From 61f3ef61defb1bcc236fdfb576046d32dfbaec2f Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Tue, 7 Apr 2020 18:27:46 +0200 Subject: [PATCH 01/28] Fix issue #646 --- client/cmdhfmfdes.c | 1 + 1 file changed, 1 insertion(+) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 46e22f07d..52fa191cf 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -300,6 +300,7 @@ static int get_desfire_keyversion(uint8_t curr_key, uint8_t *num_versions) { static int get_desfire_select_application(uint8_t *aid) { if (aid == NULL) return PM3_ESOFT; + DropField(); uint8_t c[] = {SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a PacketResponseNG resp; int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); From 75943044a56b068be2535c219437c4fe5eeea7fb Mon Sep 17 00:00:00 2001 From: Uli Heilmeier Date: Tue, 7 Apr 2020 19:58:23 +0200 Subject: [PATCH 02/28] hf legic wrbl: fix Out-of-bounds check Check was off-by-one so that the last byte was not writable. --- client/cmdhflegic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index c6de1379d..901ec85d0 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -681,7 +681,7 @@ static int CmdLegicWrbl(const char *Cmd) { return PM3_EOUTOFBOUND; } - if (len + offset >= card.cardsize) { + if (len + offset > card.cardsize) { PrintAndLogEx(WARNING, "Out-of-bounds, Cardsize = %d, [offset+len = %d ]", card.cardsize, len + offset); return PM3_EOUTOFBOUND; } From 3833b8ee3b48f1c50fdbaaa47cd426ee41925534 Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Tue, 7 Apr 2020 21:30:12 +0200 Subject: [PATCH 03/28] Add Mifare Desfire GetDFNames and improve HF MFDES Enum output --- CHANGELOG.md | 2 ++ armsrc/desfire.h | 1 + client/cmdhflist.c | 3 +++ client/cmdhfmfdes.c | 63 ++++++++++++++++++++++++++++++++++++++------- include/protocols.h | 1 + 5 files changed, 61 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd11728cf..a878351b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Add Mifare Desfire GetDFNames and improve HF MFDES Enum output (@bkerler) + - Fix Mifare Desfire select appid handling (@bkerler) - Improved `hf 14a info` - card detection handling (@bkerler) - Updated helptext layout in all luascripts (@iceman1001) - Change `hf mfdes info` - output and logging (@bkerler) diff --git a/armsrc/desfire.h b/armsrc/desfire.h index 5fa7e8d48..e753106e7 100644 --- a/armsrc/desfire.h +++ b/armsrc/desfire.h @@ -150,6 +150,7 @@ enum DESFIRE_CMD { GET_FREE_MEMORY = 0x6e, GET_FILE_IDS = 0x6f, GET_FILE_SETTINGS = 0xf5, + GET_DF_NAMES = 0x6d, CHANGE_FILE_SETTINGS = 0x5f, CREATE_STD_DATA_FILE = 0xcd, CREATE_BACKUP_DATA_FILE = 0xcb, diff --git a/client/cmdhflist.c b/client/cmdhflist.c index 2a4d46a27..871cd68a3 100644 --- a/client/cmdhflist.c +++ b/client/cmdhflist.c @@ -768,6 +768,9 @@ void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { case MFDES_GET_FILE_IDS: snprintf(exp, size, "GET FILE IDS"); break; + case MFDES_GET_DF_NAMES: + snprintf(exp, size, "GET DF NAMES"); + break; case MFDES_GET_ISOFILE_IDS: snprintf(exp, size, "GET ISOFILE IDS"); break; diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 52fa191cf..0c692bd33 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -345,6 +345,32 @@ static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { return PM3_SUCCESS; } +typedef struct { + uint8_t aid[3]; + uint8_t fid[2]; + uint8_t name[16]; +} dfname_t; + +static int get_desfire_dfnames(dfname_t *dest, uint8_t* dfname_count) { + if (dest == NULL) return PM3_ESOFT; + uint8_t c[] = {MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00}; //0x6d + PacketResponseNG resp; + int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); + if (ret != PM3_SUCCESS) return ret; + + uint8_t count=0; + memcpy(&dest[count], resp.data.asBytes+1, resp.length - 5); + if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) { + c[0] = MFDES_ADDITIONAL_FRAME; //0xAF + ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 3000); + if (ret != PM3_SUCCESS) return ret; + count++; + memcpy(&dest[count], resp.data.asBytes+1, resp.length - 5); + } + *dfname_count=count-1; + return PM3_SUCCESS; +} + // none static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) { @@ -562,9 +588,7 @@ void getKeySettings(uint8_t *aid) { if (memcmp(aid, "\x00\x00\x00", 3) == 0) { // CARD MASTER KEY - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); - + //PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); if (get_desfire_select_application(aid) != PM3_SUCCESS) { PrintAndLogEx(WARNING, _RED_(" Can't select AID")); DropField(); @@ -627,9 +651,7 @@ void getKeySettings(uint8_t *aid) { } else { // AID - APPLICATION MASTER KEYS - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); - + //PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); if (get_desfire_select_application(aid) != PM3_SUCCESS) { PrintAndLogEx(WARNING, _RED_(" Can't select AID")); DropField(); @@ -682,11 +704,21 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { uint8_t file_ids[33] = {0}; uint8_t file_ids_len = 0; + dfname_t dfnames[255] = {0}; + uint8_t dfname_count=0; + if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) { PrintAndLogEx(ERR, "Can't get list of applications on tag"); return PM3_ESOFT; } + if (get_desfire_dfnames(dfnames,&dfname_count)!=PM3_SUCCESS) + { + PrintAndLogEx(WARNING, _RED_("Can't get DF Names")); + DropField(); + return PM3_ESOFT; + } + PrintAndLogEx(NORMAL, ""); PrintAndLogEx(INFO, "-- Mifare DESFire Enumerate applications --------------------"); PrintAndLogEx(INFO, "-------------------------------------------------------------"); @@ -698,7 +730,21 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { aid[1] = app_ids[i + 1]; aid[2] = app_ids[i + 2]; - PrintAndLogEx(SUCCESS, " AID %d : " _GREEN_("%02X %02X %02X"), i, app_ids[i], app_ids[i + 1], app_ids[i + 2]); + PrintAndLogEx(NORMAL, ""); + + if (memcmp(aid, "\x00\x00\x00", 3) == 0) { + // CARD MASTER KEY + PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); + } + else { + PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); + } + + if (i Date: Tue, 7 Apr 2020 21:52:59 +0200 Subject: [PATCH 04/28] Fix display of DF and minor bug --- client/cmdhfmfdes.c | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 0c692bd33..de8ad2895 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -351,23 +351,23 @@ typedef struct { uint8_t name[16]; } dfname_t; -static int get_desfire_dfnames(dfname_t *dest, uint8_t* dfname_count) { +static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) { if (dest == NULL) return PM3_ESOFT; uint8_t c[] = {MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00}; //0x6d PacketResponseNG resp; int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); if (ret != PM3_SUCCESS) return ret; - uint8_t count=0; - memcpy(&dest[count], resp.data.asBytes+1, resp.length - 5); + uint8_t count = 1; + memcpy(&dest[count - 1], resp.data.asBytes + 1, resp.length - 5); if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) { c[0] = MFDES_ADDITIONAL_FRAME; //0xAF ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 3000); if (ret != PM3_SUCCESS) return ret; count++; - memcpy(&dest[count], resp.data.asBytes+1, resp.length - 5); + memcpy(&dest[count - 1], resp.data.asBytes + 1, resp.length - 5); } - *dfname_count=count-1; + *dfname_count = count; return PM3_SUCCESS; } @@ -388,7 +388,7 @@ static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) { return PM3_ESOFT; } -static int get_desfire_filesettings( uint8_t file_id, uint8_t *dest, uint8_t *destlen) { +static int get_desfire_filesettings(uint8_t file_id, uint8_t *dest, uint8_t *destlen) { uint8_t c[] = {MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, file_id, 0x00}; // 0xF5 PacketResponseNG resp; int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); @@ -575,7 +575,7 @@ char *getVersionStr(uint8_t major, uint8_t minor) { else if (major == 0x12 && minor == 0x00) sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV2") ")", major, minor); // else if (major == 0x13 && minor == 0x00) -// sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV3") ")", major, minor); +// sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV3") ")", major, minor); else if (major == 0x30 && minor == 0x00) sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire Light") ")", major, minor); else @@ -705,15 +705,14 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { uint8_t file_ids_len = 0; dfname_t dfnames[255] = {0}; - uint8_t dfname_count=0; + uint8_t dfname_count = 0; if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) { PrintAndLogEx(ERR, "Can't get list of applications on tag"); return PM3_ESOFT; } - if (get_desfire_dfnames(dfnames,&dfname_count)!=PM3_SUCCESS) - { + if (get_desfire_dfnames(dfnames, &dfname_count) != PM3_SUCCESS) { PrintAndLogEx(WARNING, _RED_("Can't get DF Names")); DropField(); return PM3_ESOFT; @@ -735,15 +734,15 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { if (memcmp(aid, "\x00\x00\x00", 3) == 0) { // CARD MASTER KEY PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); - } - else { + } else { PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); } - if (i Date: Wed, 8 Apr 2020 05:02:41 +0200 Subject: [PATCH 05/28] chg: use protocols.h for protocols defines --- client/cmdhfmfdes.c | 12 ++++++------ client/cmdhfmfdes.h | 40 ++-------------------------------------- 2 files changed, 8 insertions(+), 44 deletions(-) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index de8ad2895..aebefe8fb 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -83,7 +83,7 @@ static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { //ICEMAN: Turn on field method? //none static int test_desfire_authenticate() { - uint8_t c[] = {AUTHENTICATE, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x0A, KEY 0 + uint8_t c[] = {MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x0A, KEY 0 SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); PacketResponseNG resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { @@ -96,7 +96,7 @@ static int test_desfire_authenticate() { } // none static int test_desfire_authenticate_iso() { - uint8_t c[] = {AUTHENTICATE_ISO, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x1A, KEY 0 + uint8_t c[] = {MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x1A, KEY 0 SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); PacketResponseNG resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { @@ -117,7 +117,7 @@ static int test_desfire_authenticate_aes() { const static u08_t CustomKey3[16] = {0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, 0x53}; */ - uint8_t c[] = {AUTHENTICATE_AES, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0xAA, KEY 0 + uint8_t c[] = {MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0xAA, KEY 0 SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); PacketResponseNG resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { @@ -137,7 +137,7 @@ static int desfire_print_freemem(uint32_t free_mem) { // init / disconnect static int get_desfire_freemem(uint32_t *free_mem) { - uint8_t c[] = {GET_FREE_MEMORY, 0x00, 0x00, 0x00}; // 0x6E + uint8_t c[] = {MFDES_GET_FREE_MEMORY, 0x00, 0x00, 0x00}; // 0x6E SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); PacketResponseNG resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { @@ -301,7 +301,7 @@ static int get_desfire_select_application(uint8_t *aid) { if (aid == NULL) return PM3_ESOFT; DropField(); - uint8_t c[] = {SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a + uint8_t c[] = {MFDES_SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a PacketResponseNG resp; int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); if (ret != PM3_SUCCESS) { @@ -322,7 +322,7 @@ static int get_desfire_select_application(uint8_t *aid) { // init / disconnect static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { - uint8_t c[] = {GET_APPLICATION_IDS, 0x00, 0x00, 0x00}; //0x6a + uint8_t c[] = {MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00}; //0x6a PacketResponseNG resp; int ret = SendDesfireCmd(c, sizeof(c), INIT | CLEARTRACE | DISCONNECT, sizeof(c), 0, &resp, 1500); if (ret != PM3_SUCCESS) return ret; diff --git a/client/cmdhfmfdes.h b/client/cmdhfmfdes.h index 5c4dcb5e2..4f6605cff 100644 --- a/client/cmdhfmfdes.h +++ b/client/cmdhfmfdes.h @@ -19,50 +19,14 @@ char *getProtocolStr(uint8_t id); char *getVersionStr(uint8_t major, uint8_t minor); void getKeySettings(uint8_t *aid); -#define CREATE_APPLICATION 0xca -#define DELETE_APPLICATION 0xda -#define GET_APPLICATION_IDS 0x6a -#define SELECT_APPLICATION 0x5a -#define FORMAT_PICC 0xfc -#define GET_VERSION 0x60 -#define READ_DATA 0xbd -#define WRITE_DATA 0x3d -#define GET_VALUE 0x6c -#define CREDIT 0x0c -#define DEBIT 0xdc -#define LIMITED_CREDIT 0x1c -#define WRITE_RECORD 0x3b -#define READ_RECORDS 0xbb -#define CLEAR_RECORD_FILE 0xeb -#define COMMIT_TRANSACTION 0xc7 -#define ABORT_TRANSACTION 0xa7 -#define GET_FREE_MEMORY 0x6e -#define GET_FILE_IDS 0x6f -#define GET_ISOFILE_IDS 0x61 -#define GET_FILE_SETTINGS 0xf5 -#define CHANGE_FILE_SETTINGS 0x5f -#define CREATE_STD_DATA_FILE 0xcd -#define CREATE_BACKUP_DATA_FILE 0xcb -#define CREATE_VALUE_FILE 0xcc -#define CREATE_LINEAR_RECORD_FILE 0xc1 -#define CREATE_CYCLIC_RECORD_FILE 0xc0 -#define DELETE_FILE 0xdf -#define AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE -#define AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD -#define AUTHENTICATE_AES 0xaa -#define CHANGE_KEY_SETTINGS 0x54 -#define GET_KEY_SETTINGS 0x45 -#define CHANGE_KEY 0xc4 -#define GET_KEY_VERSION 0x64 -#define AUTHENTICATION_FRAME 0xAF - +// Ev1 card limits #define MAX_NUM_KEYS 0x0F #define MAX_APPLICATION_COUNT 28 #define MAX_FILE_COUNT 32 #define MAX_FRAME_SIZE 60 -#define NOT_YET_AUTHENTICATED 255 #define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5) +#define NOT_YET_AUTHENTICATED 0xFF // status- and error codes | #define OPERATION_OK 0x00 // Successful operation From 832770e3d903addbe6a0952e7831380a0615a886 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:02:57 +0200 Subject: [PATCH 06/28] chg: MIX --- client/cmdhf14a.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index d54e7fb91..60f54adaf 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -193,7 +193,7 @@ static int usage_hf_14a_sim(void) { PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344")); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344556677")); // PrintAndLogEx(NORMAL, " hf 14a sim t 1 u 11223445566778899AA\n"); - return 0; + return PM3_SUCCESS; } static int usage_hf_14a_sniff(void) { PrintAndLogEx(NORMAL, "It get data from the field and saves it into command buffer."); @@ -203,7 +203,7 @@ static int usage_hf_14a_sniff(void) { PrintAndLogEx(NORMAL, "r - triggered by first 7-bit request from reader (REQ,WUP,...)"); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sniff c r")); - return 0; + return PM3_SUCCESS; } static int usage_hf_14a_raw(void) { PrintAndLogEx(NORMAL, "Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] [-b] <0A 0B 0C ... hex>"); @@ -217,7 +217,7 @@ static int usage_hf_14a_raw(void) { PrintAndLogEx(NORMAL, " -t timeout in ms"); PrintAndLogEx(NORMAL, " -T use Topaz protocol to send command"); PrintAndLogEx(NORMAL, " -3 ISO14443-3 select only (skip RATS)"); - return 0; + return PM3_SUCCESS; } static int usage_hf_14a_reader(void) { PrintAndLogEx(NORMAL, "Usage: hf 14a reader [k|s|x] [3]"); @@ -225,7 +225,7 @@ static int usage_hf_14a_reader(void) { PrintAndLogEx(NORMAL, " s silent (no messages)"); PrintAndLogEx(NORMAL, " x just drop the signal field"); PrintAndLogEx(NORMAL, " 3 ISO14443-3 select only (skip RATS)"); - return 0; + return PM3_SUCCESS; } static int CmdHF14AList(const char *Cmd) { @@ -580,7 +580,7 @@ int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leav if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision // get ATS uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 - SendCommandOLD(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0, rats, 2); + SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0, rats, sizeof(rats)); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { if (!silentMode) PrintAndLogEx(ERR, "Proxmark3 connection timeout."); return 1; @@ -674,7 +674,7 @@ static int SelectCard14443_4(bool disconnect, iso14a_card_select_t *card) { if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision // get ATS uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 - SendCommandOLD(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, sizeof(rats), 0, rats, sizeof(rats)); + SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, sizeof(rats), 0, rats, sizeof(rats)); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { PrintAndLogEx(ERR, "Proxmark3 connection timeout."); return 1; @@ -1237,7 +1237,7 @@ static command_t CommandTable[] = { static int CmdHelp(const char *Cmd) { (void)Cmd; // Cmd is not used so far CmdsHelp(CommandTable); - return 0; + return PM3_SUCCESS; } int CmdHF14A(const char *Cmd) { From e2370d78664c0399eafa173386258f18db0545c7 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:03:19 +0200 Subject: [PATCH 07/28] style --- client/cmdhfmfp.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index 56963819c..7d705697a 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -10,12 +10,9 @@ //----------------------------------------------------------------------------- #include "cmdhfmfp.h" - #include - #include "cmdparser.h" // command_t #include "commonutil.h" // ARRAYLEN - #include "comms.h" #include "ui.h" #include "cmdhf14a.h" From d889a9a2d4ac74814ed77a055e6af80df784b888 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:03:27 +0200 Subject: [PATCH 08/28] style --- include/protocols.h | 81 ++++++++++++++++++++++++++------------------- 1 file changed, 47 insertions(+), 34 deletions(-) diff --git a/include/protocols.h b/include/protocols.h index 75be78ae9..76b891b9a 100644 --- a/include/protocols.h +++ b/include/protocols.h @@ -349,45 +349,58 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. // 6x xx = ERROR // MIFARE DESFire command set: -#define MFDES_CREATE_APPLICATION 0xca -#define MFDES_DELETE_APPLICATION 0xda -#define MFDES_GET_APPLICATION_IDS 0x6a -#define MFDES_SELECT_APPLICATION 0x5a -#define MFDES_FORMAT_PICC 0xfc + + #define MFDES_GET_VERSION 0x60 -#define MFDES_READ_DATA 0xbd -#define MFDES_WRITE_DATA 0x3d -#define MFDES_GET_VALUE 0x6c -#define MFDES_CREDIT 0x0c -#define MFDES_DEBIT 0xdc -#define MFDES_LIMITED_CREDIT 0x1c -#define MFDES_WRITE_RECORD 0x3b -#define MFDES_READ_RECORDS 0xbb -#define MFDES_CLEAR_RECORD_FILE 0xeb -#define MFDES_COMMIT_TRANSACTION 0xc7 -#define MFDES_ABORT_TRANSACTION 0xa7 -#define MFDES_GET_FREE_MEMORY 0x6e -#define MFDES_GET_FILE_IDS 0x6f -#define MFDES_GET_ISOFILE_IDS 0x61 -#define MFDES_GET_FILE_SETTINGS 0xf5 -#define MFDES_CHANGE_FILE_SETTINGS 0x5f -#define MFDES_CREATE_STD_DATA_FILE 0xcd -#define MFDES_CREATE_BACKUP_DATA_FILE 0xcb -#define MFDES_CREATE_VALUE_FILE 0xcc -#define MFDES_CREATE_LINEAR_RECORD_FILE 0xc1 -#define MFDES_CREATE_CYCLIC_RECORD_FILE 0xc0 -#define MFDES_DELETE_FILE 0xdf -#define MFDES_AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE -#define MFDES_AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD -#define MFDES_AUTHENTICATE_AES 0xaa -#define MFDES_CHANGE_KEY_SETTINGS 0x54 + +#define MFDES_AUTHENTICATE 0x0A // AUTHENTICATE_NATIVE +#define MFDES_AUTHENTICATE_ISO 0x1A // AUTHENTICATE_STANDARD +#define MFDES_AUTHENTICATE_AES 0xAA + +#define MFDES_CREDIT 0x0C +#define MFDES_LIMITED_CREDIT 0x1C +#define MFDES_DEBIT 0xDC + +#define MFDES_WRITE_RECORD 0x3B +#define MFDES_READSIG 0x3C +#define MFDES_WRITE_DATA 0x3D + #define MFDES_GET_KEY_SETTINGS 0x45 -#define MFDES_CHANGE_KEY 0xc4 +#define MFDES_CHANGE_KEY_SETTINGS 0x54 +#define MFDES_SELECT_APPLICATION 0x5A +#define MFDES_CHANGE_FILE_SETTINGS 0x5F +#define MFDES_GET_ISOFILE_IDS 0x61 #define MFDES_GET_KEY_VERSION 0x64 +#define MFDES_GET_APPLICATION_IDS 0x6A +#define MFDES_GET_VALUE 0x6C +#define MFDES_GET_FREE_MEMORY 0x6E +#define MFDES_GET_DF_NAMES 0x6D +#define MFDES_GET_FILE_IDS 0x6F + + +#define MFDES_ABORT_TRANSACTION 0xA7 #define MFDES_AUTHENTICATION_FRAME 0xAF #define MFDES_ADDITIONAL_FRAME 0xAF -#define MFDES_READSIG 0x3C -#define MFDES_GET_DF_NAMES 0x6D + +#define MFDES_READ_RECORDS 0xBB +#define MFDES_READ_DATA 0xBD + +#define MFDES_CREATE_CYCLIC_RECORD_FILE 0xC0 +#define MFDES_CREATE_LINEAR_RECORD_FILE 0xC1 +#define MFDES_CHANGE_KEY 0xC4 +#define MFDES_COMMIT_TRANSACTION 0xC7 +#define MFDES_CREATE_APPLICATION 0xCA +#define MFDES_CREATE_BACKUP_DATA_FILE 0xCB +#define MFDES_CREATE_VALUE_FILE 0xCC +#define MFDES_CREATE_STD_DATA_FILE 0xCD + +#define MFDES_CLEAR_RECORD_FILE 0xEB + +#define MFDES_DELETE_APPLICATION 0xDA +#define MFDES_DELETE_FILE 0xDF + +#define MFDES_GET_FILE_SETTINGS 0xF5 +#define MFDES_FORMAT_PICC 0xFC // LEGIC Commands #define LEGIC_MIM_22 0x0D From 5ef16fe01651268d5a05aa6ad0554325248e22ac Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:14:19 +0200 Subject: [PATCH 09/28] mix --- armsrc/epa.c | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/armsrc/epa.c b/armsrc/epa.c index f535b89a3..3a44502ba 100644 --- a/armsrc/epa.c +++ b/armsrc/epa.c @@ -263,7 +263,7 @@ static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return) { EPA_Finish(); // send the USB packet - reply_old(CMD_ACK, step, func_return, 0, 0, 0); + reply_mix(CMD_ACK, step, func_return, 0, 0, 0); } //----------------------------------------------------------------------------- @@ -280,12 +280,8 @@ void EPA_PACE_Collect_Nonce(PacketCommandNG *c) { * d: * Encrypted nonce */ - - // return value of a function - int func_return = 0; - // set up communication - func_return = EPA_Setup(); + int func_return = EPA_Setup(); if (func_return != 0) { EPA_PACE_Collect_Nonce_Abort(1, func_return); return; @@ -335,7 +331,7 @@ void EPA_PACE_Collect_Nonce(PacketCommandNG *c) { EPA_Finish(); // save received information - reply_old(CMD_ACK, 0, func_return, 0, nonce, func_return); + reply_mix(CMD_ACK, 0, func_return, 0, nonce, func_return); } //----------------------------------------------------------------------------- @@ -447,7 +443,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) { if (c->oldarg[0] != 0) { // make sure it's not too big if (c->oldarg[2] > apdus_replay[c->oldarg[0] - 1].len) { - reply_old(CMD_ACK, 1, 0, 0, NULL, 0); + reply_mix(CMD_ACK, 1, 0, 0, NULL, 0); } memcpy(apdus_replay[c->oldarg[0] - 1].data + c->oldarg[1], c->data.asBytes, @@ -458,7 +454,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) { } else { apdu_lengths_replay[c->oldarg[0] - 1] += c->oldarg[2]; } - reply_old(CMD_ACK, 0, 0, 0, NULL, 0); + reply_mix(CMD_ACK, 0, 0, 0, NULL, 0); return; } @@ -469,7 +465,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) { func_return = EPA_Setup(); if (func_return != 0) { EPA_Finish(); - reply_old(CMD_ACK, 2, func_return, 0, NULL, 0); + reply_mix(CMD_ACK, 2, func_return, 0, NULL, 0); return; } @@ -492,12 +488,12 @@ void EPA_PACE_Replay(PacketCommandNG *c) { || response_apdu[func_return - 4] != 0x90 || response_apdu[func_return - 3] != 0x00)) { EPA_Finish(); - reply_old(CMD_ACK, 3 + i, func_return, 0, timings, 20); + reply_mix(CMD_ACK, 3 + i, func_return, 0, timings, 20); return; } } EPA_Finish(); - reply_old(CMD_ACK, 0, 0, 0, timings, 20); + reply_mix(CMD_ACK, 0, 0, 0, timings, 20); return; } @@ -506,14 +502,13 @@ void EPA_PACE_Replay(PacketCommandNG *c) { // Returns 0 on success or a non-zero error code on failure //----------------------------------------------------------------------------- int EPA_Setup() { - uint8_t uid[10]; - iso14a_card_select_t card_a_info; // first, look for type A cards // power up the field iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); - // select the card - int return_code = iso14443a_select_card(uid, &card_a_info, NULL, true, 0, false); + iso14a_card_select_t card_a_info; + int return_code = iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false); + if (return_code == 1) { uint8_t pps_response[3]; uint8_t pps_response_par[1]; @@ -528,12 +523,14 @@ int EPA_Setup() { return 0; } + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + // if we're here, there is no type A card, so we look for type B // power up the field iso14443b_setup(); iso14b_card_select_t card_b_info; - // select the card return_code = iso14443b_select_card(&card_b_info); + if (return_code == 0) { Dbprintf("ISO 14443 Type B"); iso_type = 'b'; From c155b62111409bfe02f27723b9a81fee25086c94 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:15:39 +0200 Subject: [PATCH 10/28] MIX --- armsrc/hitagS.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c index 78009496e..4268e82e5 100644 --- a/armsrc/hitagS.c +++ b/armsrc/hitagS.c @@ -1407,7 +1407,7 @@ void ReadHitagS(hitag_function htf, hitag_data *htd) { set_tracing(false); lf_finalize(); - reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); + reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0); } /* @@ -1624,7 +1624,7 @@ void WritePageHitagS(hitag_function htf, hitag_data *htd, int page) { lf_finalize(); - reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); + reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0); } /* @@ -1860,5 +1860,5 @@ void check_challenges(bool file_given, uint8_t *data) { set_tracing(false); lf_finalize(); - reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); + reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0); } From a086754279732bd4c210e5bff5e3404e76368611 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:26:39 +0200 Subject: [PATCH 11/28] earlier test --- client/cmdhflegic.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 901ec85d0..088800780 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -658,6 +658,14 @@ static int CmdLegicWrbl(const char *Cmd) { } } } + + // OUT-OF-BOUNDS checks + // UID 4+1 bytes can't be written to. + if (offset < 5) { + PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset); + return PM3_EOUTOFBOUND; + } + //Validations if (errors || cmdp == 0) { if (data) @@ -674,13 +682,6 @@ static int CmdLegicWrbl(const char *Cmd) { legic_print_type(card.cardsize, 0); - // OUT-OF-BOUNDS checks - // UID 4+1 bytes can't be written to. - if (offset < 5) { - PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset); - return PM3_EOUTOFBOUND; - } - if (len + offset > card.cardsize) { PrintAndLogEx(WARNING, "Out-of-bounds, Cardsize = %d, [offset+len = %d ]", card.cardsize, len + offset); return PM3_EOUTOFBOUND; From a42a817ff31b68aa4b813b038b7821193bedd12b Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:27:27 +0200 Subject: [PATCH 12/28] MIX, also removeed returning mem, since its not used. We use downloadEMbuffer instead --- armsrc/legicrf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c index 35b638298..b411efcaf 100644 --- a/armsrc/legicrf.c +++ b/armsrc/legicrf.c @@ -438,7 +438,7 @@ void LegicRfInfo(void) { } // OK - reply_old(CMD_ACK, 1, 0, 0, (uint8_t *)&card, sizeof(legic_card_select_t)); + reply_mix(CMD_ACK, 1, 0, 0, (uint8_t *)&card, sizeof(legic_card_select_t)); OUT: switch_off(); @@ -513,7 +513,7 @@ void LegicRfReader(uint16_t offset, uint16_t len, uint8_t iv) { } // OK - reply_old(CMD_ACK, 1, len, 0, legic_mem, len); + reply_mix(CMD_ACK, 1, len, 0, 0, 0); OUT: switch_off(); @@ -552,7 +552,7 @@ void LegicRfWriter(uint16_t offset, uint16_t len, uint8_t iv, uint8_t *data) { } // OK - reply_old(CMD_ACK, 1, len, 0, legic_mem, len); + reply_mix(CMD_ACK, 1, len, 0, 0, 0); OUT: switch_off(); From 342a85ef7e76837b78913ff3db30be4c3b5b66ba Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:27:54 +0200 Subject: [PATCH 13/28] MIX --- armsrc/mifaredesfire.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 8ac788122..b2f45d117 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -609,6 +609,6 @@ void OnSuccess() { } void OnError(uint8_t reason) { - reply_old(CMD_ACK, 0, reason, 0, 0, 0); + reply_mix(CMD_ACK, 0, reason, 0, 0, 0); OnSuccess(); } From 75eff352c92183b44b7b756ee91ed3e18afc9466 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 05:29:22 +0200 Subject: [PATCH 14/28] MIX --- armsrc/felica.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/armsrc/felica.c b/armsrc/felica.c index b1e0253a2..2cb23b48c 100644 --- a/armsrc/felica.c +++ b/armsrc/felica.c @@ -621,7 +621,7 @@ void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) { set_tracelen(BigBuf_max_traceLen()); Dbprintf("Felica sniffing done, tracelen: %i, use hf list felica for annotations", BigBuf_get_traceLen()); - reply_old(CMD_ACK, 1, numbts, 0, 0, 0); + reply_mix(CMD_ACK, 1, numbts, 0, 0, 0); LED_D_OFF(); } @@ -812,5 +812,5 @@ void felica_dump_lite_s() { //setting tracelen - important! it was set by buffer overflow before set_tracelen(cnt); - reply_old(CMD_ACK, isOK, cnt, 0, 0, 0); + reply_mix(CMD_ACK, isOK, cnt, 0, 0, 0); } From 0aa18f300886555adcc4703f0eba86dfc46c6c4e Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 13:26:44 +0200 Subject: [PATCH 15/28] add test command for developing desfire --- client/cmdhfmfdes.c | 145 +++++++++++++++++++++++++++++++++++++++--- client/emv/apduinfo.c | 12 +++- client/emv/emvcore.c | 4 ++ client/emv/emvcore.h | 1 + 4 files changed, 151 insertions(+), 11 deletions(-) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index aebefe8fb..e23a8ad40 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -22,6 +22,11 @@ #include "protocols.h" #include "mifare.h" // desfire raw command options #include "cmdtrace.h" +#include "cliparser/cliparser.h" +#include "emv/apduinfo.h" // APDU manipulation / errorcodes +#include "emv/emvcore.h" // APDU logging +#include "util_posix.h" // msleep +#include "mifare/mifare4.h" // MIFARE Authenticate / MAC uint8_t key_zero_data[16] = { 0x00 }; uint8_t key_ones_data[16] = { 0x01 }; @@ -37,13 +42,17 @@ typedef enum { LIGHT, } desfire_cardtype_t; +typedef struct { + uint8_t aid[3]; + uint8_t fid[2]; + uint8_t name[16]; +} dfname_t; static int CmdHelp(const char *Cmd); - static int SendDesfireCmd(uint8_t *c, size_t len, int p0, int p1, int p2, PacketResponseNG *response, int timeout) { - PacketResponseNG resp; + PacketResponseNG resp; if (response == NULL) response = &resp; @@ -345,12 +354,6 @@ static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { return PM3_SUCCESS; } -typedef struct { - uint8_t aid[3]; - uint8_t fid[2]; - uint8_t name[16]; -} dfname_t; - static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) { if (dest == NULL) return PM3_ESOFT; uint8_t c[] = {MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00}; //0x6d @@ -362,8 +365,11 @@ static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) { memcpy(&dest[count - 1], resp.data.asBytes + 1, resp.length - 5); if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) { c[0] = MFDES_ADDITIONAL_FRAME; //0xAF + ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 3000); if (ret != PM3_SUCCESS) return ret; + + count++; memcpy(&dest[count - 1], resp.data.asBytes + 1, resp.length - 5); } @@ -809,8 +815,126 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { */ +int DESFIRESendApdu(bool activate_field, bool leavefield_on, sAPDU apdu, uint8_t *result, int max_result_len, int *result_len, uint16_t *sw) { + + *result_len = 0; + if (sw) *sw = 0; + + uint16_t isw = 0; + int res = 0; + + if (activate_field) { + DropField(); + msleep(50); + } + + // select? + uint8_t data[APDU_RES_LEN] = {0}; + + // COMPUTE APDU + int datalen = 0; + //if (APDUEncodeS(&apdu, false, IncludeLe ? 0x100 : 0x00, data, &datalen)) { + if (APDUEncodeS(&apdu, false, 0x100, data, &datalen)) { + PrintAndLogEx(ERR, "APDU encoding error."); + return PM3_EAPDU_ENCODEFAIL; + } + + if (GetAPDULogging()) + PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, datalen)); + + res = ExchangeAPDU14a(data, datalen, activate_field, leavefield_on, result, max_result_len, result_len); + if (res) { + return res; + } + + if (GetAPDULogging()) + PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(result, *result_len)); + + if (*result_len < 2) { + return PM3_SUCCESS; + } + + *result_len -= 2; + isw = (result[*result_len] << 8) + result[*result_len + 1]; + if (sw) + *sw = isw; + + if (isw != 0x9000 && isw != 0x9100) { + if (GetAPDULogging()) { + if (isw >> 8 == 0x61) { + PrintAndLogEx(ERR, "APDU chaining len:%02x -->", isw & 0xff); + } else { + PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff)); + return PM3_EAPDU_FAIL; + } + } + } + + return PM3_SUCCESS; +} + +static int CmdHF14ADesTEST(const char *Cmd) { + + uint8_t aid[3]; + uint8_t app_ids[78] = {0}; + int app_ids_len = 0; + +// uint8_t file_ids[33] = {0}; +// uint8_t file_ids_len = 0; + + uint8_t data[255*5] = {0}; + dfname_t dfnames[255] = {0}; + int dfname_count = 0; + uint16_t sw = 0; + + SetAPDULogging(true); + + // get application ids + sAPDU apdu = {0x90, MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00, NULL}; + int res = DESFIRESendApdu(true, true, apdu, app_ids, sizeof(app_ids), &app_ids_len, &sw); + if (res != PM3_SUCCESS) + goto out; + + // get dfnames + apdu.INS = MFDES_GET_DF_NAMES; + res = DESFIRESendApdu(true, false, apdu, data, sizeof(data), &dfname_count, &sw); + if (res != PM3_SUCCESS) + goto out; + + + // enum test... + for (int i = 0; i < app_ids_len; i += 3) { + + aid[0] = app_ids[i]; + aid[1] = app_ids[i + 1]; + aid[2] = app_ids[i + 2]; + + PrintAndLogEx(NORMAL, ""); + + if (memcmp(aid, "\x00\x00\x00", 3) == 0) { + // CARD MASTER KEY + PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); + } else { + PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); + } + + PrintAndLogEx(SUCCESS, " AID : " _GREEN_("%s"), sprint_hex(aid, sizeof(aid))); + for (int m = 0; m < dfname_count; m++) { + if (memcmp (dfnames[m].aid, aid, 3) == 0) { + PrintAndLogEx(SUCCESS, " - DF " _YELLOW_("%02X %02X") " Name : " _YELLOW_("%s"), + dfnames[m].fid[0], dfnames[m].fid[1], + dfnames[m].name + ); + } + } + } +out: + SetAPDULogging(false); + return PM3_SUCCESS; +} + // MIAFRE DESFire Authentication // #define BUFSIZE 256 @@ -824,9 +948,9 @@ static int CmdHF14ADesAuth(const char *Cmd) { // 4 = AES 16 uint8_t keylength = 8; - unsigned char key[24]; + uint8_t key[24]; uint8_t aidlength = 3; - unsigned char aid[3]; + uint8_t aid[3]; if (strlen(Cmd) < 3) { PrintAndLogEx(NORMAL, "Usage: hf mfdes auth <1|2|3> <1|2|3|4> "); @@ -949,6 +1073,7 @@ static command_t CommandTable[] = { {"auth", CmdHF14ADesAuth, IfPm3Iso14443a, "Tries a MIFARE DesFire Authentication"}, // {"rdbl", CmdHF14ADesRb, IfPm3Iso14443a, "Read MIFARE DesFire block"}, // {"wrbl", CmdHF14ADesWb, IfPm3Iso14443a, "write MIFARE DesFire block"}, + {"test", CmdHF14ADesTEST, IfPm3Iso14443a, "testing command"}, {NULL, NULL, NULL, NULL} }; diff --git a/client/emv/apduinfo.c b/client/emv/apduinfo.c index 35735fb47..b64696628 100644 --- a/client/emv/apduinfo.c +++ b/client/emv/apduinfo.c @@ -503,7 +503,17 @@ void APDUPrint(APDUStruct apdu) { void APDUPrintEx(APDUStruct apdu, size_t maxdatalen) { PrintAndLogEx(INFO, "APDU: %scase=0x%02x cla=0x%02x ins=0x%02x p1=0x%02x p2=0x%02x Lc=0x%02x(%d) Le=0x%02x(%d)", - apdu.extended_apdu ? "[e]" : "", apdu.case_type, apdu.cla, apdu.ins, apdu.p1, apdu.p2, apdu.lc, apdu.lc, apdu.le, apdu.le); + apdu.extended_apdu ? "[e]" : "", + apdu.case_type, + apdu.cla, + apdu.ins, + apdu.p1, + apdu.p2, + apdu.lc, + apdu.lc, + apdu.le, + apdu.le + ); if (maxdatalen > 0) PrintAndLogEx(INFO, "data: %s%s", sprint_hex(apdu.data, MIN(apdu.lc, maxdatalen)), apdu.lc > maxdatalen ? "..." : ""); } diff --git a/client/emv/emvcore.c b/client/emv/emvcore.c index fe5ff3a31..852d801c7 100644 --- a/client/emv/emvcore.c +++ b/client/emv/emvcore.c @@ -136,6 +136,10 @@ void SetAPDULogging(bool logging) { APDULogging = logging; } +bool GetAPDULogging(void) { + return APDULogging; +} + enum CardPSVendor GetCardPSVendor(uint8_t *AID, size_t AIDlen) { char buf[100] = {0}; if (AIDlen < 1) diff --git a/client/emv/emvcore.h b/client/emv/emvcore.h index d5dccd037..1c422e483 100644 --- a/client/emv/emvcore.h +++ b/client/emv/emvcore.h @@ -57,6 +57,7 @@ struct tlvdb *GetPANFromTrack2(const struct tlv *track2); struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2); void SetAPDULogging(bool logging); +bool GetAPDULogging(void); // exchange int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv); From a0874248c716c511f291e6d0b887531cd15d0bb4 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 13:27:13 +0200 Subject: [PATCH 16/28] chg more pm3 fail codes --- include/pm3_cmd.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index d97fae6ed..6ce271aab 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h @@ -618,6 +618,11 @@ typedef struct { #define PM3_EOUTOFBOUND -17 // exchange with card error client/pm3: error when cant get answer from card or got an incorrect answer #define PM3_ECARDEXCHANGE -18 + +// Failed to create APDU, +#define PM3_EAPDU_ENCODEFAIL -19 +// APDU responded with a failure code +#define PM3_EAPDU_FAIL -20 // No data pm3: no data available, no host frame available (not really an error) #define PM3_ENODATA -98 // Quit program client: reserved, order to quit the program From 285de43444ff3f5f50e8df14be857a3fea60b47a Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 13:37:48 +0200 Subject: [PATCH 17/28] textual --- client/cmdhfmfdes.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index e23a8ad40..31187a57c 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -176,7 +176,7 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign {"DESFire EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3A"}, {"NTAG424DNA, NTAG424DNATT, DESFire Light EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3B"}, {"DESFire Light EV1", "040E98E117AAA36457F43173DC920A8757267F44CE4EC5ADD3C54075571AEBBF7B942A9774A1D94AD02572427E5AE0A2DD36591B1FB34FCF3D"}, - {"Mifare Plus", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} + {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} }; uint8_t i; @@ -207,10 +207,10 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 32); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 48); PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1"); - PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex(signature, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 16, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 32, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 48, signature_len - 48)); + PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex_inrow(signature, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48)); PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); return PM3_SUCCESS; } From 69b7d798c175a9da2c13210391ea5d90f28830c1 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 13:48:56 +0200 Subject: [PATCH 18/28] colors --- client/cmdhfmfp.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index 7d705697a..ff13576c9 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -37,7 +37,7 @@ static int CmdHFMFPInfo(const char *Cmd) { PrintAndLogEx(WARNING, "command don't have any parameters.\n"); PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(INFO, "-- Mifare Plus Tag Information ------------------------------"); + PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") "---------------------------"); PrintAndLogEx(INFO, "-------------------------------------------------------------"); // info about 14a part @@ -45,7 +45,6 @@ static int CmdHFMFPInfo(const char *Cmd) { // Mifare Plus info SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT, 0, 0, NULL, 0); - PacketResponseNG resp; WaitForResponse(CMD_ACK, &resp); @@ -56,8 +55,7 @@ static int CmdHFMFPInfo(const char *Cmd) { if (select_status == 1 || select_status == 2) { - PrintAndLogEx(INFO, "-------------------------------------------------------------"); - PrintAndLogEx(INFO, " Fingerprint"); + PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint")); // MIFARE Type Identification Procedure // https://www.nxp.com/docs/en/application-note/AN10833.pdf From 43936042e919a11f73f69c22ea81927351ce7af1 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 13:49:18 +0200 Subject: [PATCH 19/28] text --- client/cmdhfmfdes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 31187a57c..c4cab419a 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -201,7 +201,7 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign PrintAndLogEx(NORMAL, ""); PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature")); - PrintAndLogEx(INFO, " IC signature public key name: %s", nxp_desfire_public_keys[i].desc); + PrintAndLogEx(INFO, " IC signature public key name: " _GREEN_("%s"), nxp_desfire_public_keys[i].desc); PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_desfire_public_keys[i].value); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 16); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 32); @@ -211,7 +211,7 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16)); PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16)); PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48)); - PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); + PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); return PM3_SUCCESS; } From f870abf45497d32d545fff6b49d7db6cc0b3cc47 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 13:59:20 +0200 Subject: [PATCH 20/28] text --- client/cmdhfmfp.c | 49 ++++++++++++++++++++--------------------------- 1 file changed, 21 insertions(+), 28 deletions(-) diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index ff13576c9..31acb1a24 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -62,45 +62,37 @@ static int CmdHFMFPInfo(const char *Cmd) { uint16_t ATQA = card.atqa[0] + (card.atqa[1] << 8); bool isPlus = false; - if (ATQA == 0x0004) { - PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 2K") " (4b UID)"); + if (ATQA & 0x0004) { + PrintAndLogEx(INFO, " ATQA - " _GREEN_("MIFARE Plus 2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); isPlus = true; } - if (ATQA == 0x0002) { - PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 4K") " (4b UID)"); - isPlus = true; - } - if (ATQA == 0x0044) { - PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 2K") " (7b UID)"); - isPlus = true; - } - if (ATQA == 0x0042) { - PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 4K") " (7b UID)"); + if (ATQA & 0x0002) { + PrintAndLogEx(INFO, " ATQA - " _GREEN_("MIFARE Plus 4K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); isPlus = true; } uint8_t SLmode = 0xff; if (isPlus) { if (card.sak == 0x08) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 2K 7b UID")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 2K 7b UID")); if (select_status == 2) SLmode = 1; } if (card.sak == 0x18) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 4K 7b UID")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 4K 7b UID")); if (select_status == 2) SLmode = 1; } if (card.sak == 0x10) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 2K")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 2K")); if (select_status == 2) SLmode = 2; } if (card.sak == 0x11) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 4K")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 4K")); if (select_status == 2) SLmode = 2; } } if (card.sak == 0x20) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus SL0/SL3") "or " _GREEN_("Mifare DESFire")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus SL0/SL3") "or " _GREEN_("MIFARE DESFire")); if (card.ats_len > 0) { @@ -113,7 +105,7 @@ static int CmdHFMFPInfo(const char *Cmd) { int res = ExchangeRAW14a(cmd, sizeof(cmd), true, false, data, sizeof(data), &datalen, false); if (memcmp(data, "\x67\x00", 2) == 0) { - PrintAndLogEx(INFO, "\tMost likely a Mifare DESFire tag"); + PrintAndLogEx(INFO, "\tMost likely a MIFARE DESFire tag"); PrintAndLogEx(HINT, "Hint: Try " _YELLOW_("`hf mfdes info`")); DropField(); return PM3_SUCCESS; @@ -126,28 +118,29 @@ static int CmdHFMFPInfo(const char *Cmd) { } // How do we detect SL0 / SL1 / SL2 / SL3 modes?!? - PrintAndLogEx(INFO, "Security Level (SL)"); + PrintAndLogEx(INFO, "--- " _CYAN_("Security Level (SL)")); + + if (SLmode != 0xFF) + PrintAndLogEx(SUCCESS, " MIFARE Plus SL mode: " _YELLOW_("SL%d"), SLmode); + else + PrintAndLogEx(WARNING, " MIFARE Plus SL mode: " _YELLOW_("unknown")); + switch(SLmode) { case 0: - PrintAndLogEx(INFO, "SL 0: initial delivery configuration, used for card personalization"); + PrintAndLogEx(INFO, " SL 0: initial delivery configuration, used for card personalization"); break; case 1: - PrintAndLogEx(INFO, "SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication"); + PrintAndLogEx(INFO, " SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication"); break; case 2: - PrintAndLogEx(INFO, "SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1"); + PrintAndLogEx(INFO, " SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1"); break; case 3: - PrintAndLogEx(INFO, "SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method."); + PrintAndLogEx(INFO, " SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method."); break; default: break; } - - if (SLmode != 0xFF) - PrintAndLogEx(SUCCESS, "\tMifare Plus SL mode: " _YELLOW_("SL%d"), SLmode); - else - PrintAndLogEx(WARNING, "\tMifare Plus SL mode: " _YELLOW_("unknown")); } else { PrintAndLogEx(INFO, "\tMifare Plus info not available."); } From cdf920b2894c6db8e91b44c6af5dcd75d1e209c5 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 14:18:21 +0200 Subject: [PATCH 21/28] coverity fix --- client/cmdhflegic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 088800780..5c007f9f9 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -662,6 +662,8 @@ static int CmdLegicWrbl(const char *Cmd) { // OUT-OF-BOUNDS checks // UID 4+1 bytes can't be written to. if (offset < 5) { + if (data) + free(data); PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset); return PM3_EOUTOFBOUND; } From 7643b24ca76b4efe150d83d986d36e6a12bd5295 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 15:21:40 +0200 Subject: [PATCH 22/28] chg: 'hf mfp info' - colors and now checks originality for Plus EV1 --- client/cmdhfmfp.c | 75 +++++++++++++++++++++++++++++++++++++++++ client/mifare/mifare4.c | 5 +++ client/mifare/mifare4.h | 2 ++ 3 files changed, 82 insertions(+) diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index 31acb1a24..b872eba12 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -24,6 +24,9 @@ #include "mifare/mifaredefault.h" #include "util_posix.h" #include "fileutils.h" +#include "protocols.h" +#include "crypto/libpcrypto.h" + static const uint8_t DefaultKey[16] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; @@ -31,6 +34,70 @@ uint16_t CardAddresses[] = {0x9000, 0x9001, 0x9002, 0x9003, 0x9004, 0xA000, 0xA0 static int CmdHelp(const char *Cmd); +// --- GET SIGNATURE +static int plus_print_signature(uint8_t *uid, uint8_t uidlen, uint8_t *signature, int signature_len) { + + // ref: MIFARE Plus EV1 Originality Signature Validation + #define PUBLIC_PLUS_ECDA_KEYLEN 57 + const ecdsa_publickey_t nxp_plus_public_keys[] = { + {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} + }; + + uint8_t i; + int res; + bool is_valid = false; + + for (i = 0; i < ARRAYLEN(nxp_plus_public_keys); i++) { + + int dl = 0; + uint8_t key[PUBLIC_PLUS_ECDA_KEYLEN]; + param_gethex_to_eol(nxp_plus_public_keys[i].value, 0, key, PUBLIC_PLUS_ECDA_KEYLEN, &dl); + + res = ecdsa_signature_r_s_verify(MBEDTLS_ECP_DP_SECP224R1, key, uid, uidlen, signature, signature_len, false); + is_valid = (res == 0); + if (is_valid) + break; + } + if (is_valid == false) { + PrintAndLogEx(SUCCESS, "Signature verification " _RED_("failed")); + return PM3_ESOFT; + } + + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature")); + PrintAndLogEx(INFO, " IC signature public key name: " _GREEN_("%s"), nxp_plus_public_keys[i].desc); + PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_plus_public_keys[i].value); + PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 16); + PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 32); + PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 48); + PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1"); + PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex_inrow(signature, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48)); + PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); + return PM3_SUCCESS; +} + +static int get_plus_signature(uint8_t *signature, int *signature_len) { + + mfpSetVerboseMode(false); + + uint8_t data[59] = {0}; + int resplen = 0, retval = PM3_SUCCESS; + MFPGetSignature(true, false, data, sizeof(data), &resplen); + + if (resplen == 59) { + memcpy(signature, data + 1, 56); + *signature_len = 56; + } else { + *signature_len = 0; + retval = PM3_ESOFT; + } + mfpSetVerboseMode(false); + return retval; +} + static int CmdHFMFPInfo(const char *Cmd) { if (Cmd && strlen(Cmd) > 0) @@ -53,6 +120,14 @@ static int CmdHFMFPInfo(const char *Cmd) { uint64_t select_status = resp.oldarg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision + // Signature originality check + uint8_t signature[56] = {0}; + int signature_len = sizeof(signature); + if (get_plus_signature(signature, &signature_len) == PM3_SUCCESS) { + plus_print_signature(card.uid, card.uidlen, signature, signature_len); + } + + if (select_status == 1 || select_status == 2) { PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint")); diff --git a/client/mifare/mifare4.c b/client/mifare/mifare4.c index 966a2027d..7b45d2d4a 100644 --- a/client/mifare/mifare4.c +++ b/client/mifare/mifare4.c @@ -429,6 +429,11 @@ int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data return 0; } +int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { + uint8_t c[] = {0x3c, 0x00}; + return intExchangeRAW14aPlus(c, sizeof(c), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); +} + // Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards), // plus evtl. 8 sectors with 16 blocks each (4k cards) uint8_t mfNumBlocksPerSector(uint8_t sectorNo) { diff --git a/client/mifare/mifare4.h b/client/mifare/mifare4.h index cb2c8d652..379218543 100644 --- a/client/mifare/mifare4.h +++ b/client/mifare/mifare4.h @@ -59,6 +59,8 @@ int MFPReadBlock(mf4Session_t *session, bool plain, uint8_t blockNum, uint8_t bl int MFPWriteBlock(mf4Session_t *session, uint8_t blockNum, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac); int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose); +int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen); + const char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data); uint8_t mfNumBlocksPerSector(uint8_t sectorNo); From 133e2a6bc49e015355b013cdaa5ee194cc296b5f Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 17:13:05 +0200 Subject: [PATCH 23/28] fix: 'hf mfp info' - now support GetVersion command (Plus EV1) --- client/cmdhfmfp.c | 99 ++++++++++++++++++++++++++++++++++++++++- client/mifare/mifare4.c | 16 +++++++ client/mifare/mifare4.h | 1 + 3 files changed, 115 insertions(+), 1 deletion(-) diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index b872eba12..6a80b9122 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -34,6 +34,63 @@ uint16_t CardAddresses[] = {0x9000, 0x9001, 0x9002, 0x9003, 0x9004, 0xA000, 0xA0 static int CmdHelp(const char *Cmd); +/* + The 7 MSBits (= n) code the storage size itself based on 2^n, + the LSBit is set to '0' if the size is exactly 2^n + and set to '1' if the storage size is between 2^n and 2^(n+1). + For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'. +*/ +static char *getCardSizeStr(uint8_t fsize) { + + static char buf[40] = {0x00}; + char *retStr = buf; + + uint16_t usize = 1 << ((fsize >> 1) + 1); + uint16_t lsize = 1 << (fsize >> 1); + + // is LSB set? + if (fsize & 1) + sprintf(retStr, "0x%02X ( " _YELLOW_("%d - %d bytes") ")", fsize, usize, lsize); + else + sprintf(retStr, "0x%02X ( " _YELLOW_("%d bytes") ")", fsize, lsize); + return buf; +} + +static char *getProtocolStr(uint8_t id) { + + static char buf[40] = {0x00}; + char *retStr = buf; + + if (id == 0x05) + sprintf(retStr, "0x%02X ( " _YELLOW_("ISO 14443-3, 14443-4") ")", id); + else + sprintf(retStr, "0x%02X ( " _YELLOW_("Unknown") ")", id); + return buf; +} + +static char *getVersionStr(uint8_t major, uint8_t minor) { + + static char buf[40] = {0x00}; + char *retStr = buf; + + if (major == 0x00) + sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire MF3ICD40") ")", major, minor); + else if (major == 0x01 && minor == 0x00) + sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV1") ")", major, minor); + else if (major == 0x12 && minor == 0x00) + sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV2") ")", major, minor); +// else if (major == 0x13 && minor == 0x00) +// sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV3") ")", major, minor); + else if (major == 0x30 && minor == 0x00) + sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire Light") ")", major, minor); + + else if (major == 0x11 && minor == 0x00) + sprintf(retStr, "%x.%x ( " _YELLOW_("Plus EV1") ")", major, minor); + else + sprintf(retStr, "%x.%x ( " _YELLOW_("Unknown") ")", major, minor); + return buf; +} + // --- GET SIGNATURE static int plus_print_signature(uint8_t *uid, uint8_t uidlen, uint8_t *signature, int signature_len) { @@ -97,6 +154,40 @@ static int get_plus_signature(uint8_t *signature, int *signature_len) { mfpSetVerboseMode(false); return retval; } +// GET VERSION +static int plus_print_version(uint8_t *version) { + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(INFO, "--- " _CYAN_("Hardware Information")); + PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0])); + PrintAndLogEx(INFO, " Type: " _YELLOW_("0x%02X"), version[1]); + PrintAndLogEx(INFO, " Subtype: " _YELLOW_("0x%02X"), version[2]); + PrintAndLogEx(INFO, " Version: %s", getVersionStr(version[3], version[4])); + PrintAndLogEx(INFO, " Storage size: %s", getCardSizeStr(version[5])); + PrintAndLogEx(INFO, " Protocol: %s", getProtocolStr(version[6])); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(INFO, "--- " _CYAN_("Software Information")); + PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0])); + PrintAndLogEx(INFO, " Type: " _YELLOW_("0x%02X"), version[1]); + PrintAndLogEx(INFO, " Subtype: " _YELLOW_("0x%02X"), version[2]); + PrintAndLogEx(INFO, " Version: " _YELLOW_("%d.%d"), version[3], version[4]); + PrintAndLogEx(INFO, " Storage size: %s", getCardSizeStr(version[5])); + PrintAndLogEx(INFO, " Protocol: %s", getProtocolStr(version[6])); + return PM3_SUCCESS; +} +static int get_plus_version(uint8_t *version, int *version_len) { + + int resplen = 0, retval = PM3_SUCCESS; + + mfpSetVerboseMode(false); + MFPGetVersion(true, false, version, *version_len, &resplen); + mfpSetVerboseMode(false); + + *version_len = resplen; + if (resplen != 14) { + retval = PM3_ESOFT; + } + return retval; +} static int CmdHFMFPInfo(const char *Cmd) { @@ -110,6 +201,13 @@ static int CmdHFMFPInfo(const char *Cmd) { // info about 14a part infoHF14A(false, false, false); + // version check + uint8_t version[15] = {0}; + int version_len = sizeof(version); + if (get_plus_version(version, &version_len) == PM3_SUCCESS) { + plus_print_version(version); + } + // Mifare Plus info SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT, 0, 0, NULL, 0); PacketResponseNG resp; @@ -127,7 +225,6 @@ static int CmdHFMFPInfo(const char *Cmd) { plus_print_signature(card.uid, card.uidlen, signature, signature_len); } - if (select_status == 1 || select_status == 2) { PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint")); diff --git a/client/mifare/mifare4.c b/client/mifare/mifare4.c index 7b45d2d4a..bb5742408 100644 --- a/client/mifare/mifare4.c +++ b/client/mifare/mifare4.c @@ -434,6 +434,22 @@ int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, in return intExchangeRAW14aPlus(c, sizeof(c), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); } +int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { + uint8_t tmp[10] = {0}; + uint8_t c[] = {0x60}; + int res = intExchangeRAW14aPlus(c, sizeof(c), activateField, true, tmp, maxdataoutlen, dataoutlen); + if (tmp[0] == 0xAF) { //MFDES_ADDITIONAL_FRAME + memcpy(dataout, tmp + 1, 7); + c[0] = 0xAF; + res = intExchangeRAW14aPlus(c, sizeof(c), false, leaveSignalON, tmp, maxdataoutlen, dataoutlen); + if (res == 0) { + memcpy(dataout + 7, tmp + 1, 7); + *dataoutlen = 14; + } + } + return res; +} + // Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards), // plus evtl. 8 sectors with 16 blocks each (4k cards) uint8_t mfNumBlocksPerSector(uint8_t sectorNo) { diff --git a/client/mifare/mifare4.h b/client/mifare/mifare4.h index 379218543..0c3e08458 100644 --- a/client/mifare/mifare4.h +++ b/client/mifare/mifare4.h @@ -60,6 +60,7 @@ int MFPWriteBlock(mf4Session_t *session, uint8_t blockNum, uint8_t *data, bool a int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose); int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen); +int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen); const char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data); From f216fc7f5ed925109a24842bfc59b9c69c54424a Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 19:07:11 +0200 Subject: [PATCH 24/28] chg: hf mfp info - need all data from getversion. Layout changes --- client/cmdhfmfp.c | 86 +++++++++++++++++++++++++++-------------------- 1 file changed, 50 insertions(+), 36 deletions(-) diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index 6a80b9122..fa4feb5a4 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -156,6 +156,9 @@ static int get_plus_signature(uint8_t *signature, int *signature_len) { } // GET VERSION static int plus_print_version(uint8_t *version) { + PrintAndLogEx(SUCCESS, " UID: " _GREEN_("%s"), sprint_hex(version + 14, 7)); + PrintAndLogEx(SUCCESS, " Batch number: " _GREEN_("%s"), sprint_hex(version + 21, 5)); + PrintAndLogEx(SUCCESS, " Production date: week " _GREEN_("%02x") "/ " _GREEN_("20%02x"), version[7+7+7+5], version[7+7+7+5+1]); PrintAndLogEx(NORMAL, ""); PrintAndLogEx(INFO, "--- " _CYAN_("Hardware Information")); PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0])); @@ -177,13 +180,12 @@ static int plus_print_version(uint8_t *version) { static int get_plus_version(uint8_t *version, int *version_len) { int resplen = 0, retval = PM3_SUCCESS; - mfpSetVerboseMode(false); MFPGetVersion(true, false, version, *version_len, &resplen); mfpSetVerboseMode(false); *version_len = resplen; - if (resplen != 14) { + if (resplen != 28) { retval = PM3_ESOFT; } return retval; @@ -198,14 +200,18 @@ static int CmdHFMFPInfo(const char *Cmd) { PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") "---------------------------"); PrintAndLogEx(INFO, "-------------------------------------------------------------"); - // info about 14a part - infoHF14A(false, false, false); + bool supportVersion = false; + bool supportSignature = false; // version check - uint8_t version[15] = {0}; + uint8_t version[30] = {0}; int version_len = sizeof(version); if (get_plus_version(version, &version_len) == PM3_SUCCESS) { plus_print_version(version); + supportVersion = true; + } else { + // info about 14a part + infoHF14A(false, false, false); } // Mifare Plus info @@ -223,11 +229,18 @@ static int CmdHFMFPInfo(const char *Cmd) { int signature_len = sizeof(signature); if (get_plus_signature(signature, &signature_len) == PM3_SUCCESS) { plus_print_signature(card.uid, card.uidlen, signature, signature_len); + supportSignature = true; } if (select_status == 1 || select_status == 2) { PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint")); + + if (supportVersion && supportSignature) { + PrintAndLogEx(INFO, " Tech: " _GREEN_("MIFARE Plus EV1")); + } else { + PrintAndLogEx(INFO, " Tech: " _YELLOW_("MIFARE Plus SE/X")); + } // MIFARE Type Identification Procedure // https://www.nxp.com/docs/en/application-note/AN10833.pdf @@ -235,36 +248,36 @@ static int CmdHFMFPInfo(const char *Cmd) { bool isPlus = false; if (ATQA & 0x0004) { - PrintAndLogEx(INFO, " ATQA - " _GREEN_("MIFARE Plus 2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); + PrintAndLogEx(INFO, " ATQA: " _GREEN_("2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); isPlus = true; } if (ATQA & 0x0002) { - PrintAndLogEx(INFO, " ATQA - " _GREEN_("MIFARE Plus 4K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); + PrintAndLogEx(INFO, " ATQA: " _GREEN_("4K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); isPlus = true; } - uint8_t SLmode = 0xff; + uint8_t SLmode = 0xFF; if (isPlus) { if (card.sak == 0x08) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 2K 7b UID")); + PrintAndLogEx(INFO, " SAK: " _GREEN_("2K 7b UID")); if (select_status == 2) SLmode = 1; } if (card.sak == 0x18) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 4K 7b UID")); + PrintAndLogEx(INFO, " SAK: " _GREEN_("4K 7b UID")); if (select_status == 2) SLmode = 1; } if (card.sak == 0x10) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 2K")); + PrintAndLogEx(INFO, " SAK: " _GREEN_("2K")); if (select_status == 2) SLmode = 2; } if (card.sak == 0x11) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus 4K")); + PrintAndLogEx(INFO, " SAK: " _GREEN_("4K")); if (select_status == 2) SLmode = 2; } } if (card.sak == 0x20) { - PrintAndLogEx(INFO, " SAK - " _GREEN_("MIFARE Plus SL0/SL3") "or " _GREEN_("MIFARE DESFire")); + PrintAndLogEx(INFO, " SAK: " _GREEN_("MIFARE Plus SL0/SL3") "or " _GREEN_("MIFARE DESFire")); if (card.ats_len > 0) { @@ -289,34 +302,35 @@ static int CmdHFMFPInfo(const char *Cmd) { } } - // How do we detect SL0 / SL1 / SL2 / SL3 modes?!? - PrintAndLogEx(INFO, "--- " _CYAN_("Security Level (SL)")); + if (isPlus) { + // How do we detect SL0 / SL1 / SL2 / SL3 modes?!? + PrintAndLogEx(INFO, "--- " _CYAN_("Security Level (SL)")); - if (SLmode != 0xFF) - PrintAndLogEx(SUCCESS, " MIFARE Plus SL mode: " _YELLOW_("SL%d"), SLmode); - else - PrintAndLogEx(WARNING, " MIFARE Plus SL mode: " _YELLOW_("unknown")); - - switch(SLmode) { - case 0: - PrintAndLogEx(INFO, " SL 0: initial delivery configuration, used for card personalization"); - break; - case 1: - PrintAndLogEx(INFO, " SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication"); - break; - case 2: - PrintAndLogEx(INFO, " SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1"); - break; - case 3: - PrintAndLogEx(INFO, " SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method."); - break; - default: - break; + if (SLmode != 0xFF ) + PrintAndLogEx(SUCCESS, " SL mode: " _YELLOW_("SL%d"), SLmode); + else + PrintAndLogEx(WARNING, " SL mode: " _YELLOW_("unknown")); + switch(SLmode) { + case 0: + PrintAndLogEx(INFO, " SL 0: initial delivery configuration, used for card personalization"); + break; + case 1: + PrintAndLogEx(INFO, " SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication"); + break; + case 2: + PrintAndLogEx(INFO, " SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1"); + break; + case 3: + PrintAndLogEx(INFO, " SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method."); + break; + default: + break; + } } } else { PrintAndLogEx(INFO, "\tMifare Plus info not available."); } - + PrintAndLogEx(NORMAL, ""); DropField(); return PM3_SUCCESS; } From df83c71470409452e2c0023f22359fe3098c02ad Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 19:07:17 +0200 Subject: [PATCH 25/28] chg: hf mfp info - need all data from getversion. Layout changes --- client/mifare/mifare4.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/client/mifare/mifare4.c b/client/mifare/mifare4.c index bb5742408..848528611 100644 --- a/client/mifare/mifare4.c +++ b/client/mifare/mifare4.c @@ -435,18 +435,37 @@ int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, in } int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { - uint8_t tmp[10] = {0}; + uint8_t tmp[20] = {0}; uint8_t c[] = {0x60}; int res = intExchangeRAW14aPlus(c, sizeof(c), activateField, true, tmp, maxdataoutlen, dataoutlen); - if (tmp[0] == 0xAF) { //MFDES_ADDITIONAL_FRAME - memcpy(dataout, tmp + 1, 7); + if (res != 0) { + DropField(); + *dataoutlen = 0; + return res; + } + + memcpy(dataout, tmp + 1, (*dataoutlen - 3)); + + *dataoutlen = 0; + // MFDES_ADDITIONAL_FRAME + if (tmp[0] == 0xAF) { c[0] = 0xAF; - res = intExchangeRAW14aPlus(c, sizeof(c), false, leaveSignalON, tmp, maxdataoutlen, dataoutlen); + res = intExchangeRAW14aPlus(c, sizeof(c), false, true, tmp, maxdataoutlen, dataoutlen); if (res == 0) { - memcpy(dataout + 7, tmp + 1, 7); - *dataoutlen = 14; + + memcpy(dataout + 7, tmp + 1, (*dataoutlen - 3)); + + // MFDES_ADDITIONAL_FRAME + res = intExchangeRAW14aPlus(c, sizeof(c), false, false, tmp, maxdataoutlen, dataoutlen); + if (res == 0) { + if (tmp[0] == 0x90) { + memcpy(dataout + 7 + 7, tmp + 1, (*dataoutlen - 3)); + *dataoutlen = 28; + } + } } } + DropField(); return res; } From 68a890d0e9e1a1a9e40dafff984ad08f2c2484b9 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Wed, 8 Apr 2020 19:16:42 +0200 Subject: [PATCH 26/28] textual --- client/cmdhf14a.c | 6 ++---- client/cmdhfmfp.c | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 60f54adaf..2e5fcb69e 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -1317,10 +1317,8 @@ int detect_nxp_card(uint8_t sak, uint16_t atqa) { printTag("MIFARE NTAG424DNA (Random ID feature)"); type |= MTDESFIRE; } else { - printTag("MIFARE Plus 2K / Plus EV1 2K"); - printTag("MIFARE Plus 4K / Plus EV1 4K"); - printTag("MIFARE Plus CL2 2K / Plus CL2 EV1 4K"); - printTag("MIFARE Plus CL2 4K / Plus CL2 EV1 4K"); + printTag("MIFARE Plus 2K/4K / Plus EV1 2K/4K"); + printTag("MIFARE Plus CL2 2K/4K / Plus CL2 EV1 2K/4K"); type |= MTPLUS; } } diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index fa4feb5a4..71da93bcc 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -248,11 +248,11 @@ static int CmdHFMFPInfo(const char *Cmd) { bool isPlus = false; if (ATQA & 0x0004) { - PrintAndLogEx(INFO, " ATQA: " _GREEN_("2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); + PrintAndLogEx(INFO, " SIZE: " _GREEN_("2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); isPlus = true; } if (ATQA & 0x0002) { - PrintAndLogEx(INFO, " ATQA: " _GREEN_("4K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); + PrintAndLogEx(INFO, " SIZE: " _GREEN_("4K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); isPlus = true; } From a3ea353dab97a2ed301783daf61bbd8c1e9129ae Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Wed, 8 Apr 2020 22:44:51 +0200 Subject: [PATCH 27/28] Improve hf mfdes and cleanup --- client/cmdhfmfdes.c | 606 +++++++++++++++++++------------------------- include/protocols.h | 4 + 2 files changed, 267 insertions(+), 343 deletions(-) diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index c4cab419a..22e401b07 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -16,6 +16,7 @@ #include "cmdparser.h" // command_t #include "comms.h" #include "ui.h" +#include "cmdhw.h" #include "cmdhf14a.h" #include "mbedtls/des.h" #include "crypto/libpcrypto.h" @@ -24,7 +25,7 @@ #include "cmdtrace.h" #include "cliparser/cliparser.h" #include "emv/apduinfo.h" // APDU manipulation / errorcodes -#include "emv/emvcore.h" // APDU logging +#include "emv/emvcore.h" // APDU logging #include "util_posix.h" // msleep #include "mifare/mifare4.h" // MIFARE Authenticate / MAC @@ -50,29 +51,113 @@ typedef struct { static int CmdHelp(const char *Cmd); -static int SendDesfireCmd(uint8_t *c, size_t len, int p0, int p1, int p2, PacketResponseNG *response, int timeout) { +/* + uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00}; + int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen, false); - PacketResponseNG resp; - if (response == NULL) - response = &resp; + if (!res && datalen > 1 && data[0] == 0x09) { + SLmode = 0; + } - clearCommandBuffer(); - SendCommandMIX(CMD_HF_DESFIRE_COMMAND, p0, p1, p2, c, len); +*/ - if (!WaitForResponseTimeout(CMD_ACK, response, timeout)) { - PrintAndLogEx(WARNING, "[SendDesfireCmd] Timed-out: " _RED_("%s"), sprint_hex(c, len)); +int DESFIRESendApdu(bool activate_field, bool leavefield_on, sAPDU apdu, uint8_t *result, int max_result_len, int *result_len, uint16_t *sw) { + *result_len = 0; + if (sw) *sw = 0; + + uint16_t isw = 0; + int res = 0; + + if (activate_field) { DropField(); - return PM3_ETIMEOUT; + msleep(50); } - uint8_t isOK = response->data.asBytes[0] & 0xff; - if (!isOK) { - PrintAndLogEx(WARNING, "[SendDesfireCmd] Unsuccessful: " _RED_("%s"), sprint_hex(c, len)); - return PM3_ESOFT; + // select? + uint8_t data[APDU_RES_LEN] = {0}; + + // COMPUTE APDU + int datalen = 0; + //if (APDUEncodeS(&apdu, false, IncludeLe ? 0x100 : 0x00, data, &datalen)) { + if (APDUEncodeS(&apdu, false, 0x100, data, &datalen)) { + PrintAndLogEx(ERR, "APDU encoding error."); + return PM3_EAPDU_ENCODEFAIL; } + + if (GetAPDULogging() || (g_debugMode > 1)) + PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, datalen)); + + res = ExchangeAPDU14a(data, datalen, activate_field, leavefield_on, result, max_result_len, result_len); + if (res) { + return res; + } + + if (GetAPDULogging() || (g_debugMode > 1)) + PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(result, *result_len)); + + if (*result_len < 2) { + return PM3_SUCCESS; + } + + *result_len -= 2; + isw = (result[*result_len] << 8) + result[*result_len + 1]; + if (sw) + *sw = isw; + + if (isw != 0x9000 && isw != MFDES_SUCCESS_FRAME_RESP && isw != MFDES_ADDITIONAL_FRAME_RESP) { + if (GetAPDULogging()) { + if (isw >> 8 == 0x61) { + PrintAndLogEx(ERR, "APDU chaining len:%02x -->", isw & 0xff); + } else { + PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff)); + return PM3_EAPDU_FAIL; + } + } + } + return PM3_SUCCESS; } + +static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_len, uint16_t *sw, int splitbysize) { + //SetAPDULogging(true); + *sw = 0; + uint8_t data[255 * 5] = {0x00}; + int resplen = 0; + int pos = 0; + int i = 1; + int res = DESFIRESendApdu(select, true, *apdu, data, sizeof(data), &resplen, sw); + if (res != PM3_SUCCESS) return res; + if (*sw != MFDES_ADDITIONAL_FRAME_RESP && *sw != MFDES_SUCCESS_FRAME_RESP) return PM3_ESOFT; + if (dest != NULL) { + memcpy(dest, data, resplen); + } + + pos += resplen; + if (*sw == MFDES_ADDITIONAL_FRAME_RESP) { + apdu->INS = MFDES_ADDITIONAL_FRAME; //0xAF + + res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw); + if (res != PM3_SUCCESS) return res; + if (dest != NULL) { + if (splitbysize) { + memcpy(&dest[i * splitbysize], data, resplen); + i += 1; + } else { + memcpy(&dest[pos], data, resplen); + } + } + pos += resplen; + } + if (splitbysize) *recv_len = i; + else { + *recv_len = pos; + } + //SetAPDULogging(false); + return PM3_SUCCESS; + +} + static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { if (major == 0x00) @@ -89,53 +174,31 @@ static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { return UNKNOWN; } -//ICEMAN: Turn on field method? //none static int test_desfire_authenticate() { - uint8_t c[] = {MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x0A, KEY 0 - SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); - PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { - DropField(); - return PM3_ETIMEOUT; - } - if (resp.length == 13) - return PM3_SUCCESS; - return PM3_ESOFT; + uint8_t c = 0x00; + sAPDU apdu = {0x90, MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, &c}; // 0x0A, KEY 0 + int recv_len = 0; + uint16_t sw = 0; + return send_desfire_cmd(&apdu, false, NONE, &recv_len, &sw, 0); } + // none static int test_desfire_authenticate_iso() { - uint8_t c[] = {MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x1A, KEY 0 - SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); - PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { - DropField(); - return PM3_ETIMEOUT; - } - if (resp.length >= 13) - return PM3_SUCCESS; - return PM3_ESOFT; + uint8_t c = 0x00; + sAPDU apdu = {0x90, MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, &c}; // 0x1A, KEY 0 + int recv_len = 0; + uint16_t sw = 0; + return send_desfire_cmd(&apdu, false, NONE, &recv_len, &sw, 0); } + //none static int test_desfire_authenticate_aes() { - /* Just left here for future use, from TI TRF7970A sloa213 document - const static u08_t CustomKey1[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; - const static u08_t CustomKey2[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, - 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}; - const static u08_t CustomKey3[16] = {0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, - 0x53, 0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, 0x53}; - */ - uint8_t c[] = {MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0xAA, KEY 0 - SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); - PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { - DropField(); - return PM3_ETIMEOUT; - } - if (resp.length >= 13) - return PM3_SUCCESS; - return PM3_ESOFT; + uint8_t c = 0x00; + sAPDU apdu = {0x90, MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, &c}; // 0xAA, KEY 0 + int recv_len = 0; + uint16_t sw = 0; + return send_desfire_cmd(&apdu, false, NONE, &recv_len, &sw, 0); } // --- FREE MEM @@ -146,20 +209,18 @@ static int desfire_print_freemem(uint32_t free_mem) { // init / disconnect static int get_desfire_freemem(uint32_t *free_mem) { - uint8_t c[] = {MFDES_GET_FREE_MEMORY, 0x00, 0x00, 0x00}; // 0x6E - SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); - PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { - return PM3_ETIMEOUT; - } + sAPDU apdu = {0x90, MFDES_GET_FREE_MEMORY, 0x00, 0x00, 0x00, NONE}; // 0x6E + int recv_len = 0; + uint16_t sw = 0; + uint8_t fmem[4] = {0}; - if (resp.length == 8) { - *free_mem = le24toh(resp.data.asBytes + 1); - return PM3_SUCCESS; + int res = send_desfire_cmd(&apdu, true, fmem, &recv_len, &sw, 0); + if (res == PM3_SUCCESS) { + *free_mem = le24toh(fmem); + return res; } - *free_mem = 0; - return PM3_ESOFT; + return res; } @@ -176,7 +237,7 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign {"DESFire EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3A"}, {"NTAG424DNA, NTAG424DNATT, DESFire Light EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3B"}, {"DESFire Light EV1", "040E98E117AAA36457F43173DC920A8757267F44CE4EC5ADD3C54075571AEBBF7B942A9774A1D94AD02572427E5AE0A2DD36591B1FB34FCF3D"}, - {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} + {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} }; uint8_t i; @@ -217,20 +278,25 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign // init / disconnect static int get_desfire_signature(uint8_t *signature, size_t *signature_len) { - uint8_t c[] = {MFDES_READSIG, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x3C - SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); - PacketResponseNG resp; - if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) - return PM3_ETIMEOUT; + uint8_t c = 0x00; + sAPDU apdu = {0x90, MFDES_READSIG, 0x00, 0x00, 0x01, &c}; // 0x3C + int recv_len = 0; + uint16_t sw = 0; + int res = send_desfire_cmd(&apdu, true, signature, &recv_len, &sw, 0); + if (res == PM3_SUCCESS) { + if (recv_len != 56) { + *signature_len = 0; + DropField(); + return PM3_ESOFT; + } else { + *signature_len = recv_len; - if (resp.length == 61) { - memcpy(signature, resp.data.asBytes + 1, 56); - *signature_len = 56; + } + DropField(); return PM3_SUCCESS; - } else { - *signature_len = 0; - return PM3_ESOFT; } + DropField(); + return res; } @@ -268,18 +334,21 @@ static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys) { // none static int get_desfire_keysettings(uint8_t *key_settings, uint8_t *num_keys) { - PacketResponseNG resp; - uint8_t c[] = {MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00}; // 0x45 - int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); - if (ret != PM3_SUCCESS) return ret; - - if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0xae) { + sAPDU apdu = {0x90, MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00, NONE}; //0x45 + int recv_len = 0; + uint16_t sw = 0; + uint8_t data[2] = {0}; + if (num_keys == NULL) return PM3_ESOFT; + if (key_settings == NULL) return PM3_ESOFT; + int res = send_desfire_cmd(&apdu, false, data, &recv_len, &sw, 0); + if (sw == MFDES_EAUTH_RESP) { PrintAndLogEx(WARNING, _RED_("[get_desfire_keysettings] Authentication error")); return PM3_ESOFT; } -// PrintAndLogEx(INFO, "ICE: KEYSETTING resp :: %s", sprint_hex(resp.data.asBytes, resp.length)); - *key_settings = resp.data.asBytes[1]; - *num_keys = resp.data.asBytes[2]; + if (res != PM3_SUCCESS) return res; + + *key_settings = data[0]; + *num_keys = data[1]; return PM3_SUCCESS; } @@ -291,122 +360,72 @@ static int desfire_print_keyversion(uint8_t key_idx, uint8_t key_version) { // none static int get_desfire_keyversion(uint8_t curr_key, uint8_t *num_versions) { - PacketResponseNG resp; - uint8_t c[] = {MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, curr_key, 0x00}; // 0x64 - int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); - if (ret != PM3_SUCCESS) return ret; - - if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0x40) { + sAPDU apdu = {0x90, MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, &curr_key}; //0x64 + int recv_len = 0; + uint16_t sw = 0; + if (num_versions == NULL) return PM3_ESOFT; + int res = send_desfire_cmd(&apdu, false, num_versions, &recv_len, &sw, 0); + if (sw == MFDES_ENO_SUCH_KEY_RESP) { + PrintAndLogEx(WARNING, _RED_("[get_desfire_keyversion] Key %d doesn't exist"), curr_key); return PM3_ESOFT; } - - *num_versions = resp.data.asBytes[1]; - return PM3_SUCCESS; -} - - -// init -static int get_desfire_select_application(uint8_t *aid) { - if (aid == NULL) return PM3_ESOFT; - - DropField(); - uint8_t c[] = {MFDES_SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a - PacketResponseNG resp; - int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); - if (ret != PM3_SUCCESS) { - if (ret == PM3_ESOFT) { - PrintAndLogEx(WARNING, "[get_desfire_select_application] Can't select AID: " _RED_("%s"), sprint_hex(aid, 3)); - } - return ret; - } - - if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0x00) { - return PM3_SUCCESS; - } - - return PM3_ESOFT; + return res; } // init / disconnect static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { - - uint8_t c[] = {MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00}; //0x6a - PacketResponseNG resp; - int ret = SendDesfireCmd(c, sizeof(c), INIT | CLEARTRACE | DISCONNECT, sizeof(c), 0, &resp, 1500); - if (ret != PM3_SUCCESS) return ret; - - *app_ids_len = resp.length - 5; - - // resp.length - 2crc, 2status, 1pcb... - memcpy(dest, resp.data.asBytes + 1, *app_ids_len); - - if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) { - - c[0] = MFDES_ADDITIONAL_FRAME; //0xAF - ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); - if (ret != PM3_SUCCESS) return ret; - - memcpy(dest + *app_ids_len, resp.data.asBytes + 1, resp.length - 5); - - *app_ids_len += (resp.length - 5); - } - return PM3_SUCCESS; + sAPDU apdu = {0x90, MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00, NULL}; //0x6a + int recv_len = 0; + uint16_t sw = 0; + if (dest == NULL) return PM3_ESOFT; + if (app_ids_len == NULL) return PM3_ESOFT; + int res = send_desfire_cmd(&apdu, true, dest, &recv_len, &sw, 0); + if (res != PM3_SUCCESS) return res; + *app_ids_len = (uint8_t)recv_len & 0xFF; + return res; } static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) { + sAPDU apdu = {0x90, MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00, NULL}; //0x6d + int recv_len = 0; + uint16_t sw = 0; if (dest == NULL) return PM3_ESOFT; - uint8_t c[] = {MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00}; //0x6d - PacketResponseNG resp; - int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); - if (ret != PM3_SUCCESS) return ret; - - uint8_t count = 1; - memcpy(&dest[count - 1], resp.data.asBytes + 1, resp.length - 5); - if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) { - c[0] = MFDES_ADDITIONAL_FRAME; //0xAF - - ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 3000); - if (ret != PM3_SUCCESS) return ret; - - - count++; - memcpy(&dest[count - 1], resp.data.asBytes + 1, resp.length - 5); - } - *dfname_count = count; - return PM3_SUCCESS; + if (dfname_count == NULL) return PM3_ESOFT; + int res = send_desfire_cmd(&apdu, true, (uint8_t *)dest, &recv_len, &sw, sizeof(dfname_t)); + if (res != PM3_SUCCESS) return res; + *dfname_count = recv_len; + return res; } +// init +static int get_desfire_select_application(uint8_t *aid) { + sAPDU apdu = {0x90, MFDES_SELECT_APPLICATION, 0x00, 0x00, 0x03, aid}; //0x5a + int recv_len = 0; + uint16_t sw = 0; + if (aid == NULL) return PM3_ESOFT; + return send_desfire_cmd(&apdu, true, NONE, &recv_len, &sw, sizeof(dfname_t)); +} + // none static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) { - uint8_t c[] = {MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00}; // 0x6f - PacketResponseNG resp; - int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); - if (ret != PM3_SUCCESS) return ret; - - if (resp.data.asBytes[resp.length - 4] == 0x91 && resp.data.asBytes[resp.length - 3] == 0x00) { - *file_ids_len = resp.length - 5; - memcpy(dest, resp.data.asBytes + 1, *file_ids_len); - return PM3_SUCCESS; - } - - return PM3_ESOFT; + sAPDU apdu = {0x90, MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00, NULL}; //0x6f + int recv_len = 0; + uint16_t sw = 0; + if (dest == NULL) return PM3_ESOFT; + if (file_ids_len == NULL) return PM3_ESOFT; + *file_ids_len = 0; + int res = send_desfire_cmd(&apdu, false, dest, &recv_len, &sw, 0); + if (res != PM3_SUCCESS) return res; + *file_ids_len = recv_len; + return res; } -static int get_desfire_filesettings(uint8_t file_id, uint8_t *dest, uint8_t *destlen) { - uint8_t c[] = {MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, file_id, 0x00}; // 0xF5 - PacketResponseNG resp; - int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); - if (ret != PM3_SUCCESS) return ret; - - if (resp.data.asBytes[resp.length - 4] == 0x91 && resp.data.asBytes[resp.length - 3] == 0x00) { - *destlen = resp.length - 5; - memcpy(dest, resp.data.asBytes + 1, *destlen); - return PM3_SUCCESS; - } - - return PM3_ESOFT; +static int get_desfire_filesettings(uint8_t file_id, uint8_t *dest, int *destlen) { + sAPDU apdu = {0x90, MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, &file_id}; // 0xF5 + uint16_t sw = 0; + return send_desfire_cmd(&apdu, false, dest, destlen, &sw, 0); } static int CmdHF14ADesInfo(const char *Cmd) { @@ -703,7 +722,7 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { (void)Cmd; // Cmd is not used so far // uint8_t isOK = 0x00; - uint8_t aid[3]; + uint8_t aid[3] = {0}; uint8_t app_ids[78] = {0}; uint8_t app_ids_len = 0; @@ -715,6 +734,7 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) { PrintAndLogEx(ERR, "Can't get list of applications on tag"); + DropField(); return PM3_ESOFT; } @@ -767,7 +787,7 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { PrintAndLogEx(SUCCESS, " Fileid %d (0x%02x)", file_ids[j], file_ids[j]); uint8_t filesettings[20] = {0}; - uint8_t fileset_len = 0; + int fileset_len = 0; int res = get_desfire_filesettings(j, filesettings, &fileset_len); if (res == PM3_SUCCESS) { PrintAndLogEx(INFO, " Settings [%u] %s", fileset_len, sprint_hex(filesettings, fileset_len)); @@ -805,195 +825,90 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { DropField(); return PM3_SUCCESS; } -/* - uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00}; - int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen, false); - if (!res && datalen > 1 && data[0] == 0x09) { - SLmode = 0; - } - -*/ - -int DESFIRESendApdu(bool activate_field, bool leavefield_on, sAPDU apdu, uint8_t *result, int max_result_len, int *result_len, uint16_t *sw) { - - *result_len = 0; - if (sw) *sw = 0; - - uint16_t isw = 0; - int res = 0; - - if (activate_field) { - DropField(); - msleep(50); - } - - // select? - uint8_t data[APDU_RES_LEN] = {0}; - - // COMPUTE APDU - int datalen = 0; - //if (APDUEncodeS(&apdu, false, IncludeLe ? 0x100 : 0x00, data, &datalen)) { - if (APDUEncodeS(&apdu, false, 0x100, data, &datalen)) { - PrintAndLogEx(ERR, "APDU encoding error."); - return PM3_EAPDU_ENCODEFAIL; - } - - if (GetAPDULogging()) - PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, datalen)); - - res = ExchangeAPDU14a(data, datalen, activate_field, leavefield_on, result, max_result_len, result_len); - if (res) { - return res; - } - - if (GetAPDULogging()) - PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(result, *result_len)); - - if (*result_len < 2) { - return PM3_SUCCESS; - } - - *result_len -= 2; - isw = (result[*result_len] << 8) + result[*result_len + 1]; - if (sw) - *sw = isw; - - if (isw != 0x9000 && isw != 0x9100) { - if (GetAPDULogging()) { - if (isw >> 8 == 0x61) { - PrintAndLogEx(ERR, "APDU chaining len:%02x -->", isw & 0xff); - } else { - PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff)); - return PM3_EAPDU_FAIL; - } - } - } - - return PM3_SUCCESS; -} - -static int CmdHF14ADesTEST(const char *Cmd) { - - uint8_t aid[3]; - uint8_t app_ids[78] = {0}; - int app_ids_len = 0; - -// uint8_t file_ids[33] = {0}; -// uint8_t file_ids_len = 0; - - uint8_t data[255*5] = {0}; - dfname_t dfnames[255] = {0}; - int dfname_count = 0; - uint16_t sw = 0; - - SetAPDULogging(true); - - // get application ids - sAPDU apdu = {0x90, MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00, NULL}; - int res = DESFIRESendApdu(true, true, apdu, app_ids, sizeof(app_ids), &app_ids_len, &sw); - if (res != PM3_SUCCESS) - goto out; - - // get dfnames - apdu.INS = MFDES_GET_DF_NAMES; - res = DESFIRESendApdu(true, false, apdu, data, sizeof(data), &dfname_count, &sw); - if (res != PM3_SUCCESS) - goto out; - - - // enum test... - for (int i = 0; i < app_ids_len; i += 3) { - - aid[0] = app_ids[i]; - aid[1] = app_ids[i + 1]; - aid[2] = app_ids[i + 2]; - - PrintAndLogEx(NORMAL, ""); - - if (memcmp(aid, "\x00\x00\x00", 3) == 0) { - // CARD MASTER KEY - PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); - } else { - PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); - } - - PrintAndLogEx(SUCCESS, " AID : " _GREEN_("%s"), sprint_hex(aid, sizeof(aid))); - for (int m = 0; m < dfname_count; m++) { - if (memcmp (dfnames[m].aid, aid, 3) == 0) { - PrintAndLogEx(SUCCESS, " - DF " _YELLOW_("%02X %02X") " Name : " _YELLOW_("%s"), - dfnames[m].fid[0], dfnames[m].fid[1], - dfnames[m].name - ); - } - } - } - - -out: - SetAPDULogging(false); - return PM3_SUCCESS; -} - // MIAFRE DESFire Authentication // #define BUFSIZE 256 static int CmdHF14ADesAuth(const char *Cmd) { - + clearCommandBuffer(); // NR DESC KEYLENGHT // ------------------------ // 1 = DES 8 // 2 = 3DES 16 // 3 = 3K 3DES 24 // 4 = AES 16 - + //SetAPDULogging(true); uint8_t keylength = 8; - uint8_t key[24]; - uint8_t aidlength = 3; - uint8_t aid[3]; - if (strlen(Cmd) < 3) { - PrintAndLogEx(NORMAL, "Usage: hf mfdes auth <1|2|3> <1|2|3|4> "); - PrintAndLogEx(NORMAL, " Auth modes"); - PrintAndLogEx(NORMAL, " 1 = normal, 2 = iso, 3 = aes"); - PrintAndLogEx(NORMAL, " Crypto"); - PrintAndLogEx(NORMAL, " 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES"); - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(NORMAL, "Examples:"); - PrintAndLogEx(NORMAL, _YELLOW_(" hf mfdes auth 1 1 0 0 11223344")); - PrintAndLogEx(NORMAL, _YELLOW_(" hf mfdes auth 3 4 018380 0 404142434445464748494a4b4c4d4e4f")); - return PM3_SUCCESS; - } - uint8_t cmdAuthMode = param_get8(Cmd, 0); - uint8_t cmdAuthAlgo = param_get8(Cmd, 1); - // AID - if (param_gethex(Cmd, 2, aid, aidlength * 2)) { - PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3); + CLIParserInit("hf mfdes auth", + "Authenticates Mifare DESFire using Key", + "Usage:\n\t-m Auth type (1=normal, 2=iso, 3=aes)\n\t-t Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)\n\t-a aid (3 bytes)\n\t-n keyno\n\t-k key (8-24 bytes)\n\n" + "Example:\n\thf mfdes auth -m 3 -t 4 -a 018380 -n 0 -k 404142434445464748494a4b4c4d4e4f\n" + ); + + void *argtable[] = { + arg_param_begin, + arg_int0("mM", "type", "Auth type (1=normal, 2=iso, 3=aes)", NULL), + arg_int0("tT", "algo", "Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)", NULL), + arg_strx0("aA", "aid", "", "AID used for authentification"), + arg_int0("nN", "keyno", "Key number used for authentification", NULL), + arg_str0("kK", "key", "", "Key for checking (HEX 16 bytes)"), + arg_param_end + }; + CLIExecWithReturn(Cmd, argtable, true); + + uint8_t cmdAuthMode = arg_get_int_def(1, 0); + uint8_t cmdAuthAlgo = arg_get_int_def(2, 0); + + int aidlength = 3; + uint8_t aid[3] = {0}; + CLIGetHexWithReturn(3, aid, &aidlength); + + uint8_t cmdKeyNo = arg_get_int_def(4, 0); + + uint8_t key[24] = {0}; + int keylen = 0; + CLIGetHexWithReturn(5, key, &keylen); + CLIParserFree(); + + if ((keylen < 8) || (keylen > 24)) { + PrintAndLogEx(ERR, "Specified key must have 16 bytes length."); + //SetAPDULogging(false); + return PM3_EINVARG; + } + + // AID + if (aidlength != 3) { + PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3); + //SetAPDULogging(false); return PM3_EINVARG; } - uint8_t cmdKeyNo = param_get8(Cmd, 3); switch (cmdAuthMode) { case 1: if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); + //SetAPDULogging(false); return PM3_EINVARG; } break; case 2: if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); + //SetAPDULogging(false); return PM3_EINVARG; } break; case 3: if (cmdAuthAlgo != 4) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); + //SetAPDULogging(false); return PM3_EINVARG; } break; default: - PrintAndLogEx(WARNING, "Wrong Auth mode"); + PrintAndLogEx(WARNING, "Wrong Auth mode (%d) -> (1=normal, 2=iso, 3=aes)", cmdAuthMode); + //SetAPDULogging(false); return PM3_EINVARG; } @@ -1017,8 +932,8 @@ static int CmdHF14ADesAuth(const char *Cmd) { break; } - // key - if (param_gethex(Cmd, 4, key, keylength * 2)) { + // KEY + if (keylen != keylength) { PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength); return PM3_EINVARG; } @@ -1031,17 +946,23 @@ static int CmdHF14ADesAuth(const char *Cmd) { uint8_t file_ids[33] = {0}; uint8_t file_ids_len = 0; - get_desfire_fileids(file_ids, &file_ids_len); + int res = get_desfire_fileids(file_ids, &file_ids_len); + if (res != PM3_SUCCESS) { + PrintAndLogEx(WARNING, "Get file ids error."); + DropField(); + return res; + } + // algo, keylength, uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES) memcpy(data + 1, key, keylength); - clearCommandBuffer(); SendCommandOLD(CMD_HF_DESFIRE_AUTH1, cmdAuthMode, cmdAuthAlgo, cmdKeyNo, data, keylength + 1); PacketResponseNG resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) { PrintAndLogEx(WARNING, "Client command execute timeout"); + DropField(); return PM3_ETIMEOUT; } @@ -1073,7 +994,6 @@ static command_t CommandTable[] = { {"auth", CmdHF14ADesAuth, IfPm3Iso14443a, "Tries a MIFARE DesFire Authentication"}, // {"rdbl", CmdHF14ADesRb, IfPm3Iso14443a, "Read MIFARE DesFire block"}, // {"wrbl", CmdHF14ADesWb, IfPm3Iso14443a, "write MIFARE DesFire block"}, - {"test", CmdHF14ADesTEST, IfPm3Iso14443a, "testing command"}, {NULL, NULL, NULL, NULL} }; diff --git a/include/protocols.h b/include/protocols.h index 76b891b9a..03953fcc6 100644 --- a/include/protocols.h +++ b/include/protocols.h @@ -381,6 +381,10 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. #define MFDES_ABORT_TRANSACTION 0xA7 #define MFDES_AUTHENTICATION_FRAME 0xAF #define MFDES_ADDITIONAL_FRAME 0xAF +#define MFDES_ADDITIONAL_FRAME_RESP 0x91AF +#define MFDES_SUCCESS_FRAME_RESP 0x9100 +#define MFDES_EAUTH_RESP 0x91AE +#define MFDES_ENO_SUCH_KEY_RESP 0x9140 #define MFDES_READ_RECORDS 0xBB #define MFDES_READ_DATA 0xBD From d9d92b1ec009eaeda32d0e02ca75bbbd59c57e1a Mon Sep 17 00:00:00 2001 From: Bjoern Kerler Date: Wed, 8 Apr 2020 22:51:29 +0200 Subject: [PATCH 28/28] Update Changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a878351b7..eff29cc79 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Rewrote `hf mfdes` functions and added apdu debugging (@bkerler) - Add Mifare Desfire GetDFNames and improve HF MFDES Enum output (@bkerler) - Fix Mifare Desfire select appid handling (@bkerler) - Improved `hf 14a info` - card detection handling (@bkerler)