github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-23 14:45:37 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

emrtd: Code cleanup, impl PRNG

Browse source
This commit is contained in:
Ave 2020-12-14 17:26:47 +03:00
commit 1e16b2d2d9
1 changed files with 20 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

37
client/src/cmdhfemrtd.c
View file

@ -26,6 +26,9 @@
#include "des.h" // mbedtls_des_key_set_parity #include "des.h" // mbedtls_des_key_set_parity
#include "cmdhf14b.h" // exchange_14b_apdu #include "cmdhf14b.h" // exchange_14b_apdu
#include "iso14b.h" // ISO14B_CONNECT etc #include "iso14b.h" // ISO14B_CONNECT etc
#include "crapto1/crapto1.h" // prng_successor
#include "commonutil.h" // num_to_bytes
#include "util_posix.h" // msclock
#define TIMEOUT 2000 #define TIMEOUT 2000
@ -62,6 +65,9 @@
// App IDs // App IDs
#define AID_MRTD "A0000002471001" #define AID_MRTD "A0000002471001"
uint8_t KENC_type[4] = {0x00, 0x00, 0x00, 0x01};
uint8_t KMAC_type[4] = {0x00, 0x00, 0x00, 0x02};
static int CmdHelp(const char *Cmd); static int CmdHelp(const char *Cmd);
static uint16_t get_sw(uint8_t *d, uint8_t n) { static uint16_t get_sw(uint8_t *d, uint8_t n) {
@ -481,16 +487,9 @@ static bool _secure_read_binary(uint8_t *kmac, uint8_t *ssc, int offset, int byt
PrintAndLogEx(DEBUG, "kmac: %s", sprint_hex_inrow(kmac, 20)); PrintAndLogEx(DEBUG, "kmac: %s", sprint_hex_inrow(kmac, 20));
// TODO: hacky // Set p1 and p2
char offsethex[5]; temp[2] = (uint8_t)(offset >> 8);
sprintf(offsethex, "%04X", offset); temp[3] = (uint8_t)(offset >> 0);
char offsetbuffer[8];
memcpy(offsetbuffer, offsethex, 2);
int p1 = (int)strtol(offsetbuffer, NULL, 16);
memcpy(offsetbuffer, offsethex + 2, 2);
int p2 = (int)strtol(offsetbuffer, NULL, 16);
temp[2] = p1;
temp[3] = p2;
int cmdlen = pad_block(temp, 4, cmd); int cmdlen = pad_block(temp, 4, cmd);
PrintAndLogEx(DEBUG, "cmd: %s", sprint_hex_inrow(cmd, cmdlen)); PrintAndLogEx(DEBUG, "cmd: %s", sprint_hex_inrow(cmd, cmdlen));
@ -523,7 +522,7 @@ static bool _secure_read_binary(uint8_t *kmac, uint8_t *ssc, int offset, int byt
memcpy(data + 3, do8e, 10); memcpy(data + 3, do8e, 10);
PrintAndLogEx(DEBUG, "data: %s", sprint_hex_inrow(data, lc)); PrintAndLogEx(DEBUG, "data: %s", sprint_hex_inrow(data, lc));
sprintf(command, "0C%s%02X%02X%02X%s00", READ_BINARY, p1, p2, lc, sprint_hex_inrow(data, lc)); sprintf(command, "0C%s%04X%02X%s00", READ_BINARY, offset, lc, sprint_hex_inrow(data, lc));
PrintAndLogEx(DEBUG, "command: %s", command); PrintAndLogEx(DEBUG, "command: %s", command);
if (exchange_commands(command, dataout, dataoutlen, false, true, use_14b) == false) { if (exchange_commands(command, dataout, dataoutlen, false, true, use_14b) == false) {
@ -727,6 +726,13 @@ static bool dump_file(uint8_t *ks_enc, uint8_t *ks_mac, uint8_t *ssc, const char
return true; return true;
} }
static void rng(int length, uint8_t *dataout) {
// Do very very secure prng operations
for (int i = 0; i < (length / 4); i++) {
num_to_bytes(prng_successor(msclock() + i, 32), 4, &dataout[i * 4]);
}
}
int dumpHF_EMRTD(char *documentnumber, char *dob, char *expiry) { int dumpHF_EMRTD(char *documentnumber, char *dob, char *expiry) {
uint8_t response[25000]; uint8_t response[25000];
uint8_t rnd_ic[8]; uint8_t rnd_ic[8];
@ -735,12 +741,9 @@ int dumpHF_EMRTD(char *documentnumber, char *dob, char *expiry) {
int resplen = 0; int resplen = 0;
// bool BAC = true; // bool BAC = true;
uint8_t S[32]; uint8_t S[32];
// TODO: Code sponsored jointly by duracell and sony uint8_t rnd_ifd[8], k_ifd[16];
uint8_t rnd_ifd[8] = {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA}; rng(8, rnd_ifd);
uint8_t k_ifd[16] = {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA}; rng(16, k_ifd);
// TODO: get these _types into a better spot
uint8_t KENC_type[4] = {0x00, 0x00, 0x00, 0x01};
uint8_t KMAC_type[4] = {0x00, 0x00, 0x00, 0x02};
bool use_14b = false; bool use_14b = false;