CHG: the "HF MFU" authentication changes.

CHG: name change from "hf 14a snoop" -> "hf 14a sniff"..
2025-08-20 13:23:51 -07:00 · 2015-05-16 15:34:01 +02:00 · 2015-05-16 15:34:01 +02:00 · 4d2e4eea58
commit 4d2e4eea58
parent 9926d131c4
5 changed files with 172 additions and 203 deletions
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@ -802,7 +802,7 @@ void UsbPacketReceived(uint8_t *packet, int len)

 #ifdef WITH_ISO14443a
 		case CMD_SNOOP_ISO_14443a:
-			SnoopIso14443a(c->arg[0]);
+			SniffIso14443a(c->arg[0]);
 			break;
 		case CMD_READER_ISO_14443a:
 			ReaderIso14443a(c);
@ -828,11 +828,8 @@ void UsbPacketReceived(uint8_t *packet, int len)
 		case CMD_MIFAREU_READBL:
 			MifareUReadBlock(c->arg[0],c->arg[1], c->d.asBytes);
 			break;
-		case CMD_MIFAREUC_AUTH1:
-			MifareUC_Auth1(c->arg[0],c->d.asBytes);
-			break;
-		case CMD_MIFAREUC_AUTH2:
-			MifareUC_Auth2(c->arg[0],c->d.asBytes);
+		case CMD_MIFAREUC_AUTH:
+			MifareUC_Auth(c->arg[0],c->d.asBytes);
 			break;
 		case CMD_MIFAREU_READCARD:
 		case CMD_MIFAREUC_READCARD:
--- a/armsrc/apps.h
+++ b/armsrc/apps.h
@ -157,7 +157,7 @@ void RAMFUNC SnoopIso14443(void);
 void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);

 /// iso14443a.h
-void RAMFUNC SnoopIso14443a(uint8_t param);
+void RAMFUNC SniffIso14443a(uint8_t param);
 void SimulateIso14443aTag(int tagType, int uid_1st, int uid_2nd, byte_t* data);
 void ReaderIso14443a(UsbCommand * c);
 // Also used in iclass.c
@ -175,8 +175,7 @@ void ReaderMifare(bool first_try);
 int32_t dist_nt(uint32_t nt1, uint32_t nt2);
 void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
 void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
-void MifareUC_Auth1(uint8_t arg0, uint8_t *datain);
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain);
+void MifareUC_Auth(uint8_t arg0, uint8_t *datain);
 void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
 void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain);
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@ -16,8 +16,7 @@
 #include "mifarecmd.h"
 #include "apps.h"
 #include "util.h"
-//#include "../client/loclass/des.h"
-#include "des.h"
+
 #include "crc.h"

 //-----------------------------------------------------------------------------
@ -88,54 +87,32 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 }


-void MifareUC_Auth1(uint8_t arg0, uint8_t *datain){
+void MifareUC_Auth(uint8_t arg0, uint8_t *keybytes){

-	byte_t dataoutbuf[16] = {0x00};
-	uint8_t uid[10] = {0x00};
-	uint32_t cuid = 0x00;
+	bool turnOffField = (arg0 == 1);

 	LED_A_ON(); LED_B_OFF(); LED_C_OFF();
-    
 	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);

-	if(!iso14443a_select_card(uid, NULL, &cuid)) {
+	if(!iso14443a_select_card(NULL, NULL, NULL)) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");
 		OnError(0);
 		return;
 	};
 	
-	if(mifare_ultra_auth1(dataoutbuf)){
-		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part1: Fail.");
+	if(mifare_ultra_auth(keybytes) == 1){
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication failed");
 		OnError(1);
 		return;
 	}
    
-	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");
+	cmd_send(CMD_ACK,1,0,0,0,0);

-    cmd_send(CMD_ACK,1,cuid,0,dataoutbuf,11);
-	LEDsoff();
-}
-void MifareUC_Auth2(uint32_t arg0, uint8_t *datain){
-
-	uint8_t key[16] = {0x00};
-	byte_t dataoutbuf[16] = {0x00};
-    
-	memcpy(key, datain, 16);
-    
-	LED_A_ON();	LED_B_OFF(); LED_C_OFF();
-	
-	if(mifare_ultra_auth2(key, dataoutbuf)){
-	    if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Authentication part2: Fail...");
-		OnError(1);
-		return;			
+	if (turnOffField) {
+		FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+		LEDsoff();
 	}	
-	
-	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 2 FINISHED");
-    
-	cmd_send(CMD_ACK,1,0,0,dataoutbuf,11);
-	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-	LEDsoff();
 }

 // Arg0 = BlockNo,
@ -145,108 +122,42 @@ void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain)
 {
 	uint8_t blockNo = arg0;
 	byte_t dataout[16] = {0x00};
-	uint8_t uid[10] = {0x00};
-    bool usePwd = (arg1 == 1);
+	bool useKey = (arg1 == 1); //UL_C
+	bool usePwd = (arg1 == 2); //UL_EV1/NTAG

 	LEDsoff();	
 	LED_A_ON();    
 	clear_trace();
 	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
    
-	int len = iso14443a_select_card(uid, NULL, NULL);
+	int len = iso14443a_select_card(NULL, NULL, NULL);
 	if(!len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);
 		OnError(1);
 		return;
 	}
       
-	 // authenticate here.
-	if ( usePwd ) {
-
+	// UL-C authentication
+	if ( useKey ) {
 		uint8_t key[16] = {0x00};	
-		memcpy(key, datain, 16);
+		memcpy(key, datain, sizeof(key) );

-		uint8_t random_a[8] = {1,1,1,1,1,1,1,1 };
-		uint8_t random_b[8] = {0x00};
-		uint8_t enc_random_b[8] = {0x00};
-		uint8_t rnd_ab[16] = {0x00};
-		uint8_t IV[8] = {0x00};
-		
-		uint16_t len;
-		uint8_t receivedAnswer[MAX_FRAME_SIZE];
-		uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
-	
-		len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
-		if (len != 11) {
-			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
+		if ( mifare_ultra_auth(key)  == 1 )	{
 			OnError(1);
 			return;			
 		}
+	}
 	
-		// tag nonce.
-		memcpy(enc_random_b,receivedAnswer+1,8);
+	// UL-EV1 / NTAG authentication
+	if (usePwd) { 
+		uint8_t pwd[4] = {0x00};
+		memcpy(pwd, datain, 4);
+		uint8_t pack[4] = {0,0,0,0};

-		// decrypt nonce.
-		tdes_2key_dec(random_b, enc_random_b, sizeof(random_b), key, IV );
-		rol(random_b,8);
-		memcpy(rnd_ab  ,random_a,8);
-		memcpy(rnd_ab+8,random_b,8);
-
-		if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
-			Dbprintf("enc_B: %02x %02x %02x %02x %02x %02x %02x %02x",
-				enc_random_b[0],enc_random_b[1],enc_random_b[2],enc_random_b[3],
-				enc_random_b[4],enc_random_b[5],enc_random_b[6],enc_random_b[7]);
-				
-			Dbprintf("    B: %02x %02x %02x %02x %02x %02x %02x %02x",
-				random_b[0],random_b[1],random_b[2],random_b[3],
-				random_b[4],random_b[5],random_b[6],random_b[7]);
-
-			Dbprintf("rnd_ab: %02x %02x %02x %02x %02x %02x %02x %02x",
-					rnd_ab[0],rnd_ab[1],rnd_ab[2],rnd_ab[3],
-					rnd_ab[4],rnd_ab[5],rnd_ab[6],rnd_ab[7]);
-					
-			Dbprintf("rnd_ab: %02x %02x %02x %02x %02x %02x %02x %02x",
-					rnd_ab[8],rnd_ab[9],rnd_ab[10],rnd_ab[11],
-					rnd_ab[12],rnd_ab[13],rnd_ab[14],rnd_ab[15] );
-		}
-		
-		// encrypt    out, in, length, key, iv
-		tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);
-
-		
-		len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, receivedAnswer, receivedAnswerPar, NULL);
-		if (len != 11) {
-			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
+		if (mifare_ul_ev1_auth(pwd, pack) == 1){
 			OnError(1);
 			return;			
 		}
-
-		uint8_t enc_resp[8] = { 0 };
-		uint8_t resp_random_a[8] = { 0 };
-		memcpy(enc_resp, receivedAnswer+1, 8);
-	
-		// decrypt    out, in, length, key, iv 
-		tdes_2key_dec(resp_random_a, enc_resp, 8, key, enc_random_b);
-		if ( memcmp(resp_random_a, random_a, 8) != 0 )
-			Dbprintf("failed authentication");
-
-		if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
-			Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", 
-					rnd_ab[0],rnd_ab[1],rnd_ab[2],rnd_ab[3],
-					rnd_ab[4],rnd_ab[5],rnd_ab[6],rnd_ab[7]);
-
-			Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x",
-					rnd_ab[8],rnd_ab[9],rnd_ab[10],rnd_ab[11],
-					rnd_ab[12],rnd_ab[13],rnd_ab[14],rnd_ab[15]);
-
-			Dbprintf("a: %02x %02x %02x %02x %02x %02x %02x %02x",
-					random_a[0],random_a[1],random_a[2],random_a[3],
-					random_a[4],random_a[5],random_a[6],random_a[7]);
-					
-			Dbprintf("b: %02x %02x %02x %02x %02x %02x %02x %02x",
-					resp_random_a[0],resp_random_a[1],resp_random_a[2],resp_random_a[3],
-					resp_random_a[4],resp_random_a[5],resp_random_a[6],resp_random_a[7]);
-		}
 	}
 		
 	if( mifare_ultra_readblock(blockNo, dataout) ) {
@ -301,7 +212,6 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 		if (MF_DBGLEVEL >= 1)	Dbprintf("Can't select card");
 	}
 	
-	
 	if(isOK && mifare_classic_auth(pcs, cuid, FirstBlockOfSector(sectorNo), keyType, ui64Key, AUTH_FIRST)) {
 		isOK = 0;
 		if (MF_DBGLEVEL >= 1)	Dbprintf("Auth error");
@ -342,9 +252,10 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 	// params
 	uint8_t blockNo = arg0;
 	uint16_t blocks = arg1;
-	bool useKey = (arg2 == 1);
-	int countpages = 0;
-	uint8_t dataout[176] = {0x00};;
+	bool useKey = (arg2 == 1); //UL_C
+	bool usePwd = (arg2 == 2); //UL_EV1/NTAG
+	int countblocks = 0;
+	uint8_t dataout[176] = {0x00};

 	LEDsoff();
 	LED_A_ON(); 
@ -358,59 +269,30 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 		return;
 	}
 	
-	// authenticate
+	 // UL-C authentication
 	if ( useKey ) {
-		
 		uint8_t key[16] = {0x00};	
-		memcpy(key, datain, 16);
+		memcpy(key, datain, sizeof(key) );

-		uint8_t random_a[8] = {1,1,1,1,1,1,1,1 };
-		uint8_t random_b[8] = {0x00};
-		uint8_t enc_random_b[8] = {0x00};
-		uint8_t rnd_ab[16] = {0x00};
-		uint8_t IV[8] = {0x00};
-		
-		uint16_t len;
-		uint8_t receivedAnswer[MAX_FRAME_SIZE];
-		uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
-	
-		len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
-		if (len != 11) {
-			if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
+		if ( mifare_ultra_auth(key)  == 1 )	{
 			OnError(1);
 			return;			
 		}
+	}

-		// tag nonce.
-		memcpy(enc_random_b,receivedAnswer+1,8);
+	// UL-EV1 / NTAG authentication
+	if (usePwd) { 
+		uint8_t pwd[4] = {0x00};
+		memcpy(pwd, datain, sizeof(pwd));
+		uint8_t pack[4] = {0,0,0,0};

-		// decrypt nonce.
-		tdes_2key_dec(random_b, enc_random_b, sizeof(random_b), key, IV );
-		rol(random_b,8);
-		memcpy(rnd_ab  ,random_a,8);
-		memcpy(rnd_ab+8,random_b,8);
-	
-		// encrypt    out, in, length, key, iv
-		tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);
-
-		len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, receivedAnswer, receivedAnswerPar, NULL);
-		if (len != 11) {
+		if (mifare_ul_ev1_auth(pwd, pack) == 1){
 			OnError(1);
 			return;			
 		}
-
-		uint8_t enc_resp[8] = { 0 };
-		uint8_t resp_random_a[8] = { 0 };
-		memcpy(enc_resp, receivedAnswer+1, 8);
-	
-		// decrypt    out, in, length, key, iv 
-		tdes_2key_dec(resp_random_a, enc_resp, 8, key, enc_random_b);
-		if ( memcmp(resp_random_a, random_a, 8) != 0 )
-			Dbprintf("failed authentication");
 	}
 	
 	for (int i = 0; i < blocks; i++){
-	
 		len = mifare_ultra_readblock(blockNo * 4 + i, dataout + 4 * i);
 		
 		if (len) {
@ -418,17 +300,18 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
 			OnError(2);
 			return;
 		} else {
-			countpages++;
+			countblocks++;
 		}
 	}
 		
-	if (mifare_ultra_halt()) {
+	len = mifare_ultra_halt();
+	if (len) {
 		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Halt error");
 		OnError(3);
 		return;
 	}
 	
-	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("blocks read %d", countpages);
+	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) Dbprintf("Blocks read %d", countblocks);

 	len = blocks*4;

@ -509,6 +392,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 	LEDsoff();
 }

+
 void MifareUWriteBlock(uint8_t arg0, uint8_t *datain)
 {
    uint8_t blockNo = arg0;
--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@ -18,6 +18,7 @@
 #include "iso14443a.h"
 #include "crapto1.h"
 #include "mifareutil.h"
+#include "des.h"

 int MF_DBGLEVEL = MF_DBG_ALL;

@ -110,6 +111,27 @@ int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uin
 	return len;
 }

+int mifare_sendcmd_short_mfuev1auth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)
+{
+    uint8_t dcmd[7];
+	int len; 
+    dcmd[0] = cmd;
+    memcpy(dcmd+1,data,4);
+	AppendCrc14443a(dcmd, 5);
+	
+	ReaderTransmit(dcmd, sizeof(dcmd), timing);
+	len = ReaderReceive(answer, answer_parity);
+	if(!len) {
+        if (MF_DBGLEVEL >= MF_DBG_ERROR)   Dbprintf("Authentication failed. Card timeout.");
+        len = ReaderReceive(answer,answer_parity);
+    }
+    if(len==1)	{
+		if (MF_DBGLEVEL >= MF_DBG_ERROR)   Dbprintf("NAK - Authentication failed.");
+		return 1;
+        }
+	return len;
+}
+
 int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing)
 {
 	uint8_t dcmd[4], ecmd[4];
@ -288,47 +310,113 @@ int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blo
 }

 // mifare ultralight commands
-int mifare_ultra_auth1(uint8_t *blockData){
+int mifare_ul_ev1_auth(uint8_t *keybytes, uint8_t *pack){

 	uint16_t len;
-	uint8_t receivedAnswer[MAX_FRAME_SIZE];
-	uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
+	uint8_t resp[4];
+	uint8_t respPar[1];
+	uint8_t key[4] = {0x00};	
+	memcpy(key, keybytes, 4);
 	
-	len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, receivedAnswer,receivedAnswerPar ,NULL);
-	if (len != 11) {
-		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
+	Dbprintf("EV1 Auth : %02x%02x%02x%02x",	key[0], key[1], key[2], key[3]);
+	len = mifare_sendcmd_short_mfuev1auth(NULL, 0, 0x1B, key, resp, respPar, NULL);
+	if (len != 4) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x %u", resp[0], len);
+		OnError(1);
 		return 1;
 	}
 	
-	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
-		Dbprintf("Auth1 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-			receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],
-			receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],
-			receivedAnswer[10]);
-		}
-	memcpy(blockData, receivedAnswer, 11);
+	if (MF_DBGLEVEL >= MF_DBG_EXTENDED)
+		Dbprintf("Auth Resp: %02x%02x%02x%02x",	resp[0],resp[1],resp[2],resp[3]);
+	
+	memcpy(pack, resp, 4);
 	return 0;
 }

-int mifare_ultra_auth2(uint8_t *key, uint8_t *blockData){
+int mifare_ultra_auth(uint8_t *keybytes){
+
+	// 3des2k
+	uint8_t random_a[8] = {1,1,1,1,1,1,1,1};
+	uint8_t random_b[8] = {0x00};
+	uint8_t enc_random_b[8] = {0x00};
+	uint8_t rnd_ab[16] = {0x00};
+	uint8_t IV[8] = {0x00};
+	uint8_t key[16] = {0x00};	
+	memcpy(key, keybytes, 16);
 	
 	uint16_t len;
-	uint8_t receivedAnswer[MAX_FRAME_SIZE];
-	uint8_t receivedAnswerPar[MAX_PARITY_SIZE];
+	uint8_t resp[19] = {0x00};
+	uint8_t respPar[3] = {0,0,0};

-	len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, key, receivedAnswer, receivedAnswerPar, NULL);
+	// REQUEST AUTHENTICATION
+	len = mifare_sendcmd_short(NULL, 1, 0x1A, 0x00, resp, respPar ,NULL);
 	if (len != 11) {
-		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", receivedAnswer[0]);
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", resp[0]);
+		OnError(1);
+		return 1;
+	}
+
+	// tag nonce.
+	memcpy(enc_random_b,resp+1,8);
+
+	// decrypt nonce.
+	tdes_2key_dec(random_b, enc_random_b, sizeof(random_b), key, IV );
+	rol(random_b,8);
+	memcpy(rnd_ab  ,random_a,8);
+	memcpy(rnd_ab+8,random_b,8);
+	
+	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
+		Dbprintf("enc_B: %02x %02x %02x %02x %02x %02x %02x %02x",
+			enc_random_b[0],enc_random_b[1],enc_random_b[2],enc_random_b[3],enc_random_b[4],enc_random_b[5],enc_random_b[6],enc_random_b[7]);
+			
+		Dbprintf("    B: %02x %02x %02x %02x %02x %02x %02x %02x",
+			random_b[0],random_b[1],random_b[2],random_b[3],random_b[4],random_b[5],random_b[6],random_b[7]);
+
+		Dbprintf("rnd_ab: %02x %02x %02x %02x %02x %02x %02x %02x",
+				rnd_ab[0],rnd_ab[1],rnd_ab[2],rnd_ab[3],rnd_ab[4],rnd_ab[5],rnd_ab[6],rnd_ab[7]);
+				
+		Dbprintf("rnd_ab: %02x %02x %02x %02x %02x %02x %02x %02x",
+				rnd_ab[8],rnd_ab[9],rnd_ab[10],rnd_ab[11],rnd_ab[12],rnd_ab[13],rnd_ab[14],rnd_ab[15] );
+	}
+	
+	// encrypt    out, in, length, key, iv
+	tdes_2key_enc(rnd_ab, rnd_ab, sizeof(rnd_ab), key, enc_random_b);
+
+	len = mifare_sendcmd_short_mfucauth(NULL, 1, 0xAF, rnd_ab, resp, respPar, NULL);
+	if (len != 11) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Cmd Error: %02x", resp[0]);
+		OnError(1);
+		return 1;
+	}
+
+	uint8_t enc_resp[8] = { 0,0,0,0,0,0,0,0 };
+	uint8_t resp_random_a[8] = { 0,0,0,0,0,0,0,0 };
+	memcpy(enc_resp, resp+1, 8);
+	
+	// decrypt    out, in, length, key, iv 
+	tdes_2key_dec(resp_random_a, enc_resp, 8, key, enc_random_b);
+	if ( memcmp(resp_random_a, random_a, 8) != 0 ) {
+		if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("failed authentication");
 		return 1;
 	}	

 	if (MF_DBGLEVEL >= MF_DBG_EXTENDED) {
-		Dbprintf("Auth2 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-			receivedAnswer[0],receivedAnswer[1],receivedAnswer[2],receivedAnswer[3],receivedAnswer[4],
-			receivedAnswer[5],receivedAnswer[6],receivedAnswer[7],receivedAnswer[8],receivedAnswer[9],
-			receivedAnswer[10]);
+		Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x", 
+				rnd_ab[0],rnd_ab[1],rnd_ab[2],rnd_ab[3],
+				rnd_ab[4],rnd_ab[5],rnd_ab[6],rnd_ab[7]);
+
+		Dbprintf("e_AB: %02x %02x %02x %02x %02x %02x %02x %02x",
+				rnd_ab[8],rnd_ab[9],rnd_ab[10],rnd_ab[11],
+				rnd_ab[12],rnd_ab[13],rnd_ab[14],rnd_ab[15]);
+
+		Dbprintf("a: %02x %02x %02x %02x %02x %02x %02x %02x",
+				random_a[0],random_a[1],random_a[2],random_a[3],
+				random_a[4],random_a[5],random_a[6],random_a[7]);
+				
+		Dbprintf("b: %02x %02x %02x %02x %02x %02x %02x %02x",
+				resp_random_a[0],resp_random_a[1],resp_random_a[2],resp_random_a[3],
+				resp_random_a[4],resp_random_a[5],resp_random_a[6],resp_random_a[7]);
 	}
-	memcpy(blockData, receivedAnswer, 11);
 	return 0;
 }

--- a/armsrc/mifareutil.h
+++ b/armsrc/mifareutil.h
@ -57,13 +57,14 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd,
 int mifare_sendcmd_short_special(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);

 int mifare_sendcmd_short_mfucauth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing);
+int mifare_sendcmd_short_mfuev1auth(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t *data, uint8_t *answer, uint8_t *answer_parity, uint32_t *timing);
 int mifare_sendcmd_shortex(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd, uint8_t data, uint8_t* answer, uint8_t *answer_parity, uint32_t *timing);

 int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested);
 int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint8_t isNested, uint32_t * ntptr, uint32_t *timing);
 int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); 
-int mifare_ultra_auth1(uint8_t *blockData);
-int mifare_ultra_auth2(uint8_t *key, uint8_t *blockData);
+int mifare_ul_ev1_auth(uint8_t *key, uint8_t *pack);
+int mifare_ultra_auth(uint8_t *key);
 int mifare_ultra_readblock(uint8_t blockNo, uint8_t *blockData);
 int mifare_classic_writeblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData);
 int mifare_ultra_writeblock(uint8_t blockNo, uint8_t *blockData);