreq, &sresp);
if (res) {
CLIParserFree(ctx);
return PM3_EINVARG;
}
bool selmfd = arg_get_lit(ctx, 7);
uint8_t newKeyId = arg_get_int_def(ctx, 8, 0);
if (newKeyId == 0) {
PrintAndLogEx(ERR, _RED_("ERROR:") " new key id must be specified.");
CLIParserFree(ctx);
return PM3_EINVARG;
}
uint8_t hdata[250] = {0};
int hdatalen = sizeof(hdata);
CLIGetHexWithReturn(ctx, 9, hdata, &hdatalen);
if (hdatalen != 16) {
PrintAndLogEx(ERR, _RED_("ERROR:") " new key must be 16 bytes only and must be specified.");
CLIParserFree(ctx);
return PM3_EINVARG;
}
uint8_t newKey[CIPURSE_AES_KEY_LENGTH] = {0};
memcpy(newKey, hdata, CIPURSE_AES_KEY_LENGTH);
hdatalen = sizeof(hdata);
CLIGetHexWithReturn(ctx, 10, hdata, &hdatalen);
if (hdatalen && hdatalen != 1) {
PrintAndLogEx(ERR, _RED_("ERROR:") " new key additional info must be 1 byte only.");
CLIParserFree(ctx);
return PM3_EINVARG;
}
uint8_t newKeyAInfo = (hdatalen) ? hdata[0] : 0x00;
uint8_t encKeyId = arg_get_int_def(ctx, 11, 0);
hdatalen = sizeof(hdata);
CLIGetHexWithReturn(ctx, 12, hdata, &hdatalen);
if (hdatalen && hdatalen != 16) {
PrintAndLogEx(ERR, _RED_("ERROR:") " encode key must be 16 bytes only and must be specified.");
CLIParserFree(ctx);
return PM3_EINVARG;
}
uint8_t encKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY;
if (hdatalen)
memcpy(encKey, hdata, CIPURSE_AES_KEY_LENGTH);
bool noauth = arg_get_lit(ctx, 15);
bool needCommit = arg_get_lit(ctx, 16);
CLIParserFree(ctx);
SetAPDULogging(APDULogging);
uint8_t kvv[CIPURSE_KVV_LENGTH] = {0};
CipurseCGetKVV(newKey, kvv);
uint8_t keydata[3 + 16 + 3] = {newKeyAInfo, 0x10, 0x09, 0x00};
memcpy(&keydata[3], newKey, 16);
memcpy(&keydata[3 + 16], kvv, 3);
if (verbose) {
PrintAndLogEx(INFO, "New key number: %d", newKeyId);
PrintAndLogEx(INFO, "New key additional info: 0x%02x", newKeyAInfo);
PrintAndLogEx(INFO, "New key: %s", sprint_hex_inrow(newKey, 16));
PrintAndLogEx(INFO, "New key kvv: %s", sprint_hex_inrow(kvv, 3));
PrintAndLogEx(INFO, "New key data: %s", sprint_hex_inrow(keydata, sizeof(keydata)));
if (encKeyId) {
PrintAndLogEx(INFO, "Encode key number: %d", encKeyId);
PrintAndLogEx(INFO, "Encode key: %s", sprint_hex_inrow(encKey, 16));
aes_encode(NULL, encKey, newKey, &keydata[3], CIPURSE_AES_KEY_LENGTH);
PrintAndLogEx(INFO, "Encoded new key data: %s", sprint_hex_inrow(keydata, sizeof(keydata)));
}
PrintAndLogEx(NORMAL, "");
}
uint8_t buf[APDU_RES_LEN] = {0};
size_t len = 0;
uint16_t sw = 0;
if (useAID || useFID || selmfd) {
res = SelectCommand(selmfd, useAID, aid, aidLen, useFID, fileId, verbose, buf, sizeof(buf), &len, &sw);
if (res != 0 || sw != 0x9000) {
PrintAndLogEx(ERR, "Select command ( " _RED_("error") " )");
DropField();
return PM3_ESOFT;
}
} else {
res = CIPURSESelectMFEx(true, true, buf, sizeof(buf), &len, &sw);
if (res != 0 || sw != 0x9000) {
PrintAndLogEx(ERR, "Cipurse masterfile select " _RED_("error") ". Card returns 0x%04x", sw);
DropField();
return PM3_ESOFT;
}
if (verbose)
PrintAndLogEx(INFO, "Cipurse masterfile " _GREEN_("selected"));
}
if (verbose) {
if (!noauth)
PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s")
, keyId
, sprint_hex(key, CIPURSE_AES_KEY_LENGTH)
);
}
if (!noauth) {
bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose);
if (bres == false) {
if (verbose)
PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )");
DropField();
return PM3_ESOFT;
}
// set channel security levels
CIPURSECSetActChannelSecurityLevels(sreq, sresp);
}
res = CIPURSEUpdateKey(encKeyId, newKeyId, keydata, sizeof(keydata), buf, sizeof(buf), &len, &sw);
if (res != 0 || sw != 0x9000) {
PrintAndLogEx(ERR, "Update key command " _RED_("ERROR") ". Card returns:\n 0x%04x - %s", sw,
GetSpecificAPDUCodeDesc(UAPDpdateKeyCodeDescriptions, ARRAYLEN(UAPDpdateKeyCodeDescriptions), sw));
DropField();
return PM3_ESOFT;
}
PrintAndLogEx(INFO, "Key updated " _GREEN_("succesfully"));
if (needCommit) {
sw = 0;
res = CIPURSECommitTransaction(&sw);
if (res != 0 || sw != 0x9000)
PrintAndLogEx(WARNING, "Commit " _YELLOW_("ERROR") ". Card returns 0x%04x", sw);
if (verbose)
PrintAndLogEx(INFO, "Commit " _GREEN_("OK"));
}
DropField();
return PM3_SUCCESS;
}
static int CmdHFCipurseUpdateKeyAttr(const char *Cmd) {
CLIParserContext *ctx;
CLIParserInit(&ctx, "hf cipurse updakey",
"Update key attributes. Factory default - 0x02.\n"
"b0 - Update right - 1 self\n"
"b1 - Change key and rights - 0 frozen\n"
"b2 - Use as key encryption key - 1 blocked\n"
"b8 - Key validity - 0 valid",
"hf cipurse updakey --trgkeyn 2 --attr 80 -> block key 2 for lifetime (WARNING!)\n"
"hf cipurse updakey --trgkeyn 1 --attr 02 --commit -> for key 1");
void *argtable[] = {
arg_param_begin,
arg_lit0("a", "apdu", "show APDU requests and responses"),
arg_lit0("v", "verbose", "show technical data"),
arg_int0("n", NULL, "<dec>", "key ID for authentication"),
arg_str0("k", "key", "<hex>", "Auth key"),
arg_str0(NULL, "aid", "<hex 1..16 bytes>", "application ID (AID)"),
arg_str0(NULL, "fid", "<hex 2 bytes>", "file ID (FID)"),
arg_lit0(NULL, "mfd", "select masterfile by empty id"),
arg_int0(NULL, "trgkeyn", "<dec>", "target key ID"),
arg_str0(NULL, "attr", "<hex 1 byte>", "key attributes 1 byte"),
arg_str0(NULL, "sreq", "<plain|mac(default)|encode>", "communication reader-PICC security level"),
arg_str0(NULL, "sresp", "<plain|mac(default)|encode>", "communication PICC-reader security level"),
arg_lit0(NULL, "no-auth", "execute without authentication"),
arg_lit0(NULL, "commit", "commit "),
arg_param_end
};
CLIExecWithReturn(ctx, Cmd, argtable, false);
bool APDULogging = arg_get_lit(ctx, 1);
bool verbose = arg_get_lit(ctx, 2);
uint8_t keyId = arg_get_int_def(ctx, 3, defaultKeyId);
CipurseChannelSecurityLevel sreq = CPSMACed;
CipurseChannelSecurityLevel sresp = CPSMACed;
uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0};
uint8_t aid[16] = {0};
size_t aidLen = 0;
bool useAID = false;
uint16_t fileId = defaultFileId;
bool useFID = false;
int res = CLIParseCommandParameters(ctx, 4, 5, 6, 10, 11, key, aid, &aidLen, &useAID, &fileId, &useFID, &sreq, &sresp);
if (res) {
CLIParserFree(ctx);
return PM3_EINVARG;
}
bool selmfd = arg_get_lit(ctx, 7);
uint8_t trgKeyId = arg_get_int_def(ctx, 8, 0);
if (trgKeyId == 0) {
PrintAndLogEx(ERR, _RED_("ERROR:") " target key id must be specified.");
CLIParserFree(ctx);
return PM3_EINVARG;
}
uint8_t hdata[250] = {0};
int hdatalen = sizeof(hdata);
CLIGetHexWithReturn(ctx, 9, hdata, &hdatalen);
if (hdatalen != 1) {
PrintAndLogEx(ERR, _RED_("ERROR:") " key attributes must be 1 bytes only and must be specified.");
CLIParserFree(ctx);
return PM3_EINVARG;
}
bool noauth = arg_get_lit(ctx, 12);
bool needCommit = arg_get_lit(ctx, 13);
CLIParserFree(ctx);
SetAPDULogging(APDULogging);
if (verbose && hdatalen == 1) {
PrintAndLogEx(INFO, "Decoded attributes:");
CIPURSEPrintKeySecurityAttributes(hdata[0]);
PrintAndLogEx(NORMAL, "");
}
uint8_t buf[APDU_RES_LEN] = {0};
size_t len = 0;
uint16_t sw = 0;
if (useAID || useFID || selmfd) {
res = SelectCommand(selmfd, useAID, aid, aidLen, useFID, fileId, verbose, buf, sizeof(buf), &len, &sw);
if (res != 0 || sw != 0x9000) {
PrintAndLogEx(ERR, "Select command ( " _RED_("error") " )");
DropField();
return PM3_ESOFT;
}
} else {
res = CIPURSESelectMFEx(true, true, buf, sizeof(buf), &len, &sw);
if (res != 0 || sw != 0x9000) {
PrintAndLogEx(ERR, "Cipurse masterfile select " _RED_("error") ". Card returns 0x%04x", sw);
DropField();
return PM3_ESOFT;
}
if (verbose)
PrintAndLogEx(INFO, "Cipurse masterfile " _GREEN_("selected"));
}
if (verbose) {
if (!noauth)
PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s")
, keyId
, sprint_hex(key, CIPURSE_AES_KEY_LENGTH)
);
}
if (!noauth) {
bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose);
if (bres == false) {
if (verbose)
PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )");
DropField();
return PM3_ESOFT;
}
// set channel security levels
CIPURSECSetActChannelSecurityLevels(sreq, sresp);
}
res = CIPURSEUpdateKeyAttrib(trgKeyId, hdata[0], buf, sizeof(buf), &len, &sw);
if (res != 0 || sw != 0x9000) {
PrintAndLogEx(ERR, "Update key attributes command " _RED_("ERROR") ". Card returns:\n 0x%04x - %s", sw,
GetSpecificAPDUCodeDesc(UAPDpdateKeyAttrCodeDescriptions, ARRAYLEN(UAPDpdateKeyAttrCodeDescriptions), sw));
DropField();
return PM3_ESOFT;
}
PrintAndLogEx(INFO, "Key attributes updated " _GREEN_("succesfully"));
if (needCommit) {
sw = 0;
res = CIPURSECommitTransaction(&sw);
if (res != 0 || sw != 0x9000)
PrintAndLogEx(WARNING, "Commit " _YELLOW_("ERROR") ". Card returns 0x%04x", sw);
if (verbose)
PrintAndLogEx(INFO, "Commit " _GREEN_("OK"));
}
DropField();
return PM3_SUCCESS;
}
bool CheckCardCipurse(void) {
uint8_t buf[APDU_RES_LEN] = {0};
size_t len = 0;
@ -1518,6 +1874,8 @@ static command_t CommandTable[] = {
{"formatall", CmdHFCipurseFormatAll, IfPm3Iso14443a, "Erase all the data from chip"},
{"create", CmdHFCipurseCreateDGI, IfPm3Iso14443a, "Create file, application, key via DGI record"},
{"delete", CmdHFCipurseDeleteFile, IfPm3Iso14443a, "Delete file"},
{"updkey", CmdHFCipurseUpdateKey, IfPm3Iso14443a, "Update key"},
{"updakey", CmdHFCipurseUpdateKeyAttr, IfPm3Iso14443a, "Update key attributes"},
{"default", CmdHFCipurseDefault, IfPm3Iso14443a, "Set default key and file id for all the other commands"},
{"test", CmdHFCipurseTest, AlwaysAvailable, "Tests"},
{NULL, NULL, 0, NULL}

36
doc/cipurse.md
View file

@ -11,6 +11,13 @@
- [Card architecture](#card-architecture)
- [Card structure](#card-structure)
- [How to](#how-to)
- [How to select application or file](#how-to-select-application-or-file)
- [How to delete application or file](#how-to-delete-application-or-file)
- [How to read file](#how-to-read-file)
- [How to write file](#how-to-write-file)
- [How to read file attributes](#how-to-read-file-attributes)
- [How to set file attributes](#how-to-set-file-attributes)
- [How to update key](#how-to-update-key)
- [How to personalize card](#how-to-personalize-card)
@ -120,7 +127,7 @@ select it with display output in raw and tlv views options
```hf cipurse delete --aid 4144204631 --chfid 0102```
### How read file
### How to read file
^[Top](#top)
with default key and aid
@ -133,7 +140,7 @@ with default key and aid without authentication
```hf cipurse read --fid 0102 --no-auth```
### How write file
### How to write file
^[Top](#top)
with default key and aid
@ -149,7 +156,7 @@ with default key and aid, perform commit (works for files with transactions mech
```hf cipurse read --fid 0102 -d abbbccdd --commit```
### How read file attributes
### How to read file attributes
^[Top](#top)
read master file attributes
@ -173,7 +180,7 @@ or with default application
```hf cipurse aread --aid 4144204632 --chfid 0102```
### How set file attributes
### How to set file attributes
^[Top](#top)
set elementary file attributes (EF)
@ -191,6 +198,16 @@ set master file (MF) file attributes
```hf cipurse awrite --mfd -d 080000FFFFFFFFFFFFFFFFFF86023232 --commit``` (full access with/wo keys and tag 86 is set by `22`)
### How to update key
^[Top](#top)
update key for master application
```hf cipurse updakey --newkeyn 1 --newkeya 00 --newkey 73737373737373737373737373737373 --commit```
update key for application
```hf cipurse updakey --aid 4144204631 --newkeyn 1 --newkeya 00 --newkey 73737373737373737373737373737373 --commit```
### How to personalize card
^[Top](#top)
@ -260,7 +277,16 @@ or if file with transaction mechanism
**8. Set the keys and needed key attributes**
TBW
keys for application usually filled at create time with DGI `A00F`
keys for masterfile needs to be updated manually with command:
```hf cipurse updakey --newkeyn 1 --newkeya 00 --newkey 73737373737373737373737373737373 --commit```
update key for application (if needs)
```hf cipurse updakey --aid 4144204631 --newkeyn 1 --newkeya 00 --newkey 73737373737373737373737373737373 --commit```
update key attributes with default attributes
```hf cipurse updakey --aid 4144204631 --trgkeyn 1 --attr 02 -v --commit```
**8. Set the file attributes**