From f606cc5fb50fd8e7c392f28e2a5516e88c247941 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 9 Jul 2021 18:03:34 +0300 Subject: [PATCH 01/14] added check channel --- client/src/mifare/desfiresecurechan.c | 75 +++++++++++++++++++++++++++ client/src/mifare/desfiresecurechan.h | 8 +++ include/protocols.h | 2 + 3 files changed, 85 insertions(+) diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index 2d47022cf..197769472 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -20,8 +20,42 @@ #include "crc16.h" // crc16 ccitt #include "crc32.h" #include "commonutil.h" +#include "protocols.h" #include "mifare/desfire_crypto.h" +AllowedChannelModesS AllowedChannelModes[] = { + {MFDES_CREATE_APPLICATION, DACd40, DCCNative, DCMPlain}, + {MFDES_DELETE_APPLICATION, DACd40, DCCNative, DCMPlain}, + {MFDES_GET_APPLICATION_IDS, DACd40, DCCNative, DCMPlain}, + {MFDES_GET_DF_NAMES, DACd40, DCCNative, DCMPlain}, + + {MFDES_READ_DATA, DACd40, DCCNative, DCMMACed}, + {MFDES_WRITE_DATA, DACd40, DCCNative, DCMMACed}, + {MFDES_GET_VALUE, DACd40, DCCNative, DCMMACed}, + {MFDES_CREDIT, DACd40, DCCNative, DCMMACed}, + {MFDES_DEBIT, DACd40, DCCNative, DCMMACed}, + {MFDES_LIMITED_CREDIT, DACd40, DCCNative, DCMMACed}, + {MFDES_READ_RECORDS, DACd40, DCCNative, DCMMACed}, + {MFDES_WRITE_RECORD, DACd40, DCCNative, DCMMACed}, + {MFDES_UPDATE_RECORD1, DACd40, DCCNative, DCMMACed}, + {MFDES_UPDATE_RECORD2, DACd40, DCCNativeISO, DCMMACed}, + {MFDES_INIT_KEY_SETTINGS, DACd40, DCCNative, DCMMACed}, + {MFDES_FINALIZE_KEY_SETTINGS, DACd40, DCCNative, DCMMACed}, + {MFDES_ROLL_KEY_SETTINGS, DACd40, DCCNative, DCMMACed}, + {MFDES_COMMIT_READER_ID, DACd40, DCCNative, DCMMACed}, + + {MFDES_GET_UID, DACd40, DCCNative, DCMEncrypted}, + {MFDES_READ_DATA, DACd40, DCCNative, DCMEncrypted}, + {MFDES_WRITE_DATA, DACd40, DCCNative, DCMEncrypted}, + + {MFDES_CREATE_APPLICATION, DACEV1, DCCNative, DCMMACed}, + {MFDES_DELETE_APPLICATION, DACEV1, DCCNative, DCMMACed}, + {MFDES_GET_APPLICATION_IDS, DACEV1, DCCNative, DCMMACed}, + {MFDES_GET_DF_NAMES, DACEV1, DCCNative, DCMMACed}, + + {MFDES_GET_UID, DACEV1, DCCNative, DCMEncrypted}, +}; + static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint8_t *srcdata, size_t srcdatalen, uint8_t *dstdata, size_t *dstdatalen) { memcpy(dstdata, srcdata, srcdatalen); *dstdatalen = srcdatalen; @@ -207,3 +241,44 @@ void DesfireSecureChannelDecode(DesfireContext *ctx, uint8_t *srcdata, size_t sr break; } } + +bool PrintChannelModeWarning(uint8_t cmd, DesfireSecureChannel secureChannel, DesfireCommandSet cmdSet, DesfireCommunicationMode commMode) { + if (commMode == DCMNone) { + PrintAndLogEx(WARNING, "Communication mode can't be NONE. command: %02x", cmd); + return false; + } + + // no security set + if (secureChannel == DACNone) + return true; + + bool found = false; + for (int i = 0; i < ARRAY_LENGTH(AllowedChannelModes); i++) + if (AllowedChannelModes[i].cmd == cmd) { + // full compare + if (AllowedChannelModes[i].secureChannel == secureChannel && + (AllowedChannelModes[i].cmdSet == cmdSet || (AllowedChannelModes[i].cmdSet == DCCNative && cmdSet == DCCNativeISO)) && + AllowedChannelModes[i].commMode == commMode){ + + found = true; + break; + } + + // ev1 plain and mac are the same + if (AllowedChannelModes[i].secureChannel == secureChannel && + AllowedChannelModes[i].secureChannel == DACEV1 && + (AllowedChannelModes[i].cmdSet == cmdSet || (AllowedChannelModes[i].cmdSet == DCCNative && cmdSet == DCCNativeISO)) && + (commMode == DCMPlain || commMode == DCMMACed)){ + + found = true; + break; + } + + } + + if (!found) + PrintAndLogEx(WARNING, "Wrong communication mode. Check settings. command: %02x", cmd); + + return found; +} + diff --git a/client/src/mifare/desfiresecurechan.h b/client/src/mifare/desfiresecurechan.h index 23810c791..aa056323a 100644 --- a/client/src/mifare/desfiresecurechan.h +++ b/client/src/mifare/desfiresecurechan.h @@ -19,8 +19,16 @@ #include "mifare/desfire_crypto.h" #include "mifare/mifare4.h" +typedef struct { + uint8_t cmd; + DesfireSecureChannel secureChannel; + DesfireCommandSet cmdSet; + DesfireCommunicationMode commMode; +} AllowedChannelModesS; + void DesfireSecureChannelEncode(DesfireContext *ctx, uint8_t cmd, uint8_t *srcdata, size_t srcdatalen, uint8_t *dstdata, size_t *dstdatalen); void DesfireSecureChannelDecode(DesfireContext *ctx, uint8_t *srcdata, size_t srcdatalen, uint8_t respcode, uint8_t *dstdata, size_t *dstdatalen); +bool PrintChannelModeWarning(uint8_t cmd, DesfireSecureChannel secureChannel, DesfireCommandSet cmdSet, DesfireCommunicationMode commMode); #endif // __DESFIRESECURECHAN_H diff --git a/include/protocols.h b/include/protocols.h index 66385bcb9..58bd7e90f 100644 --- a/include/protocols.h +++ b/include/protocols.h @@ -436,6 +436,7 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. #define MFDES_GET_FILE_IDS 0x6F #define MFDES_ABORT_TRANSACTION 0xA7 #define MFDES_ADDITIONAL_FRAME 0xAF +#define MFDES_UPDATE_RECORD1 0xBA #define MFDES_READ_RECORDS 0xBB #define MFDES_READ_DATA 0xBD #define MFDES_CREATE_CYCLIC_RECORD_FILE 0xC0 @@ -451,6 +452,7 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. #define MFDES_CREATE_STD_DATA_FILE 0xCD #define MFDES_CREATE_TRANS_MAC_FILE 0xCE #define MFDES_DELETE_APPLICATION 0xDA +#define MFDES_UPDATE_RECORD2 0xDB #define MFDES_DEBIT 0xDC #define MFDES_DELETE_FILE 0xDF #define MFDES_CLEAR_RECORD_FILE 0xEB From d67ea92e2ee22457bb647514e472ec9004047ff0 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 9 Jul 2021 18:04:27 +0300 Subject: [PATCH 02/14] implement check channel, add 2 new commands --- client/src/cmdhfmfdes.c | 20 +++++++++++++++++--- client/src/mifare/desfirecore.c | 13 ++++++++----- 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index b4c84e832..d10d910bb 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -31,6 +31,7 @@ #include "mifare/desfire_crypto.h" #include "mifare/desfirecore.h" #include "mifare/desfiretest.h" +#include "mifare/desfiresecurechan.h" #include "mifare/mifaredefault.h" // default keys #include "crapto1/crapto1.h" #include "fileutils.h" @@ -5143,6 +5144,16 @@ static int CmdHF14ADesDefault(const char *Cmd) { return PM3_SUCCESS; } +// {"chkeysetings", CmdHF14ADesChKeySettings, IfPm3Iso14443a, "Change Key Settings"}, +static int CmdHF14ADesChKeySettings(const char *Cmd) { + + return PM3_SUCCESS; +} + //{"getkeysetings", CmdHF14ADesGetKeySettings, IfPm3Iso14443a, "Get Key Settings"}, +static int CmdHF14ADesGetKeySettings(const char *Cmd) { + + return PM3_SUCCESS; +} static int CmdHF14ADesGetAIDs(const char *Cmd) { CLIParserContext *ctx; @@ -5170,7 +5181,7 @@ static int CmdHF14ADesGetAIDs(const char *Cmd) { bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = defaultSecureChannel; + int securechann = DCMPlain; int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, &securechann); if (res) { CLIParserFree(ctx); @@ -5252,7 +5263,7 @@ static int CmdHF14ADesGetAppNames(const char *Cmd) { bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = defaultSecureChannel; + int securechann = DCMPlain; int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, &securechann); if (res) { CLIParserFree(ctx); @@ -5323,7 +5334,6 @@ static command_t CommandTable[] = { {"-----------", CmdHelp, IfPm3Iso14443a, "---------------------- " _CYAN_("general") " ----------------------"}, {"default", CmdHF14ADesDefault, IfPm3Iso14443a, "[new]Set defaults for all the commands"}, {"auth", CmdHF14ADesAuth, IfPm3Iso14443a, "Tries a MIFARE DesFire Authentication"}, - {"changekey", CmdHF14ADesChangeKey, IfPm3Iso14443a, "Change Key"}, {"chk", CmdHF14aDesChk, IfPm3Iso14443a, "Check keys"}, {"enum", CmdHF14ADesEnumApplications, IfPm3Iso14443a, "Tries enumerate all applications"}, {"formatpicc", CmdHF14ADesFormatPICC, IfPm3Iso14443a, "Format PICC"}, @@ -5332,6 +5342,10 @@ static command_t CommandTable[] = { {"list", CmdHF14ADesList, AlwaysAvailable, "List DESFire (ISO 14443A) history"}, // {"ndefread", CmdHF14aDesNDEFRead, IfPm3Iso14443a, "Prints NDEF records from card"}, // {"mad", CmdHF14aDesMAD, IfPm3Iso14443a, "Prints MAD records from card"}, + {"-----------", CmdHelp, IfPm3Iso14443a, "------------------------ " _CYAN_("Keys") " -----------------------"}, + {"changekey", CmdHF14ADesChangeKey, IfPm3Iso14443a, "Change Key"}, + {"chkeysetings", CmdHF14ADesChKeySettings, IfPm3Iso14443a, "Change Key Settings"}, + {"getkeysetings", CmdHF14ADesGetKeySettings, IfPm3Iso14443a, "Get Key Settings"}, {"-----------", CmdHelp, IfPm3Iso14443a, "-------------------- " _CYAN_("Applications") " -------------------"}, {"bruteaid", CmdHF14ADesBruteApps, IfPm3Iso14443a, "Recover AIDs by bruteforce"}, {"createaid", CmdHF14ADesCreateApp, IfPm3Iso14443a, "Create Application ID"}, diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index ad4c6c545..540e5d6b8 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -523,6 +523,9 @@ static void DesfireSplitBytesToBlock(uint8_t *blockdata, size_t *blockdatacount, int DesfireExchangeEx(bool activate_field, DesfireContext *ctx, uint8_t cmd, uint8_t *data, size_t datalen, uint8_t *respcode, uint8_t *resp, size_t *resplen, bool enable_chaining, size_t splitbysize) { int res = PM3_SUCCESS; + + if (!PrintChannelModeWarning(cmd, ctx->secureChannel, ctx->cmdSet, ctx->commMode)) + DesfirePrintContext(ctx); uint8_t databuf[250 * 5] = {0}; size_t databuflen = 0; @@ -820,8 +823,8 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel Desfire_session_key_new(RndA, RndB, key, &sesskey); memcpy(dctx->sessionKeyEnc, sesskey.data, desfire_get_key_length(dctx->keyType)); - PrintAndLogEx(INFO, "encRndA : %s", sprint_hex(encRndA, rndlen)); - PrintAndLogEx(INFO, "IV : %s", sprint_hex(IV, rndlen)); + //PrintAndLogEx(INFO, "encRndA : %s", sprint_hex(encRndA, rndlen)); + //PrintAndLogEx(INFO, "IV : %s", sprint_hex(IV, rndlen)); if (dctx->keyType == T_DES) { if (secureChannel == DACd40) des_decrypt(encRndA, encRndA, key->data); @@ -839,8 +842,8 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel } rol(RndA, rndlen); - PrintAndLogEx(INFO, "Expected_RndA : %s", sprint_hex(RndA, rndlen)); - PrintAndLogEx(INFO, "Generated_RndA : %s", sprint_hex(encRndA, rndlen)); + //PrintAndLogEx(INFO, "Expected_RndA : %s", sprint_hex(RndA, rndlen)); + //PrintAndLogEx(INFO, "Generated_RndA : %s", sprint_hex(encRndA, rndlen)); for (uint32_t x = 0; x < rndlen; x++) { if (RndA[x] != encRndA[x]) { if (g_debugMode > 1) { @@ -867,7 +870,7 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel memset(dctx->IV, 0, DESFIRE_MAX_KEY_SIZE); dctx->secureChannel = secureChannel; memcpy(dctx->sessionKeyMAC, dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType)); - PrintAndLogEx(INFO, "sessionKeyEnc : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType))); + PrintAndLogEx(INFO, "Session key : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType))); return PM3_SUCCESS; } From cbffdd7552cbcd38450ddfc221c74c0fbeb55989 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 9 Jul 2021 19:26:15 +0300 Subject: [PATCH 03/14] add print keysettings --- client/src/mifare/desfirecore.c | 101 +++++++++++++++++++++++++- client/src/mifare/desfirecore.h | 5 ++ client/src/mifare/desfiresecurechan.c | 2 + 3 files changed, 106 insertions(+), 2 deletions(-) diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 540e5d6b8..fd1fe6256 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -909,7 +909,7 @@ int DesfireCreateApplication(DesfireContext *dctx, uint8_t *appdata, size_t appd uint8_t respcode = 0xff; uint8_t resp[257] = {0}; size_t resplen = 0; - int res = DesfireExchangeEx(false, dctx, MFDES_CREATE_APPLICATION, appdata, appdatalen, &respcode, resp, &resplen, true, 24); + int res = DesfireExchangeEx(false, dctx, MFDES_CREATE_APPLICATION, appdata, appdatalen, &respcode, resp, &resplen, true, 0); if (res != PM3_SUCCESS) return res; if (respcode != MFDES_S_OPERATION_OK || resplen != 0) @@ -923,7 +923,7 @@ int DesfireDeleteApplication(DesfireContext *dctx, uint32_t aid) { DesfireAIDUintToByte(aid, data); uint8_t resp[257] = {0}; size_t resplen = 0; - int res = DesfireExchangeEx(false, dctx, MFDES_DELETE_APPLICATION, data, sizeof(data), &respcode, resp, &resplen, true, 24); + int res = DesfireExchangeEx(false, dctx, MFDES_DELETE_APPLICATION, data, sizeof(data), &respcode, resp, &resplen, true, 0); if (res != PM3_SUCCESS) return res; if (respcode != MFDES_S_OPERATION_OK || resplen != 0) @@ -931,3 +931,100 @@ int DesfireDeleteApplication(DesfireContext *dctx, uint32_t aid) { return PM3_SUCCESS; } +int DesfireGetKeySettings(DesfireContext *dctx, uint8_t *resp, size_t *resplen) { + uint8_t respcode = 0xff; + int res = DesfireExchange(dctx, MFDES_GET_KEY_SETTINGS, NULL, 0, &respcode, resp, resplen); + if (res != PM3_SUCCESS) + return res; + if (respcode != MFDES_S_OPERATION_OK) + return PM3_EAPDU_FAIL; + return PM3_SUCCESS; +} + +int DesfireGetKeyVersion(DesfireContext *dctx, uint8_t *resp, size_t *resplen) { + uint8_t respcode = 0xff; + int res = DesfireExchange(dctx, MFDES_GET_KEY_VERSION, NULL, 0, &respcode, resp, resplen); + if (res != PM3_SUCCESS) + return res; + if (respcode != MFDES_S_OPERATION_OK) + return PM3_EAPDU_FAIL; + return PM3_SUCCESS; +} + +int DesfireChangeKeySettings(DesfireContext *dctx, uint8_t *data, size_t len) { + uint8_t respcode = 0xff; + uint8_t resp[257] = {0}; + size_t resplen = 0; + int res = DesfireExchange(dctx, MFDES_CHANGE_KEY_SETTINGS, data, len, &respcode, resp, &resplen); + if (res != PM3_SUCCESS) + return res; + if (respcode != MFDES_S_OPERATION_OK || resplen != 0) + return PM3_EAPDU_FAIL; + return PM3_SUCCESS; +} + +static void PrintKeyType(uint8_t keytype) { + switch(keytype) { + case 00: + PrintAndLogEx(SUCCESS, "Key: 2TDEA"); + break; + case 01: + PrintAndLogEx(SUCCESS, "Key: 3TDEA"); + break; + case 02: + PrintAndLogEx(SUCCESS, "Key: AES"); + break; + default: + PrintAndLogEx(SUCCESS, "Key: unknown: 0x%02x", keytype); + break; + } +} + +static void PrintKeySettingsPICC(uint8_t keysettings, uint8_t numkeys) { + PrintAndLogEx(SUCCESS, "PICC level rights:"); + PrintAndLogEx(SUCCESS, "[%c...] CMK Configuration changeable : %s", (keysettings & (1 << 3)) ? '1' : '0', (keysettings & (1 << 3)) ? _GREEN_("YES") : "NO (frozen)"); + PrintAndLogEx(SUCCESS, "[.%c..] CMK required for create/delete : %s", (keysettings & (1 << 2)) ? '1' : '0', (keysettings & (1 << 2)) ? _GREEN_("NO") : "YES"); + PrintAndLogEx(SUCCESS, "[..%c.] Directory list access with CMK : %s", (keysettings & (1 << 1)) ? '1' : '0', (keysettings & (1 << 1)) ? _GREEN_("NO") : "YES"); + PrintAndLogEx(SUCCESS, "[...%c] CMK is changeable : %s", (keysettings & (1 << 0)) ? '1' : '0', (keysettings & (1 << 0)) ? _GREEN_("YES") : "NO (frozen)"); + + PrintAndLogEx(SUCCESS, "\nkey count: %d", numkeys & 0x0f); +} + +static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys) { + // Access rights. + PrintAndLogEx(SUCCESS, "Application level rights:"); + uint8_t rights = ((keysettings >> 4) & 0x0F); + switch (rights) { + case 0x0: + PrintAndLogEx(SUCCESS, "-- AMK authentication is necessary to change any key (default)"); + break; + case 0xE: + PrintAndLogEx(SUCCESS, "-- Authentication with the key to be changed (same KeyNo) is necessary to change a key"); + break; + case 0xF: + PrintAndLogEx(SUCCESS, "-- All keys (except AMK,see Bit0) within this application are frozen"); + break; + default: + PrintAndLogEx(SUCCESS, + "-- Authentication with the specified key is necessary to change any key.\n" + "A change key and a PICC master key (CMK) can only be changed after authentication with the master key.\n" + "For keys other then the master or change key, an authentication with the same key is needed." + ); + break; + } + + PrintAndLogEx(SUCCESS, "[%c...] AMK Configuration changeable : %s", (keysettings & (1 << 3)) ? '1' : '0', (keysettings & (1 << 3)) ? _GREEN_("YES") : "NO (frozen)"); + PrintAndLogEx(SUCCESS, "[.%c..] AMK required for create/delete : %s", (keysettings & (1 << 2)) ? '1' : '0', (keysettings & (1 << 2)) ? "NO" : "YES"); + PrintAndLogEx(SUCCESS, "[..%c.] Directory list access with AMK : %s", (keysettings & (1 << 1)) ? '1' : '0', (keysettings & (1 << 1)) ? "NO" : "YES"); + PrintAndLogEx(SUCCESS, "[...%c] AMK is changeable : %s", (keysettings & (1 << 0)) ? '1' : '0', (keysettings & (1 << 0)) ? _GREEN_("YES") : "NO (frozen)"); + + PrintKeyType(numkeys >> 6); + PrintAndLogEx(SUCCESS, "\nkey count: %d", numkeys & 0x0f); +} + +void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel) { + if (applevel) + PrintKeySettingsApp(keysettings, numkeys); + else + PrintKeySettingsPICC(keysettings, numkeys); +} diff --git a/client/src/mifare/desfirecore.h b/client/src/mifare/desfirecore.h index 080fed18d..8943fd971 100644 --- a/client/src/mifare/desfirecore.h +++ b/client/src/mifare/desfirecore.h @@ -46,4 +46,9 @@ int DesfireGetDFList(DesfireContext *dctx, uint8_t *resp, size_t *resplen); int DesfireCreateApplication(DesfireContext *dctx, uint8_t *appdata, size_t appdatalen); int DesfireDeleteApplication(DesfireContext *dctx, uint32_t aid); +int DesfireGetKeyVersion(DesfireContext *dctx, uint8_t *resp, size_t *resplen); +int DesfireGetKeySettings(DesfireContext *dctx, uint8_t *resp, size_t *resplen); +int DesfireChangeKeySettings(DesfireContext *dctx, uint8_t *data, size_t len); +void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel); + #endif // __DESFIRECORE_H diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index 197769472..607a42f25 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -28,6 +28,7 @@ AllowedChannelModesS AllowedChannelModes[] = { {MFDES_DELETE_APPLICATION, DACd40, DCCNative, DCMPlain}, {MFDES_GET_APPLICATION_IDS, DACd40, DCCNative, DCMPlain}, {MFDES_GET_DF_NAMES, DACd40, DCCNative, DCMPlain}, + {MFDES_GET_KEY_SETTINGS, DACd40, DCCNative, DCMPlain}, {MFDES_READ_DATA, DACd40, DCCNative, DCMMACed}, {MFDES_WRITE_DATA, DACd40, DCCNative, DCMMACed}, @@ -52,6 +53,7 @@ AllowedChannelModesS AllowedChannelModes[] = { {MFDES_DELETE_APPLICATION, DACEV1, DCCNative, DCMMACed}, {MFDES_GET_APPLICATION_IDS, DACEV1, DCCNative, DCMMACed}, {MFDES_GET_DF_NAMES, DACEV1, DCCNative, DCMMACed}, + {MFDES_GET_KEY_SETTINGS, DACEV1, DCCNative, DCMMACed}, {MFDES_GET_UID, DACEV1, DCCNative, DCMEncrypted}, }; From c8777ebea8e5eadf8d66a32746f45247d3fe8012 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 9 Jul 2021 19:26:41 +0300 Subject: [PATCH 04/14] add getkeysettings command --- client/src/cmdhfmfdes.c | 129 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 122 insertions(+), 7 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index d10d910bb..c2ab80b64 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5014,7 +5014,9 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct uint8_t keynoid, uint8_t algoid, uint8_t keyid, uint8_t kdfid, uint8_t kdfiid, uint8_t cmodeid, uint8_t ccsetid, uint8_t schannid, - int *securechannel) { + uint8_t appid, + int *securechannel, + uint32_t *aid) { uint8_t keynum = defaultKeyNum; int algores = defaultAlgoId; @@ -5080,6 +5082,14 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct if (CLIGetOptionList(arg_get_str(ctx, schannid), DesfireSecureChannelOpts, &secchann)) return PM3_ESOFT; } + + if (appid && aid) { + *aid = 0x000000; + + //int arg_get_u32_hexstr_def_nlen(CLIParserContext *ctx, uint8_t paramnum, uint32_t def, uint32_t *out, uint8_t nlen, bool optional); + // if (arg_get_u32_hexstr_def_nlen(ctx, appid, 0x000000, aid, 3, true)) + // return PM3_ESOFT; + } DesfireSetKey(dctx, keynum, algores, key); DesfireSetKdf(dctx, kdfAlgo, kdfInput, kdfInputLen); @@ -5113,7 +5123,7 @@ static int CmdHF14ADesDefault(const char *Cmd) { DesfireContext dctx; int securechann = defaultSecureChannel; - int res = CmdDesGetSessionParameters(ctx, &dctx, 1, 2, 3, 4, 5, 6, 7, 8, &securechann); + int res = CmdDesGetSessionParameters(ctx, &dctx, 1, 2, 3, 4, 5, 6, 7, 8, 0, &securechann, NULL); if (res) { CLIParserFree(ctx); return res; @@ -5149,9 +5159,114 @@ static int CmdHF14ADesChKeySettings(const char *Cmd) { return PM3_SUCCESS; } - //{"getkeysetings", CmdHF14ADesGetKeySettings, IfPm3Iso14443a, "Get Key Settings"}, + static int CmdHF14ADesGetKeySettings(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf mfdes getkeysetings", + "Get key settings for card level or application level.", + "hf mfdes getkeysetings -> execute with default factory setup"); + + void *argtable[] = { + arg_param_begin, + arg_lit0("a", "apdu", "show APDU requests and responses"), + arg_lit0("v", "verbose", "show technical data"), + arg_int0("n", "keyno", "", "Key number"), + arg_str0("t", "algo", "", "Crypt algo: DES, 2TDEA, 3TDEA, AES"), + arg_str0("k", "key", "", "Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)"), + arg_str0("f", "kdf", "", "Key Derivation Function (KDF): None, AN10922, Gallagher"), + arg_str0("i", "kdfi", "", "KDF input (HEX 1-31 bytes)"), + arg_str0("m", "cmode", "", "Communicaton mode: plain/mac/encrypt"), + arg_str0("c", "ccset", "", "Communicaton command set: native/niso/iso"), + arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), + arg_int0(NULL, "appid", "", "Application ID (HEX 3 bytes)"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, false); + + bool APDULogging = arg_get_lit(ctx, 1); + bool verbose = arg_get_lit(ctx, 2); + + DesfireContext dctx; + int securechann = DCMPlain; + uint32_t appid = 0x000000; + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, &appid); + if (res) { + CLIParserFree(ctx); + return res; + } + + SetAPDULogging(APDULogging); + CLIParserFree(ctx); + + if (verbose) + DesfirePrintContext(&dctx); + + res = DesfireSelectAIDHex(&dctx, appid, false, 0); + if (res != PM3_SUCCESS) { + PrintAndLogEx(ERR, "Desfire select " _RED_("error") "."); + DropField(); + return PM3_ESOFT; + } + + res = DesfireAuthenticate(&dctx, securechann); + if (res != PM3_SUCCESS) { + PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: %d", res); + DropField(); + return PM3_ESOFT; + } + + if (DesfireIsAuthenticated(&dctx)) { + if (verbose) + PrintAndLogEx(ERR, "Desfire " _GREEN_("authenticated")); + } else { + return PM3_ESOFT; + } + + uint8_t buf[APDU_RES_LEN] = {0}; + size_t buflen = 0; + + res = DesfireGetKeySettings(&dctx, buf, &buflen); + if (res != PM3_SUCCESS) { + PrintAndLogEx(ERR, "Desfire DesfireGetKeySettings command " _RED_("error") ". Result: %d", res); + DropField(); + return PM3_ESOFT; + } +// if (verbose) + PrintAndLogEx(INFO, "DesfireGetKeySettings[%d]: %s", buflen, sprint_hex(buf, buflen)); + + if (buflen < 2) { + PrintAndLogEx(ERR, "Command DesfireGetKeySettings returned wrong length: %d", buflen); + DropField(); + return PM3_ESOFT; + } + + PrintAndLogEx(INFO, "----------------------- " _CYAN_("Key settings") " -----------------------"); + PrintKeySettings(buf[0], buf[1], (appid != 0x000000)); + if (buflen > 2) + PrintAndLogEx(INFO, "ak ver: %d", buf[2]); + if (buflen > 3) + PrintAndLogEx(INFO, "num keysets: %d", buf[3]); + if (buflen > 4) + PrintAndLogEx(INFO, "max keysize: %d", buf[4]); + if (buflen > 5) + PrintAndLogEx(INFO, "app key settings: 0x%02x", buf[5]); + + + + /*if (buflen > 0) { + PrintAndLogEx(INFO, "----------------------- " _CYAN_("File list") " -----------------------"); + for (int i = 0; i < buflen; i++) + PrintAndLogEx(INFO, "AID: %06x ISO file id: %02x%02x ISO DF name[%" PRIu32 "]: %s", + DesfireAIDByteToUint(&buf[i * 24 + 1]), + buf[i * 24 + 1 + 3], buf[i * 24 + 1 + 4], + strlen((char *)&buf[i * 24 + 1 + 5]), + &buf[i * 24 + 1 + 5]); + } else { + PrintAndLogEx(INFO, "There is no applications on the card"); + }*/ + + DropField(); return PM3_SUCCESS; } @@ -5182,7 +5297,7 @@ static int CmdHF14ADesGetAIDs(const char *Cmd) { DesfireContext dctx; int securechann = DCMPlain; - int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, &securechann); + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 0, &securechann, NULL); if (res) { CLIParserFree(ctx); return res; @@ -5264,7 +5379,7 @@ static int CmdHF14ADesGetAppNames(const char *Cmd) { DesfireContext dctx; int securechann = DCMPlain; - int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, &securechann); + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 0, &securechann, NULL); if (res) { CLIParserFree(ctx); return res; @@ -5344,8 +5459,8 @@ static command_t CommandTable[] = { // {"mad", CmdHF14aDesMAD, IfPm3Iso14443a, "Prints MAD records from card"}, {"-----------", CmdHelp, IfPm3Iso14443a, "------------------------ " _CYAN_("Keys") " -----------------------"}, {"changekey", CmdHF14ADesChangeKey, IfPm3Iso14443a, "Change Key"}, - {"chkeysetings", CmdHF14ADesChKeySettings, IfPm3Iso14443a, "Change Key Settings"}, - {"getkeysetings", CmdHF14ADesGetKeySettings, IfPm3Iso14443a, "Get Key Settings"}, + {"chkeysetings", CmdHF14ADesChKeySettings, IfPm3Iso14443a, "[new]Change Key Settings"}, + {"getkeysetings", CmdHF14ADesGetKeySettings, IfPm3Iso14443a, "[new]Get Key Settings"}, {"-----------", CmdHelp, IfPm3Iso14443a, "-------------------- " _CYAN_("Applications") " -------------------"}, {"bruteaid", CmdHF14ADesBruteApps, IfPm3Iso14443a, "Recover AIDs by bruteforce"}, {"createaid", CmdHF14ADesCreateApp, IfPm3Iso14443a, "Create Application ID"}, From 67d7d29d740c0dbe8e5f997e2b55539bf7f15454 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 10 Jul 2021 15:07:51 +0300 Subject: [PATCH 05/14] CmdHF14ADesGetKeySettings works --- client/src/cmdhfmfdes.c | 14 +++++++++----- client/src/mifare/desfirecore.c | 6 ++++-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index c2ab80b64..ac4fbb1b5 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5085,10 +5085,14 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct if (appid && aid) { *aid = 0x000000; - - //int arg_get_u32_hexstr_def_nlen(CLIParserContext *ctx, uint8_t paramnum, uint32_t def, uint32_t *out, uint8_t nlen, bool optional); - // if (arg_get_u32_hexstr_def_nlen(ctx, appid, 0x000000, aid, 3, true)) - // return PM3_ESOFT; + int res = arg_get_u32_hexstr_def_nlen(ctx, appid, 0x000000, aid, 3, true); + if (res == 0) + return PM3_ESOFT; + if (res == 2) { + PrintAndLogEx(ERR, "AID length must have 3 bytes length"); + return PM3_EINVARG; + } + PrintAndLogEx(INFO, "--aid: %x", *aid); } DesfireSetKey(dctx, keynum, algores, key); @@ -5178,7 +5182,7 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { arg_str0("m", "cmode", "", "Communicaton mode: plain/mac/encrypt"), arg_str0("c", "ccset", "", "Communicaton command set: native/niso/iso"), arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), - arg_int0(NULL, "appid", "", "Application ID (HEX 3 bytes)"), + arg_str0(NULL, "appid", "", "Application ID (HEX 3 bytes)"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index fd1fe6256..3d09fc58a 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -986,8 +986,9 @@ static void PrintKeySettingsPICC(uint8_t keysettings, uint8_t numkeys) { PrintAndLogEx(SUCCESS, "[.%c..] CMK required for create/delete : %s", (keysettings & (1 << 2)) ? '1' : '0', (keysettings & (1 << 2)) ? _GREEN_("NO") : "YES"); PrintAndLogEx(SUCCESS, "[..%c.] Directory list access with CMK : %s", (keysettings & (1 << 1)) ? '1' : '0', (keysettings & (1 << 1)) ? _GREEN_("NO") : "YES"); PrintAndLogEx(SUCCESS, "[...%c] CMK is changeable : %s", (keysettings & (1 << 0)) ? '1' : '0', (keysettings & (1 << 0)) ? _GREEN_("YES") : "NO (frozen)"); + PrintAndLogEx(SUCCESS, ""); - PrintAndLogEx(SUCCESS, "\nkey count: %d", numkeys & 0x0f); + PrintAndLogEx(SUCCESS, "key count: %d", numkeys & 0x0f); } static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys) { @@ -1017,9 +1018,10 @@ static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys) { PrintAndLogEx(SUCCESS, "[.%c..] AMK required for create/delete : %s", (keysettings & (1 << 2)) ? '1' : '0', (keysettings & (1 << 2)) ? "NO" : "YES"); PrintAndLogEx(SUCCESS, "[..%c.] Directory list access with AMK : %s", (keysettings & (1 << 1)) ? '1' : '0', (keysettings & (1 << 1)) ? "NO" : "YES"); PrintAndLogEx(SUCCESS, "[...%c] AMK is changeable : %s", (keysettings & (1 << 0)) ? '1' : '0', (keysettings & (1 << 0)) ? _GREEN_("YES") : "NO (frozen)"); + PrintAndLogEx(SUCCESS, ""); PrintKeyType(numkeys >> 6); - PrintAndLogEx(SUCCESS, "\nkey count: %d", numkeys & 0x0f); + PrintAndLogEx(SUCCESS, "key count: %d", numkeys & 0x0f); } void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel) { From b6e6070bfe6cb93518a214ba0e01f7cfb5646a50 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 10 Jul 2021 15:08:39 +0300 Subject: [PATCH 06/14] remove debug --- client/src/cmdhfmfdes.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index ac4fbb1b5..81a5d8a16 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5092,7 +5092,6 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct PrintAndLogEx(ERR, "AID length must have 3 bytes length"); return PM3_EINVARG; } - PrintAndLogEx(INFO, "--aid: %x", *aid); } DesfireSetKey(dctx, keynum, algores, key); @@ -5236,7 +5235,7 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { return PM3_ESOFT; } -// if (verbose) + if (verbose) PrintAndLogEx(INFO, "DesfireGetKeySettings[%d]: %s", buflen, sprint_hex(buf, buflen)); if (buflen < 2) { From e54f0e3a33faad679287a2d620f47f5ce1b2fb99 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 10 Jul 2021 15:10:15 +0300 Subject: [PATCH 07/14] move crc to new file --- client/src/mifare/desfire_crypto.c | 28 ---------------------------- client/src/mifare/desfire_crypto.h | 6 ------ client/src/mifare/desfirecrypto.c | 28 ++++++++++++++++++++++++++++ client/src/mifare/desfirecrypto.h | 6 ++++++ 4 files changed, 34 insertions(+), 34 deletions(-) diff --git a/client/src/mifare/desfire_crypto.c b/client/src/mifare/desfire_crypto.c index 23c8b1fd9..fd3cb427d 100644 --- a/client/src/mifare/desfire_crypto.c +++ b/client/src/mifare/desfire_crypto.c @@ -967,31 +967,3 @@ void mifare_cypher_blocks_chained(desfiretag_t tag, desfirekey_t key, uint8_t *i offset += block_size; } } - -void desfire_crc32(const uint8_t *data, const size_t len, uint8_t *crc) { - crc32_ex(data, len, crc); -} - -void desfire_crc32_append(uint8_t *data, const size_t len) { - crc32_ex(data, len, data + len); -} - -bool desfire_crc32_check(uint8_t *data, const size_t len, uint8_t *crc) { - uint8_t ccrc[4] = {0}; - desfire_crc32(data, len, ccrc); - return (memcmp(ccrc, crc, 4) == 0); -} - -void iso14443a_crc_append(uint8_t *data, size_t len) { - return compute_crc(CRC_14443_A, data, len, data + len, data + len + 1); -} - -void iso14443a_crc(uint8_t *data, size_t len, uint8_t *pbtCrc) { - return compute_crc(CRC_14443_A, data, len, pbtCrc, pbtCrc + 1); -} - -bool iso14443a_crc_check(uint8_t *data, const size_t len, uint8_t *crc) { - uint8_t ccrc[2] = {0}; - iso14443a_crc(data, len, ccrc); - return (memcmp(ccrc, crc, 2) == 0); -} diff --git a/client/src/mifare/desfire_crypto.h b/client/src/mifare/desfire_crypto.h index 689c0d56c..c4c879ef3 100644 --- a/client/src/mifare/desfire_crypto.h +++ b/client/src/mifare/desfire_crypto.h @@ -147,10 +147,4 @@ void cmac(const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t l void mifare_kdf_an10922(const desfirekey_t key, const uint8_t *data, size_t len); -void desfire_crc32(const uint8_t *data, const size_t len, uint8_t *crc); -void desfire_crc32_append(uint8_t *data, const size_t len); -bool desfire_crc32_check(uint8_t *data, const size_t len, uint8_t *crc); -void iso14443a_crc_append(uint8_t *data, size_t len); -void iso14443a_crc(uint8_t *data, size_t len, uint8_t *pbtCrc); -bool iso14443a_crc_check(uint8_t *data, const size_t len, uint8_t *crc); #endif diff --git a/client/src/mifare/desfirecrypto.c b/client/src/mifare/desfirecrypto.c index 64773c229..04c6d7dfb 100644 --- a/client/src/mifare/desfirecrypto.c +++ b/client/src/mifare/desfirecrypto.c @@ -308,3 +308,31 @@ void DesfireCryptoCMAC(DesfireContext *ctx, uint8_t *data, size_t len, uint8_t * memcpy(cmac, ctx->IV, kbs); } + +void desfire_crc32(const uint8_t *data, const size_t len, uint8_t *crc) { + crc32_ex(data, len, crc); +} + +void desfire_crc32_append(uint8_t *data, const size_t len) { + crc32_ex(data, len, data + len); +} + +bool desfire_crc32_check(uint8_t *data, const size_t len, uint8_t *crc) { + uint8_t ccrc[4] = {0}; + desfire_crc32(data, len, ccrc); + return (memcmp(ccrc, crc, 4) == 0); +} + +void iso14443a_crc_append(uint8_t *data, size_t len) { + return compute_crc(CRC_14443_A, data, len, data + len, data + len + 1); +} + +void iso14443a_crc(uint8_t *data, size_t len, uint8_t *pbtCrc) { + return compute_crc(CRC_14443_A, data, len, pbtCrc, pbtCrc + 1); +} + +bool iso14443a_crc_check(uint8_t *data, const size_t len, uint8_t *crc) { + uint8_t ccrc[2] = {0}; + iso14443a_crc(data, len, ccrc); + return (memcmp(ccrc, crc, 2) == 0); +} diff --git a/client/src/mifare/desfirecrypto.h b/client/src/mifare/desfirecrypto.h index 824225b39..6bffa376e 100644 --- a/client/src/mifare/desfirecrypto.h +++ b/client/src/mifare/desfirecrypto.h @@ -101,5 +101,11 @@ void DesfireCryptoEncDec(DesfireContext *ctx, bool use_session_key, uint8_t *src void DesfireCryptoEncDecEx(DesfireContext *ctx, bool use_session_key, uint8_t *srcdata, size_t srcdatalen, uint8_t *dstdata, bool encode, uint8_t *iv); void DesfireCryptoCMAC(DesfireContext *ctx, uint8_t *srcdata, size_t srcdatalen, uint8_t *cmac); +void desfire_crc32(const uint8_t *data, const size_t len, uint8_t *crc); +void desfire_crc32_append(uint8_t *data, const size_t len); +bool desfire_crc32_check(uint8_t *data, const size_t len, uint8_t *crc); +void iso14443a_crc_append(uint8_t *data, size_t len); +void iso14443a_crc(uint8_t *data, size_t len, uint8_t *pbtCrc); +bool iso14443a_crc_check(uint8_t *data, const size_t len, uint8_t *crc); #endif // __DESFIRECRYPTO_H From 1cd467e1f35fc139bea84608f61ef1d70a5c124f Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 10 Jul 2021 15:16:06 +0300 Subject: [PATCH 08/14] change param name --- client/src/cmdhfmfdes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 81a5d8a16..71b224264 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5181,7 +5181,7 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { arg_str0("m", "cmode", "", "Communicaton mode: plain/mac/encrypt"), arg_str0("c", "ccset", "", "Communicaton command set: native/niso/iso"), arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), - arg_str0(NULL, "appid", "", "Application ID (HEX 3 bytes)"), + arg_str0(NULL, "aid", "", "Application ID (3 hex bytes, big endian)"), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, false); From 5367cb4e23999d832722acc8294365853d803d7f Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 10 Jul 2021 16:05:40 +0300 Subject: [PATCH 09/14] CmdHF14ADesChKeySettings command --- client/src/cmdhfmfdes.c | 85 +++++++++++++++++++++++++++++++-- client/src/mifare/desfirecore.c | 19 ++++---- client/src/mifare/desfirecore.h | 2 +- 3 files changed, 94 insertions(+), 12 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 71b224264..2f11f2f5b 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5157,8 +5157,86 @@ static int CmdHF14ADesDefault(const char *Cmd) { return PM3_SUCCESS; } -// {"chkeysetings", CmdHF14ADesChKeySettings, IfPm3Iso14443a, "Change Key Settings"}, + static int CmdHF14ADesChKeySettings(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf mfdes chkeysetings", + "Change key settings for card level or application level. WARNING: card level changes may block card!", + "hf mfdes chkeysetings -d 0e -> set picc key settings with default key/channel setup\n"\ + "hf mfdes chkeysetings --aid 123456 -d 0e -> set app 123456 key settings with default key/channel setup"); + + void *argtable[] = { + arg_param_begin, + arg_lit0("a", "apdu", "show APDU requests and responses"), + arg_lit0("v", "verbose", "show technical data"), + arg_int0("n", "keyno", "", "Key number"), + arg_str0("t", "algo", "", "Crypt algo: DES, 2TDEA, 3TDEA, AES"), + arg_str0("k", "key", "", "Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)"), + arg_str0("f", "kdf", "", "Key Derivation Function (KDF): None, AN10922, Gallagher"), + arg_str0("i", "kdfi", "", "KDF input (HEX 1-31 bytes)"), + arg_str0("m", "cmode", "", "Communicaton mode: plain/mac/encrypt"), + arg_str0("c", "ccset", "", "Communicaton command set: native/niso/iso"), + arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), + arg_str0(NULL, "aid", "", "Application ID (3 hex bytes, big endian)"), + arg_str0("d", "data", "", "Key settings (HEX 1 byte)"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, true); + + bool APDULogging = arg_get_lit(ctx, 1); + bool verbose = arg_get_lit(ctx, 2); + + DesfireContext dctx; + int securechann = DCMPlain; + uint32_t appid = 0x000000; + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, &appid); + if (res) { + CLIParserFree(ctx); + return res; + } + + uint32_t ksett32 = 0; + res = arg_get_u32_hexstr_def_nlen(ctx, 12, 0x000000, &ksett32, 1, false); + if (res == 0) + return PM3_ESOFT; + if (res == 2) { + PrintAndLogEx(ERR, "Key settings must have 1 byte length"); + return PM3_EINVARG; + } + + SetAPDULogging(APDULogging); + CLIParserFree(ctx); + + if (verbose) { + DesfirePrintContext(&dctx); + PrintAndLogEx(SUCCESS, "\nNew key settings:"); + PrintKeySettings(ksett32, 0, (appid != 0x000000), false); + } + + res = DesfireSelectAIDHex(&dctx, appid, false, 0); + if (res != PM3_SUCCESS) { + PrintAndLogEx(ERR, "Desfire select " _RED_("error") "."); + DropField(); + return PM3_ESOFT; + } + + res = DesfireAuthenticate(&dctx, securechann); + if (res != PM3_SUCCESS) { + PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: %d", res); + DropField(); + return PM3_ESOFT; + } + + if (DesfireIsAuthenticated(&dctx)) { + if (verbose) + PrintAndLogEx(ERR, "Desfire " _GREEN_("authenticated")); + } else { + return PM3_ESOFT; + } + + + + return PM3_SUCCESS; } @@ -5167,7 +5245,8 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfdes getkeysetings", "Get key settings for card level or application level.", - "hf mfdes getkeysetings -> execute with default factory setup"); + "hf mfdes getkeysetings -> get picc key settings with default key/channel setup\n"\ + "hf mfdes getkeysetings --aid 123456 -> get app 123456 key settings with default key/channel setup"); void *argtable[] = { arg_param_begin, @@ -5245,7 +5324,7 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { } PrintAndLogEx(INFO, "----------------------- " _CYAN_("Key settings") " -----------------------"); - PrintKeySettings(buf[0], buf[1], (appid != 0x000000)); + PrintKeySettings(buf[0], buf[1], (appid != 0x000000), true); if (buflen > 2) PrintAndLogEx(INFO, "ak ver: %d", buf[2]); if (buflen > 3) diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 3d09fc58a..29454e018 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -980,7 +980,7 @@ static void PrintKeyType(uint8_t keytype) { } } -static void PrintKeySettingsPICC(uint8_t keysettings, uint8_t numkeys) { +static void PrintKeySettingsPICC(uint8_t keysettings, uint8_t numkeys, bool print2ndbyte) { PrintAndLogEx(SUCCESS, "PICC level rights:"); PrintAndLogEx(SUCCESS, "[%c...] CMK Configuration changeable : %s", (keysettings & (1 << 3)) ? '1' : '0', (keysettings & (1 << 3)) ? _GREEN_("YES") : "NO (frozen)"); PrintAndLogEx(SUCCESS, "[.%c..] CMK required for create/delete : %s", (keysettings & (1 << 2)) ? '1' : '0', (keysettings & (1 << 2)) ? _GREEN_("NO") : "YES"); @@ -988,10 +988,11 @@ static void PrintKeySettingsPICC(uint8_t keysettings, uint8_t numkeys) { PrintAndLogEx(SUCCESS, "[...%c] CMK is changeable : %s", (keysettings & (1 << 0)) ? '1' : '0', (keysettings & (1 << 0)) ? _GREEN_("YES") : "NO (frozen)"); PrintAndLogEx(SUCCESS, ""); - PrintAndLogEx(SUCCESS, "key count: %d", numkeys & 0x0f); + if (print2ndbyte) + PrintAndLogEx(SUCCESS, "key count: %d", numkeys & 0x0f); } -static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys) { +static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys, bool print2ndbyte) { // Access rights. PrintAndLogEx(SUCCESS, "Application level rights:"); uint8_t rights = ((keysettings >> 4) & 0x0F); @@ -1020,13 +1021,15 @@ static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys) { PrintAndLogEx(SUCCESS, "[...%c] AMK is changeable : %s", (keysettings & (1 << 0)) ? '1' : '0', (keysettings & (1 << 0)) ? _GREEN_("YES") : "NO (frozen)"); PrintAndLogEx(SUCCESS, ""); - PrintKeyType(numkeys >> 6); - PrintAndLogEx(SUCCESS, "key count: %d", numkeys & 0x0f); + if (print2ndbyte) { + PrintKeyType(numkeys >> 6); + PrintAndLogEx(SUCCESS, "key count: %d", numkeys & 0x0f); + } } -void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel) { +void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel, bool print2ndbyte) { if (applevel) - PrintKeySettingsApp(keysettings, numkeys); + PrintKeySettingsApp(keysettings, numkeys, print2ndbyte); else - PrintKeySettingsPICC(keysettings, numkeys); + PrintKeySettingsPICC(keysettings, numkeys, print2ndbyte); } diff --git a/client/src/mifare/desfirecore.h b/client/src/mifare/desfirecore.h index 8943fd971..bdabc11fd 100644 --- a/client/src/mifare/desfirecore.h +++ b/client/src/mifare/desfirecore.h @@ -49,6 +49,6 @@ int DesfireDeleteApplication(DesfireContext *dctx, uint32_t aid); int DesfireGetKeyVersion(DesfireContext *dctx, uint8_t *resp, size_t *resplen); int DesfireGetKeySettings(DesfireContext *dctx, uint8_t *resp, size_t *resplen); int DesfireChangeKeySettings(DesfireContext *dctx, uint8_t *data, size_t len); -void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel); +void PrintKeySettings(uint8_t keysettings, uint8_t numkeys, bool applevel, bool print2ndbyte); #endif // __DESFIRECORE_H From 3f7f343f6fd2359faa8c46286ce333d673731579 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 10 Jul 2021 16:11:44 +0300 Subject: [PATCH 10/14] DesfireChangeKeySettings works --- client/src/cmdhfmfdes.c | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 2f11f2f5b..6f63e7a5b 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5229,14 +5229,20 @@ static int CmdHF14ADesChKeySettings(const char *Cmd) { if (DesfireIsAuthenticated(&dctx)) { if (verbose) - PrintAndLogEx(ERR, "Desfire " _GREEN_("authenticated")); + PrintAndLogEx(INFO, "Desfire " _GREEN_("authenticated")); } else { return PM3_ESOFT; } + uint8_t keysett = ksett32 & 0x0f; + res = DesfireChangeKeySettings(&dctx, &keysett, 1); + if (res != PM3_SUCCESS) { + PrintAndLogEx(ERR, "Desfire DesfireChangeKeySettings command " _RED_("error") ". Result: %d", res); + DropField(); + return PM3_ESOFT; + } - - + PrintAndLogEx(INFO, "Key settings " _GREEN_("changed")); return PM3_SUCCESS; } @@ -5299,7 +5305,7 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { if (DesfireIsAuthenticated(&dctx)) { if (verbose) - PrintAndLogEx(ERR, "Desfire " _GREEN_("authenticated")); + PrintAndLogEx(INFO, "Desfire " _GREEN_("authenticated")); } else { return PM3_ESOFT; } @@ -5334,20 +5340,6 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { if (buflen > 5) PrintAndLogEx(INFO, "app key settings: 0x%02x", buf[5]); - - - /*if (buflen > 0) { - PrintAndLogEx(INFO, "----------------------- " _CYAN_("File list") " -----------------------"); - for (int i = 0; i < buflen; i++) - PrintAndLogEx(INFO, "AID: %06x ISO file id: %02x%02x ISO DF name[%" PRIu32 "]: %s", - DesfireAIDByteToUint(&buf[i * 24 + 1]), - buf[i * 24 + 1 + 3], buf[i * 24 + 1 + 4], - strlen((char *)&buf[i * 24 + 1 + 5]), - &buf[i * 24 + 1 + 5]); - } else { - PrintAndLogEx(INFO, "There is no applications on the card"); - }*/ - DropField(); return PM3_SUCCESS; } @@ -5407,7 +5399,7 @@ static int CmdHF14ADesGetAIDs(const char *Cmd) { if (DesfireIsAuthenticated(&dctx)) { if (verbose) - PrintAndLogEx(ERR, "Desfire " _GREEN_("authenticated")); + PrintAndLogEx(INFO, "Desfire " _GREEN_("authenticated")); } else { return PM3_ESOFT; } @@ -5489,7 +5481,7 @@ static int CmdHF14ADesGetAppNames(const char *Cmd) { if (DesfireIsAuthenticated(&dctx)) { if (verbose) - PrintAndLogEx(ERR, "Desfire " _GREEN_("authenticated")); + PrintAndLogEx(INFO, "Desfire " _GREEN_("authenticated")); } else { return PM3_ESOFT; } From d8a8c015bcfe7a4368671f05361511b3e9b24d2d Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sun, 11 Jul 2021 18:14:27 +0300 Subject: [PATCH 11/14] channel d40/encode works --- client/src/cmdhfmfdes.c | 5 ++++- client/src/mifare/desfirecrypto.c | 9 ++++++--- client/src/mifare/desfiresecurechan.c | 22 ++++++++++++++-------- 3 files changed, 24 insertions(+), 12 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 6f63e7a5b..88152b932 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5029,6 +5029,8 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct int commmode = defaultCommMode; int commset = defaultCommSet; int secchann = defaultSecureChannel; + if (securechannel) + secchann = *securechannel; if (keynoid) { keynum = arg_get_int_def(ctx, keynoid, keynum); @@ -5079,6 +5081,7 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct } if (schannid) { + if (CLIGetOptionList(arg_get_str(ctx, schannid), DesfireSecureChannelOpts, &secchann)) return PM3_ESOFT; } @@ -5187,7 +5190,7 @@ static int CmdHF14ADesChKeySettings(const char *Cmd) { bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = DCMPlain; + int securechann = DCMEncrypted; uint32_t appid = 0x000000; int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, &appid); if (res) { diff --git a/client/src/mifare/desfirecrypto.c b/client/src/mifare/desfirecrypto.c index 04c6d7dfb..d3955f92d 100644 --- a/client/src/mifare/desfirecrypto.c +++ b/client/src/mifare/desfirecrypto.c @@ -215,8 +215,11 @@ void DesfireCryptoEncDecEx(DesfireContext *ctx, bool use_session_key, uint8_t *s uint8_t data[1024] = {0}; uint8_t xiv[DESFIRE_MAX_CRYPTO_BLOCK_SIZE] = {0}; - if (ctx->secureChannel == DACd40) + bool xencode = encode; + if (ctx->secureChannel == DACd40) { memset(ctx->IV, 0, DESFIRE_MAX_CRYPTO_BLOCK_SIZE); + xencode = false; + } size_t block_size = desfire_get_key_block_length(ctx->keyType); @@ -228,9 +231,9 @@ void DesfireCryptoEncDecEx(DesfireContext *ctx, bool use_session_key, uint8_t *s size_t offset = 0; while (offset < srcdatalen) { if (use_session_key) - DesfireCryptoEncDecSingleBlock(ctx->sessionKeyMAC, ctx->keyType, srcdata + offset, data + offset, xiv, encode, encode); + DesfireCryptoEncDecSingleBlock(ctx->sessionKeyMAC, ctx->keyType, srcdata + offset, data + offset, xiv, encode, xencode); else - DesfireCryptoEncDecSingleBlock(ctx->key, ctx->keyType, srcdata + offset, data + offset, xiv, encode, encode); + DesfireCryptoEncDecSingleBlock(ctx->key, ctx->keyType, srcdata + offset, data + offset, xiv, encode, xencode); offset += block_size; } diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index 607a42f25..4104b32ef 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -46,6 +46,7 @@ AllowedChannelModesS AllowedChannelModes[] = { {MFDES_COMMIT_READER_ID, DACd40, DCCNative, DCMMACed}, {MFDES_GET_UID, DACd40, DCCNative, DCMEncrypted}, + {MFDES_CHANGE_KEY_SETTINGS, DACd40, DCCNative, DCMEncrypted}, {MFDES_READ_DATA, DACd40, DCCNative, DCMEncrypted}, {MFDES_WRITE_DATA, DACd40, DCCNative, DCMEncrypted}, @@ -56,6 +57,7 @@ AllowedChannelModesS AllowedChannelModes[] = { {MFDES_GET_KEY_SETTINGS, DACEV1, DCCNative, DCMMACed}, {MFDES_GET_UID, DACEV1, DCCNative, DCMEncrypted}, + {MFDES_CHANGE_KEY_SETTINGS, DACEV1, DCCNative, DCMEncrypted}, }; static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint8_t *srcdata, size_t srcdatalen, uint8_t *dstdata, size_t *dstdatalen) { @@ -74,10 +76,9 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint if (srcdatalen == 0) break; - rlen = padded_data_length(srcdatalen, desfire_get_key_block_length(ctx->keyType)); + rlen = srcdatalen + DesfireGetMACLength(ctx); memcpy(data, srcdata, srcdatalen); - memset(ctx->IV, 0, sizeof(ctx->IV)); - DesfireCryptoEncDec(ctx, true, data, rlen, NULL, true); + DesfireCryptoEncDec(ctx, true, data, srcdatalen, NULL, true); memcpy(dstdata, srcdata, srcdatalen); memcpy(&dstdata[srcdatalen], ctx->IV, 4); *dstdatalen = rlen; @@ -89,7 +90,6 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint rlen = padded_data_length(srcdatalen + 2, desfire_get_key_block_length(ctx->keyType)); // 2 - crc16 memcpy(data, srcdata, srcdatalen); compute_crc(CRC_14443_A, data, srcdatalen, &data[srcdatalen], &data[srcdatalen + 1]); - memset(ctx->IV, 0, sizeof(ctx->IV)); DesfireCryptoEncDec(ctx, true, data, rlen, dstdata, true); *dstdatalen = rlen; break; @@ -100,7 +100,8 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint8_t *srcdata, size_t srcdatalen, uint8_t *dstdata, size_t *dstdatalen) { uint8_t data[1024] = {0}; - + size_t rlen = 0; + // we calc MAC anyway // if encypted channel and no data - we only calc MAC if (ctx->commMode == DCMPlain || ctx->commMode == DCMMACed || (ctx->commMode == DCMEncrypted && srcdatalen == 0)) { @@ -110,14 +111,19 @@ static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint DesfireCryptoCMAC(ctx, data, srcdatalen + 1, cmac); memcpy(dstdata, srcdata, srcdatalen); + *dstdatalen = srcdatalen; if (srcdatalen != 0 && ctx->commMode == DCMMACed) { memcpy(&dstdata[srcdatalen], cmac, DesfireGetMACLength(ctx)); *dstdatalen = srcdatalen + DesfireGetMACLength(ctx); } } else if (ctx->commMode == DCMEncrypted) { - - - + rlen = padded_data_length(srcdatalen + 4, desfire_get_key_block_length(ctx->keyType)); + memcpy(data, srcdata, srcdatalen); + desfire_crc32_append(data, srcdatalen); + PrintAndLogEx(INFO, "decoded[%d]: %s", rlen, sprint_hex(data, rlen)); + DesfireCryptoEncDec(ctx, true, data, rlen, dstdata, true); + + *dstdatalen = rlen; } else { memcpy(dstdata, srcdata, srcdatalen); *dstdatalen = srcdatalen; From cc3883a770c9597e155dd80a64a06820727f9534 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sun, 11 Jul 2021 18:27:29 +0300 Subject: [PATCH 12/14] ev1/enc tx side works --- client/src/mifare/desfiresecurechan.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index 4104b32ef..a56af3493 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -118,10 +118,11 @@ static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint } } else if (ctx->commMode == DCMEncrypted) { rlen = padded_data_length(srcdatalen + 4, desfire_get_key_block_length(ctx->keyType)); - memcpy(data, srcdata, srcdatalen); - desfire_crc32_append(data, srcdatalen); - PrintAndLogEx(INFO, "decoded[%d]: %s", rlen, sprint_hex(data, rlen)); - DesfireCryptoEncDec(ctx, true, data, rlen, dstdata, true); + data[0] = cmd; + memcpy(&data[1], srcdata, srcdatalen); + desfire_crc32_append(data, srcdatalen + 1); + + DesfireCryptoEncDec(ctx, true, &data[1], rlen, dstdata, true); *dstdatalen = rlen; } else { From e4bdecf30ecaff4581bad90df274544fbf59579d Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sun, 11 Jul 2021 18:57:44 +0300 Subject: [PATCH 13/14] style --- client/src/mifare/desfirecore.c | 30 ++++++++++++------------- client/src/mifare/desfiresecurechan.c | 32 +++++++++++++-------------- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 29454e018..26c21494f 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -523,7 +523,7 @@ static void DesfireSplitBytesToBlock(uint8_t *blockdata, size_t *blockdatacount, int DesfireExchangeEx(bool activate_field, DesfireContext *ctx, uint8_t cmd, uint8_t *data, size_t datalen, uint8_t *respcode, uint8_t *resp, size_t *resplen, bool enable_chaining, size_t splitbysize) { int res = PM3_SUCCESS; - + if (!PrintChannelModeWarning(cmd, ctx->secureChannel, ctx->cmdSet, ctx->commMode)) DesfirePrintContext(ctx); @@ -964,19 +964,19 @@ int DesfireChangeKeySettings(DesfireContext *dctx, uint8_t *data, size_t len) { } static void PrintKeyType(uint8_t keytype) { - switch(keytype) { - case 00: - PrintAndLogEx(SUCCESS, "Key: 2TDEA"); - break; - case 01: - PrintAndLogEx(SUCCESS, "Key: 3TDEA"); - break; - case 02: - PrintAndLogEx(SUCCESS, "Key: AES"); - break; - default: - PrintAndLogEx(SUCCESS, "Key: unknown: 0x%02x", keytype); - break; + switch (keytype) { + case 00: + PrintAndLogEx(SUCCESS, "Key: 2TDEA"); + break; + case 01: + PrintAndLogEx(SUCCESS, "Key: 3TDEA"); + break; + case 02: + PrintAndLogEx(SUCCESS, "Key: AES"); + break; + default: + PrintAndLogEx(SUCCESS, "Key: unknown: 0x%02x", keytype); + break; } } @@ -1014,7 +1014,7 @@ static void PrintKeySettingsApp(uint8_t keysettings, uint8_t numkeys, bool print ); break; } - + PrintAndLogEx(SUCCESS, "[%c...] AMK Configuration changeable : %s", (keysettings & (1 << 3)) ? '1' : '0', (keysettings & (1 << 3)) ? _GREEN_("YES") : "NO (frozen)"); PrintAndLogEx(SUCCESS, "[.%c..] AMK required for create/delete : %s", (keysettings & (1 << 2)) ? '1' : '0', (keysettings & (1 << 2)) ? "NO" : "YES"); PrintAndLogEx(SUCCESS, "[..%c.] Directory list access with AMK : %s", (keysettings & (1 << 1)) ? '1' : '0', (keysettings & (1 << 1)) ? "NO" : "YES"); diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index a56af3493..ce24b22d2 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -101,7 +101,7 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint8_t *srcdata, size_t srcdatalen, uint8_t *dstdata, size_t *dstdatalen) { uint8_t data[1024] = {0}; size_t rlen = 0; - + // we calc MAC anyway // if encypted channel and no data - we only calc MAC if (ctx->commMode == DCMPlain || ctx->commMode == DCMMACed || (ctx->commMode == DCMEncrypted && srcdatalen == 0)) { @@ -121,9 +121,9 @@ static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint data[0] = cmd; memcpy(&data[1], srcdata, srcdatalen); desfire_crc32_append(data, srcdatalen + 1); - + DesfireCryptoEncDec(ctx, true, &data[1], rlen, dstdata, true); - + *dstdatalen = rlen; } else { memcpy(dstdata, srcdata, srcdatalen); @@ -256,38 +256,38 @@ bool PrintChannelModeWarning(uint8_t cmd, DesfireSecureChannel secureChannel, De PrintAndLogEx(WARNING, "Communication mode can't be NONE. command: %02x", cmd); return false; } - + // no security set if (secureChannel == DACNone) return true; - + bool found = false; for (int i = 0; i < ARRAY_LENGTH(AllowedChannelModes); i++) if (AllowedChannelModes[i].cmd == cmd) { // full compare - if (AllowedChannelModes[i].secureChannel == secureChannel && - (AllowedChannelModes[i].cmdSet == cmdSet || (AllowedChannelModes[i].cmdSet == DCCNative && cmdSet == DCCNativeISO)) && - AllowedChannelModes[i].commMode == commMode){ + if (AllowedChannelModes[i].secureChannel == secureChannel && + (AllowedChannelModes[i].cmdSet == cmdSet || (AllowedChannelModes[i].cmdSet == DCCNative && cmdSet == DCCNativeISO)) && + AllowedChannelModes[i].commMode == commMode) { found = true; break; } - + // ev1 plain and mac are the same - if (AllowedChannelModes[i].secureChannel == secureChannel && - AllowedChannelModes[i].secureChannel == DACEV1 && - (AllowedChannelModes[i].cmdSet == cmdSet || (AllowedChannelModes[i].cmdSet == DCCNative && cmdSet == DCCNativeISO)) && - (commMode == DCMPlain || commMode == DCMMACed)){ + if (AllowedChannelModes[i].secureChannel == secureChannel && + AllowedChannelModes[i].secureChannel == DACEV1 && + (AllowedChannelModes[i].cmdSet == cmdSet || (AllowedChannelModes[i].cmdSet == DCCNative && cmdSet == DCCNativeISO)) && + (commMode == DCMPlain || commMode == DCMMACed)) { found = true; break; } - + } - + if (!found) PrintAndLogEx(WARNING, "Wrong communication mode. Check settings. command: %02x", cmd); - + return found; } From 88e573d0720cab89cdc4e22c4fc6b336d6803b86 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sun, 11 Jul 2021 18:58:26 +0300 Subject: [PATCH 14/14] add default channel settings to commands --- client/src/cmdhfmfdes.c | 49 +++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 88152b932..679619d10 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -5016,6 +5016,7 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct uint8_t cmodeid, uint8_t ccsetid, uint8_t schannid, uint8_t appid, int *securechannel, + DesfireCommunicationMode defcommmode, uint32_t *aid) { uint8_t keynum = defaultKeyNum; @@ -5027,10 +5028,10 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct uint8_t kdfInput[50] = {0}; memcpy(kdfInput, defaultKdfInput, defaultKdfInputLen); int commmode = defaultCommMode; + if (defcommmode != DCMNone) + commmode = defcommmode; int commset = defaultCommSet; int secchann = defaultSecureChannel; - if (securechannel) - secchann = *securechannel; if (keynoid) { keynum = arg_get_int_def(ctx, keynoid, keynum); @@ -5081,11 +5082,11 @@ static int CmdDesGetSessionParameters(CLIParserContext *ctx, DesfireContext *dct } if (schannid) { - + if (CLIGetOptionList(arg_get_str(ctx, schannid), DesfireSecureChannelOpts, &secchann)) return PM3_ESOFT; } - + if (appid && aid) { *aid = 0x000000; int res = arg_get_u32_hexstr_def_nlen(ctx, appid, 0x000000, aid, 3, true); @@ -5129,7 +5130,7 @@ static int CmdHF14ADesDefault(const char *Cmd) { DesfireContext dctx; int securechann = defaultSecureChannel; - int res = CmdDesGetSessionParameters(ctx, &dctx, 1, 2, 3, 4, 5, 6, 7, 8, 0, &securechann, NULL); + int res = CmdDesGetSessionParameters(ctx, &dctx, 1, 2, 3, 4, 5, 6, 7, 8, 0, &securechann, DCMNone, NULL); if (res) { CLIParserFree(ctx); return res; @@ -5190,9 +5191,9 @@ static int CmdHF14ADesChKeySettings(const char *Cmd) { bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = DCMEncrypted; + int securechann = defaultSecureChannel; uint32_t appid = 0x000000; - int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, &appid); + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, DCMEncrypted, &appid); if (res) { CLIParserFree(ctx); return res; @@ -5211,9 +5212,9 @@ static int CmdHF14ADesChKeySettings(const char *Cmd) { CLIParserFree(ctx); if (verbose) { - DesfirePrintContext(&dctx); - PrintAndLogEx(SUCCESS, "\nNew key settings:"); - PrintKeySettings(ksett32, 0, (appid != 0x000000), false); + DesfirePrintContext(&dctx); + PrintAndLogEx(SUCCESS, "\nNew key settings:"); + PrintKeySettings(ksett32, 0, (appid != 0x000000), false); } res = DesfireSelectAIDHex(&dctx, appid, false, 0); @@ -5246,7 +5247,7 @@ static int CmdHF14ADesChKeySettings(const char *Cmd) { } PrintAndLogEx(INFO, "Key settings " _GREEN_("changed")); - + return PM3_SUCCESS; } @@ -5272,15 +5273,15 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { arg_str0(NULL, "aid", "", "Application ID (3 hex bytes, big endian)"), arg_param_end }; - CLIExecWithReturn(ctx, Cmd, argtable, false); + CLIExecWithReturn(ctx, Cmd, argtable, true); bool APDULogging = arg_get_lit(ctx, 1); bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = DCMPlain; + int securechann = defaultSecureChannel; uint32_t appid = 0x000000; - int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, &appid); + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, DCMMACed, &appid); if (res) { CLIParserFree(ctx); return res; @@ -5322,10 +5323,10 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { DropField(); return PM3_ESOFT; } - + if (verbose) PrintAndLogEx(INFO, "DesfireGetKeySettings[%d]: %s", buflen, sprint_hex(buf, buflen)); - + if (buflen < 2) { PrintAndLogEx(ERR, "Command DesfireGetKeySettings returned wrong length: %d", buflen); DropField(); @@ -5342,7 +5343,7 @@ static int CmdHF14ADesGetKeySettings(const char *Cmd) { PrintAndLogEx(INFO, "max keysize: %d", buf[4]); if (buflen > 5) PrintAndLogEx(INFO, "app key settings: 0x%02x", buf[5]); - + DropField(); return PM3_SUCCESS; } @@ -5367,14 +5368,14 @@ static int CmdHF14ADesGetAIDs(const char *Cmd) { arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), arg_param_end }; - CLIExecWithReturn(ctx, Cmd, argtable, false); + CLIExecWithReturn(ctx, Cmd, argtable, true); bool APDULogging = arg_get_lit(ctx, 1); bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = DCMPlain; - int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 0, &securechann, NULL); + int securechann = defaultSecureChannel; + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 0, &securechann, DCMMACed, NULL); if (res) { CLIParserFree(ctx); return res; @@ -5393,7 +5394,7 @@ static int CmdHF14ADesGetAIDs(const char *Cmd) { return PM3_ESOFT; } - res = DesfireAuthenticate(&dctx, securechann); //DACd40 DACEV1 + res = DesfireAuthenticate(&dctx, securechann); if (res != PM3_SUCCESS) { PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: %d", res); DropField(); @@ -5449,14 +5450,14 @@ static int CmdHF14ADesGetAppNames(const char *Cmd) { arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), arg_param_end }; - CLIExecWithReturn(ctx, Cmd, argtable, false); + CLIExecWithReturn(ctx, Cmd, argtable, true); bool APDULogging = arg_get_lit(ctx, 1); bool verbose = arg_get_lit(ctx, 2); DesfireContext dctx; - int securechann = DCMPlain; - int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 0, &securechann, NULL); + int securechann = defaultSecureChannel; + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 0, &securechann, DCMMACed, NULL); if (res) { CLIParserFree(ctx); return res;