github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-21 22:03:42 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #20 from RfidResearchGroup/master

Browse source 
Update
This commit is contained in:
Bjoern Kerler 2020-04-09 09:31:48 +02:00 committed by GitHub
commit 5c167cdd57
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 705 additions and 391 deletions
Download patch file Download diff file Expand all files Collapse all files

3
CHANGELOG.md
View file

@ -3,6 +3,9 @@ All notable changes to this project will be documented in this file.
This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased] ## [unreleased][unreleased]
- Rewrote `hf mfdes` functions and added apdu debugging (@bkerler)
- Add Mifare Desfire GetDFNames and improve HF MFDES Enum output (@bkerler)
- Fix Mifare Desfire select appid handling (@bkerler)
- Improved `hf 14a info` - card detection handling (@bkerler) - Improved `hf 14a info` - card detection handling (@bkerler)
- Updated helptext layout in all luascripts (@iceman1001) - Updated helptext layout in all luascripts (@iceman1001)
- Change `hf mfdes info` - output and logging (@bkerler) - Change `hf mfdes info` - output and logging (@bkerler)

1
armsrc/desfire.h
View file

@ -150,6 +150,7 @@ enum DESFIRE_CMD {
GET_FREE_MEMORY = 0x6e, GET_FREE_MEMORY = 0x6e,
GET_FILE_IDS = 0x6f, GET_FILE_IDS = 0x6f,
GET_FILE_SETTINGS = 0xf5, GET_FILE_SETTINGS = 0xf5,
GET_DF_NAMES = 0x6d,
CHANGE_FILE_SETTINGS = 0x5f, CHANGE_FILE_SETTINGS = 0x5f,
CREATE_STD_DATA_FILE = 0xcd, CREATE_STD_DATA_FILE = 0xcd,
CREATE_BACKUP_DATA_FILE = 0xcb, CREATE_BACKUP_DATA_FILE = 0xcb,

31
armsrc/epa.c
View file

@ -263,7 +263,7 @@ static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return) {
EPA_Finish(); EPA_Finish();
// send the USB packet // send the USB packet
reply_old(CMD_ACK, step, func_return, 0, 0, 0); reply_mix(CMD_ACK, step, func_return, 0, 0, 0);
} }
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
@ -280,12 +280,8 @@ void EPA_PACE_Collect_Nonce(PacketCommandNG *c) {
* d: * d:
* Encrypted nonce * Encrypted nonce
*/ */
// return value of a function
int func_return = 0;
// set up communication // set up communication
func_return = EPA_Setup(); int func_return = EPA_Setup();
if (func_return != 0) { if (func_return != 0) {
EPA_PACE_Collect_Nonce_Abort(1, func_return); EPA_PACE_Collect_Nonce_Abort(1, func_return);
return; return;
@ -335,7 +331,7 @@ void EPA_PACE_Collect_Nonce(PacketCommandNG *c) {
EPA_Finish(); EPA_Finish();
// save received information // save received information
reply_old(CMD_ACK, 0, func_return, 0, nonce, func_return); reply_mix(CMD_ACK, 0, func_return, 0, nonce, func_return);
} }
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
@ -447,7 +443,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) {
if (c->oldarg[0] != 0) { if (c->oldarg[0] != 0) {
// make sure it's not too big // make sure it's not too big
if (c->oldarg[2] > apdus_replay[c->oldarg[0] - 1].len) { if (c->oldarg[2] > apdus_replay[c->oldarg[0] - 1].len) {
reply_old(CMD_ACK, 1, 0, 0, NULL, 0); reply_mix(CMD_ACK, 1, 0, 0, NULL, 0);
} }
memcpy(apdus_replay[c->oldarg[0] - 1].data + c->oldarg[1], memcpy(apdus_replay[c->oldarg[0] - 1].data + c->oldarg[1],
c->data.asBytes, c->data.asBytes,
@ -458,7 +454,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) {
} else { } else {
apdu_lengths_replay[c->oldarg[0] - 1] += c->oldarg[2]; apdu_lengths_replay[c->oldarg[0] - 1] += c->oldarg[2];
} }
reply_old(CMD_ACK, 0, 0, 0, NULL, 0); reply_mix(CMD_ACK, 0, 0, 0, NULL, 0);
return; return;
} }
@ -469,7 +465,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) {
func_return = EPA_Setup(); func_return = EPA_Setup();
if (func_return != 0) { if (func_return != 0) {
EPA_Finish(); EPA_Finish();
reply_old(CMD_ACK, 2, func_return, 0, NULL, 0); reply_mix(CMD_ACK, 2, func_return, 0, NULL, 0);
return; return;
} }
@ -492,12 +488,12 @@ void EPA_PACE_Replay(PacketCommandNG *c) {
|| response_apdu[func_return - 4] != 0x90 || response_apdu[func_return - 4] != 0x90
|| response_apdu[func_return - 3] != 0x00)) { || response_apdu[func_return - 3] != 0x00)) {
EPA_Finish(); EPA_Finish();
reply_old(CMD_ACK, 3 + i, func_return, 0, timings, 20); reply_mix(CMD_ACK, 3 + i, func_return, 0, timings, 20);
return; return;
} }
} }
EPA_Finish(); EPA_Finish();
reply_old(CMD_ACK, 0, 0, 0, timings, 20); reply_mix(CMD_ACK, 0, 0, 0, timings, 20);
return; return;
} }
@ -506,14 +502,13 @@ void EPA_PACE_Replay(PacketCommandNG *c) {
// Returns 0 on success or a non-zero error code on failure // Returns 0 on success or a non-zero error code on failure
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
int EPA_Setup() { int EPA_Setup() {
uint8_t uid[10];
iso14a_card_select_t card_a_info;
// first, look for type A cards // first, look for type A cards
// power up the field // power up the field
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
// select the card iso14a_card_select_t card_a_info;
int return_code = iso14443a_select_card(uid, &card_a_info, NULL, true, 0, false); int return_code = iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false);
if (return_code == 1) { if (return_code == 1) {
uint8_t pps_response[3]; uint8_t pps_response[3];
uint8_t pps_response_par[1]; uint8_t pps_response_par[1];
@ -528,12 +523,14 @@ int EPA_Setup() {
return 0; return 0;
} }
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
// if we're here, there is no type A card, so we look for type B // if we're here, there is no type A card, so we look for type B
// power up the field // power up the field
iso14443b_setup(); iso14443b_setup();
iso14b_card_select_t card_b_info; iso14b_card_select_t card_b_info;
// select the card
return_code = iso14443b_select_card(&card_b_info); return_code = iso14443b_select_card(&card_b_info);
if (return_code == 0) { if (return_code == 0) {
Dbprintf("ISO 14443 Type B"); Dbprintf("ISO 14443 Type B");
iso_type = 'b'; iso_type = 'b';

4
armsrc/felica.c
View file

@ -621,7 +621,7 @@ void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) {
set_tracelen(BigBuf_max_traceLen()); set_tracelen(BigBuf_max_traceLen());
Dbprintf("Felica sniffing done, tracelen: %i, use hf list felica for annotations", BigBuf_get_traceLen()); Dbprintf("Felica sniffing done, tracelen: %i, use hf list felica for annotations", BigBuf_get_traceLen());
reply_old(CMD_ACK, 1, numbts, 0, 0, 0); reply_mix(CMD_ACK, 1, numbts, 0, 0, 0);
LED_D_OFF(); LED_D_OFF();
} }
@ -812,5 +812,5 @@ void felica_dump_lite_s() {
//setting tracelen - important! it was set by buffer overflow before //setting tracelen - important! it was set by buffer overflow before
set_tracelen(cnt); set_tracelen(cnt);
reply_old(CMD_ACK, isOK, cnt, 0, 0, 0); reply_mix(CMD_ACK, isOK, cnt, 0, 0, 0);
} }

6
armsrc/hitagS.c
View file

@ -1407,7 +1407,7 @@ void ReadHitagS(hitag_function htf, hitag_data *htd) {
set_tracing(false); set_tracing(false);
lf_finalize(); lf_finalize();
reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0);
} }
/* /*
@ -1624,7 +1624,7 @@ void WritePageHitagS(hitag_function htf, hitag_data *htd, int page) {
lf_finalize(); lf_finalize();
reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0);
} }
/* /*
@ -1860,5 +1860,5 @@ void check_challenges(bool file_given, uint8_t *data) {
set_tracing(false); set_tracing(false);
lf_finalize(); lf_finalize();
reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0);
} }

6
armsrc/legicrf.c
View file

@ -438,7 +438,7 @@ void LegicRfInfo(void) {
} }
// OK // OK
reply_old(CMD_ACK, 1, 0, 0, (uint8_t *)&card, sizeof(legic_card_select_t)); reply_mix(CMD_ACK, 1, 0, 0, (uint8_t *)&card, sizeof(legic_card_select_t));
OUT: OUT:
switch_off(); switch_off();
@ -513,7 +513,7 @@ void LegicRfReader(uint16_t offset, uint16_t len, uint8_t iv) {
} }
// OK // OK
reply_old(CMD_ACK, 1, len, 0, legic_mem, len); reply_mix(CMD_ACK, 1, len, 0, 0, 0);
OUT: OUT:
switch_off(); switch_off();
@ -552,7 +552,7 @@ void LegicRfWriter(uint16_t offset, uint16_t len, uint8_t iv, uint8_t *data) {
} }
// OK // OK
reply_old(CMD_ACK, 1, len, 0, legic_mem, len); reply_mix(CMD_ACK, 1, len, 0, 0, 0);
OUT: OUT:
switch_off(); switch_off();

2
armsrc/mifaredesfire.c
View file

@ -609,6 +609,6 @@ void OnSuccess() {
} }
void OnError(uint8_t reason) { void OnError(uint8_t reason) {
reply_old(CMD_ACK, 0, reason, 0, 0, 0); reply_mix(CMD_ACK, 0, reason, 0, 0, 0);
OnSuccess(); OnSuccess();
} }

20
client/cmdhf14a.c
View file

@ -193,7 +193,7 @@ static int usage_hf_14a_sim(void) {
PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344")); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344"));
PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344556677")); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344556677"));
// PrintAndLogEx(NORMAL, " hf 14a sim t 1 u 11223445566778899AA\n"); // PrintAndLogEx(NORMAL, " hf 14a sim t 1 u 11223445566778899AA\n");
return 0; return PM3_SUCCESS;
} }
static int usage_hf_14a_sniff(void) { static int usage_hf_14a_sniff(void) {
PrintAndLogEx(NORMAL, "It get data from the field and saves it into command buffer."); PrintAndLogEx(NORMAL, "It get data from the field and saves it into command buffer.");
@ -203,7 +203,7 @@ static int usage_hf_14a_sniff(void) {
PrintAndLogEx(NORMAL, "r - triggered by first 7-bit request from reader (REQ,WUP,...)"); PrintAndLogEx(NORMAL, "r - triggered by first 7-bit request from reader (REQ,WUP,...)");
PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, "Examples:");
PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sniff c r")); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sniff c r"));
return 0; return PM3_SUCCESS;
} }
static int usage_hf_14a_raw(void) { static int usage_hf_14a_raw(void) {
PrintAndLogEx(NORMAL, "Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>"); PrintAndLogEx(NORMAL, "Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] <milliseconds> [-b] <number of bits> <0A 0B 0C ... hex>");
@ -217,7 +217,7 @@ static int usage_hf_14a_raw(void) {
PrintAndLogEx(NORMAL, " -t timeout in ms"); PrintAndLogEx(NORMAL, " -t timeout in ms");
PrintAndLogEx(NORMAL, " -T use Topaz protocol to send command"); PrintAndLogEx(NORMAL, " -T use Topaz protocol to send command");
PrintAndLogEx(NORMAL, " -3 ISO14443-3 select only (skip RATS)"); PrintAndLogEx(NORMAL, " -3 ISO14443-3 select only (skip RATS)");
return 0; return PM3_SUCCESS;
} }
static int usage_hf_14a_reader(void) { static int usage_hf_14a_reader(void) {
PrintAndLogEx(NORMAL, "Usage: hf 14a reader [k|s|x] [3]"); PrintAndLogEx(NORMAL, "Usage: hf 14a reader [k|s|x] [3]");
@ -225,7 +225,7 @@ static int usage_hf_14a_reader(void) {
PrintAndLogEx(NORMAL, " s silent (no messages)"); PrintAndLogEx(NORMAL, " s silent (no messages)");
PrintAndLogEx(NORMAL, " x just drop the signal field"); PrintAndLogEx(NORMAL, " x just drop the signal field");
PrintAndLogEx(NORMAL, " 3 ISO14443-3 select only (skip RATS)"); PrintAndLogEx(NORMAL, " 3 ISO14443-3 select only (skip RATS)");
return 0; return PM3_SUCCESS;
} }
static int CmdHF14AList(const char *Cmd) { static int CmdHF14AList(const char *Cmd) {
@ -580,7 +580,7 @@ int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leav
if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
// get ATS // get ATS
uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
SendCommandOLD(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0, rats, 2); SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0, rats, sizeof(rats));
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
if (!silentMode) PrintAndLogEx(ERR, "Proxmark3 connection timeout."); if (!silentMode) PrintAndLogEx(ERR, "Proxmark3 connection timeout.");
return 1; return 1;
@ -674,7 +674,7 @@ static int SelectCard14443_4(bool disconnect, iso14a_card_select_t *card) {
if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
// get ATS // get ATS
uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0
SendCommandOLD(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, sizeof(rats), 0, rats, sizeof(rats)); SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, sizeof(rats), 0, rats, sizeof(rats));
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
PrintAndLogEx(ERR, "Proxmark3 connection timeout."); PrintAndLogEx(ERR, "Proxmark3 connection timeout.");
return 1; return 1;
@ -1237,7 +1237,7 @@ static command_t CommandTable[] = {
static int CmdHelp(const char *Cmd) { static int CmdHelp(const char *Cmd) {
(void)Cmd; // Cmd is not used so far (void)Cmd; // Cmd is not used so far
CmdsHelp(CommandTable); CmdsHelp(CommandTable);
return 0; return PM3_SUCCESS;
} }
int CmdHF14A(const char *Cmd) { int CmdHF14A(const char *Cmd) {
@ -1317,10 +1317,8 @@ int detect_nxp_card(uint8_t sak, uint16_t atqa) {
printTag("MIFARE NTAG424DNA (Random ID feature)"); printTag("MIFARE NTAG424DNA (Random ID feature)");
type |= MTDESFIRE; type |= MTDESFIRE;
} else { } else {
printTag("MIFARE Plus 2K / Plus EV1 2K"); printTag("MIFARE Plus 2K/4K / Plus EV1 2K/4K");
printTag("MIFARE Plus 4K / Plus EV1 4K"); printTag("MIFARE Plus CL2 2K/4K / Plus CL2 EV1 2K/4K");
printTag("MIFARE Plus CL2 2K / Plus CL2 EV1 4K");
printTag("MIFARE Plus CL2 4K / Plus CL2 EV1 4K");
type |= MTPLUS; type |= MTPLUS;
} }
} }

19
client/cmdhflegic.c
View file

@ -658,6 +658,16 @@ static int CmdLegicWrbl(const char *Cmd) {
} }
} }
} }
// OUT-OF-BOUNDS checks
// UID 4+1 bytes can't be written to.
if (offset < 5) {
if (data)
free(data);
PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset);
return PM3_EOUTOFBOUND;
}
//Validations //Validations
if (errors || cmdp == 0) { if (errors || cmdp == 0) {
if (data) if (data)
@ -674,14 +684,7 @@ static int CmdLegicWrbl(const char *Cmd) {
legic_print_type(card.cardsize, 0); legic_print_type(card.cardsize, 0);
// OUT-OF-BOUNDS checks if (len + offset > card.cardsize) {
// UID 4+1 bytes can't be written to.
if (offset < 5) {
PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset);
return PM3_EOUTOFBOUND;
}
if (len + offset >= card.cardsize) {
PrintAndLogEx(WARNING, "Out-of-bounds, Cardsize = %d, [offset+len = %d ]", card.cardsize, len + offset); PrintAndLogEx(WARNING, "Out-of-bounds, Cardsize = %d, [offset+len = %d ]", card.cardsize, len + offset);
return PM3_EOUTOFBOUND; return PM3_EOUTOFBOUND;
} }

3
client/cmdhflist.c
View file

@ -768,6 +768,9 @@ void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) {
case MFDES_GET_FILE_IDS: case MFDES_GET_FILE_IDS:
snprintf(exp, size, "GET FILE IDS"); snprintf(exp, size, "GET FILE IDS");
break; break;
case MFDES_GET_DF_NAMES:
snprintf(exp, size, "GET DF NAMES");
break;
case MFDES_GET_ISOFILE_IDS: case MFDES_GET_ISOFILE_IDS:
snprintf(exp, size, "GET ISOFILE IDS"); snprintf(exp, size, "GET ISOFILE IDS");
break; break;

526
client/cmdhfmfdes.c
View file

@ -16,12 +16,18 @@
#include "cmdparser.h" // command_t #include "cmdparser.h" // command_t
#include "comms.h" #include "comms.h"
#include "ui.h" #include "ui.h"
#include "cmdhw.h"
#include "cmdhf14a.h" #include "cmdhf14a.h"
#include "mbedtls/des.h" #include "mbedtls/des.h"
#include "crypto/libpcrypto.h" #include "crypto/libpcrypto.h"
#include "protocols.h" #include "protocols.h"
#include "mifare.h" // desfire raw command options #include "mifare.h" // desfire raw command options
#include "cmdtrace.h" #include "cmdtrace.h"
#include "cliparser/cliparser.h"
#include "emv/apduinfo.h" // APDU manipulation / errorcodes
#include "emv/emvcore.h" // APDU logging
#include "util_posix.h" // msleep
#include "mifare/mifare4.h" // MIFARE Authenticate / MAC
uint8_t key_zero_data[16] = { 0x00 }; uint8_t key_zero_data[16] = { 0x00 };
uint8_t key_ones_data[16] = { 0x01 }; uint8_t key_ones_data[16] = { 0x01 };
@ -37,33 +43,121 @@ typedef enum {
LIGHT, LIGHT,
} desfire_cardtype_t; } desfire_cardtype_t;
typedef struct {
uint8_t aid[3];
uint8_t fid[2];
uint8_t name[16];
} dfname_t;
static int CmdHelp(const char *Cmd); static int CmdHelp(const char *Cmd);
/*
uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00};
int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen, false);
static int SendDesfireCmd(uint8_t *c, size_t len, int p0, int p1, int p2, PacketResponseNG *response, int timeout) { if (!res && datalen > 1 && data[0] == 0x09) {
PacketResponseNG resp; SLmode = 0;
}
if (response == NULL) */
response = &resp;
clearCommandBuffer(); int DESFIRESendApdu(bool activate_field, bool leavefield_on, sAPDU apdu, uint8_t *result, int max_result_len, int *result_len, uint16_t *sw) {
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, p0, p1, p2, c, len); *result_len = 0;
if (sw) *sw = 0;
if (!WaitForResponseTimeout(CMD_ACK, response, timeout)) { uint16_t isw = 0;
PrintAndLogEx(WARNING, "[SendDesfireCmd] Timed-out: " _RED_("%s"), sprint_hex(c, len)); int res = 0;
if (activate_field) {
DropField(); DropField();
return PM3_ETIMEOUT; msleep(50);
} }
uint8_t isOK = response->data.asBytes[0] & 0xff; // select?
if (!isOK) { uint8_t data[APDU_RES_LEN] = {0};
PrintAndLogEx(WARNING, "[SendDesfireCmd] Unsuccessful: " _RED_("%s"), sprint_hex(c, len));
return PM3_ESOFT; // COMPUTE APDU
int datalen = 0;
//if (APDUEncodeS(&apdu, false, IncludeLe ? 0x100 : 0x00, data, &datalen)) {
if (APDUEncodeS(&apdu, false, 0x100, data, &datalen)) {
PrintAndLogEx(ERR, "APDU encoding error.");
return PM3_EAPDU_ENCODEFAIL;
} }
if (GetAPDULogging() || (g_debugMode > 1))
PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, datalen));
res = ExchangeAPDU14a(data, datalen, activate_field, leavefield_on, result, max_result_len, result_len);
if (res) {
return res;
}
if (GetAPDULogging() || (g_debugMode > 1))
PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(result, *result_len));
if (*result_len < 2) {
return PM3_SUCCESS;
}
*result_len -= 2;
isw = (result[*result_len] << 8) + result[*result_len + 1];
if (sw)
*sw = isw;
if (isw != 0x9000 && isw != MFDES_SUCCESS_FRAME_RESP && isw != MFDES_ADDITIONAL_FRAME_RESP) {
if (GetAPDULogging()) {
if (isw >> 8 == 0x61) {
PrintAndLogEx(ERR, "APDU chaining len:%02x -->", isw & 0xff);
} else {
PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff));
return PM3_EAPDU_FAIL;
}
}
}
return PM3_SUCCESS; return PM3_SUCCESS;
} }
static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_len, uint16_t *sw, int splitbysize) {
//SetAPDULogging(true);
*sw = 0;
uint8_t data[255 * 5] = {0x00};
int resplen = 0;
int pos = 0;
int i = 1;
int res = DESFIRESendApdu(select, true, *apdu, data, sizeof(data), &resplen, sw);
if (res != PM3_SUCCESS) return res;
if (*sw != MFDES_ADDITIONAL_FRAME_RESP && *sw != MFDES_SUCCESS_FRAME_RESP) return PM3_ESOFT;
if (dest != NULL) {
memcpy(dest, data, resplen);
}
pos += resplen;
if (*sw == MFDES_ADDITIONAL_FRAME_RESP) {
apdu->INS = MFDES_ADDITIONAL_FRAME; //0xAF
res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw);
if (res != PM3_SUCCESS) return res;
if (dest != NULL) {
if (splitbysize) {
memcpy(&dest[i * splitbysize], data, resplen);
i += 1;
} else {
memcpy(&dest[pos], data, resplen);
}
}
pos += resplen;
}
if (splitbysize) *recv_len = i;
else {
*recv_len = pos;
}
//SetAPDULogging(false);
return PM3_SUCCESS;
}
static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) {
if (major == 0x00) if (major == 0x00)
@ -80,53 +174,31 @@ static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) {
return UNKNOWN; return UNKNOWN;
} }
//ICEMAN: Turn on field method?
//none //none
static int test_desfire_authenticate() { static int test_desfire_authenticate() {
uint8_t c[] = {AUTHENTICATE, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x0A, KEY 0 uint8_t c = 0x00;
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); sAPDU apdu = {0x90, MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, &c}; // 0x0A, KEY 0
PacketResponseNG resp; int recv_len = 0;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { uint16_t sw = 0;
DropField(); return send_desfire_cmd(&apdu, false, NONE, &recv_len, &sw, 0);
return PM3_ETIMEOUT;
}
if (resp.length == 13)
return PM3_SUCCESS;
return PM3_ESOFT;
} }
// none // none
static int test_desfire_authenticate_iso() { static int test_desfire_authenticate_iso() {
uint8_t c[] = {AUTHENTICATE_ISO, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x1A, KEY 0 uint8_t c = 0x00;
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); sAPDU apdu = {0x90, MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, &c}; // 0x1A, KEY 0
PacketResponseNG resp; int recv_len = 0;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { uint16_t sw = 0;
DropField(); return send_desfire_cmd(&apdu, false, NONE, &recv_len, &sw, 0);
return PM3_ETIMEOUT;
}
if (resp.length >= 13)
return PM3_SUCCESS;
return PM3_ESOFT;
} }
//none //none
static int test_desfire_authenticate_aes() { static int test_desfire_authenticate_aes() {
/* Just left here for future use, from TI TRF7970A sloa213 document uint8_t c = 0x00;
const static u08_t CustomKey1[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, sAPDU apdu = {0x90, MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, &c}; // 0xAA, KEY 0
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; int recv_len = 0;
const static u08_t CustomKey2[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, uint16_t sw = 0;
0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}; return send_desfire_cmd(&apdu, false, NONE, &recv_len, &sw, 0);
const static u08_t CustomKey3[16] = {0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25,
0x53, 0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, 0x53};
*/
uint8_t c[] = {AUTHENTICATE_AES, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0xAA, KEY 0
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c));
PacketResponseNG resp;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
DropField();
return PM3_ETIMEOUT;
}
if (resp.length >= 13)
return PM3_SUCCESS;
return PM3_ESOFT;
} }
// --- FREE MEM // --- FREE MEM
@ -137,20 +209,18 @@ static int desfire_print_freemem(uint32_t free_mem) {
// init / disconnect // init / disconnect
static int get_desfire_freemem(uint32_t *free_mem) { static int get_desfire_freemem(uint32_t *free_mem) {
uint8_t c[] = {GET_FREE_MEMORY, 0x00, 0x00, 0x00}; // 0x6E sAPDU apdu = {0x90, MFDES_GET_FREE_MEMORY, 0x00, 0x00, 0x00, NONE}; // 0x6E
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); int recv_len = 0;
PacketResponseNG resp; uint16_t sw = 0;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { uint8_t fmem[4] = {0};
return PM3_ETIMEOUT;
}
if (resp.length == 8) { int res = send_desfire_cmd(&apdu, true, fmem, &recv_len, &sw, 0);
*free_mem = le24toh(resp.data.asBytes + 1); if (res == PM3_SUCCESS) {
return PM3_SUCCESS; *free_mem = le24toh(fmem);
return res;
} }
*free_mem = 0; *free_mem = 0;
return PM3_ESOFT; return res;
} }
@ -167,7 +237,7 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign
{"DESFire EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3A"}, {"DESFire EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3A"},
{"NTAG424DNA, NTAG424DNATT, DESFire Light EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3B"}, {"NTAG424DNA, NTAG424DNATT, DESFire Light EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3B"},
{"DESFire Light EV1", "040E98E117AAA36457F43173DC920A8757267F44CE4EC5ADD3C54075571AEBBF7B942A9774A1D94AD02572427E5AE0A2DD36591B1FB34FCF3D"}, {"DESFire Light EV1", "040E98E117AAA36457F43173DC920A8757267F44CE4EC5ADD3C54075571AEBBF7B942A9774A1D94AD02572427E5AE0A2DD36591B1FB34FCF3D"},
{"Mifare Plus", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"}
}; };
uint8_t i; uint8_t i;
@ -192,36 +262,41 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign
PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature")); PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature"));
PrintAndLogEx(INFO, " IC signature public key name: %s", nxp_desfire_public_keys[i].desc); PrintAndLogEx(INFO, " IC signature public key name: " _GREEN_("%s"), nxp_desfire_public_keys[i].desc);
PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_desfire_public_keys[i].value); PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_desfire_public_keys[i].value);
PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 16); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 16);
PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 32); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 32);
PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 48); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 48);
PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1"); PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1");
PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex(signature, 16)); PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex_inrow(signature, 16));
PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 16, 16)); PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16));
PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 32, 16)); PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16));
PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 48, signature_len - 48)); PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48));
PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful"));
return PM3_SUCCESS; return PM3_SUCCESS;
} }
// init / disconnect // init / disconnect
static int get_desfire_signature(uint8_t *signature, size_t *signature_len) { static int get_desfire_signature(uint8_t *signature, size_t *signature_len) {
uint8_t c[] = {MFDES_READSIG, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x3C uint8_t c = 0x00;
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); sAPDU apdu = {0x90, MFDES_READSIG, 0x00, 0x00, 0x01, &c}; // 0x3C
PacketResponseNG resp; int recv_len = 0;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) uint16_t sw = 0;
return PM3_ETIMEOUT; int res = send_desfire_cmd(&apdu, true, signature, &recv_len, &sw, 0);
if (res == PM3_SUCCESS) {
if (recv_len != 56) {
*signature_len = 0;
DropField();
return PM3_ESOFT;
} else {
*signature_len = recv_len;
if (resp.length == 61) { }
memcpy(signature, resp.data.asBytes + 1, 56); DropField();
*signature_len = 56;
return PM3_SUCCESS; return PM3_SUCCESS;
} else {
*signature_len = 0;
return PM3_ESOFT;
} }
DropField();
return res;
} }
@ -259,18 +334,21 @@ static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys) {
// none // none
static int get_desfire_keysettings(uint8_t *key_settings, uint8_t *num_keys) { static int get_desfire_keysettings(uint8_t *key_settings, uint8_t *num_keys) {
PacketResponseNG resp; sAPDU apdu = {0x90, MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00, NONE}; //0x45
uint8_t c[] = {MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00}; // 0x45 int recv_len = 0;
int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); uint16_t sw = 0;
if (ret != PM3_SUCCESS) return ret; uint8_t data[2] = {0};
if (num_keys == NULL) return PM3_ESOFT;
if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0xae) { if (key_settings == NULL) return PM3_ESOFT;
int res = send_desfire_cmd(&apdu, false, data, &recv_len, &sw, 0);
if (sw == MFDES_EAUTH_RESP) {
PrintAndLogEx(WARNING, _RED_("[get_desfire_keysettings] Authentication error")); PrintAndLogEx(WARNING, _RED_("[get_desfire_keysettings] Authentication error"));
return PM3_ESOFT; return PM3_ESOFT;
} }
// PrintAndLogEx(INFO, "ICE: KEYSETTING resp :: %s", sprint_hex(resp.data.asBytes, resp.length)); if (res != PM3_SUCCESS) return res;
*key_settings = resp.data.asBytes[1];
*num_keys = resp.data.asBytes[2]; *key_settings = data[0];
*num_keys = data[1];
return PM3_SUCCESS; return PM3_SUCCESS;
} }
@ -282,98 +360,72 @@ static int desfire_print_keyversion(uint8_t key_idx, uint8_t key_version) {
// none // none
static int get_desfire_keyversion(uint8_t curr_key, uint8_t *num_versions) { static int get_desfire_keyversion(uint8_t curr_key, uint8_t *num_versions) {
PacketResponseNG resp; sAPDU apdu = {0x90, MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, &curr_key}; //0x64
uint8_t c[] = {MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, curr_key, 0x00}; // 0x64 int recv_len = 0;
int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); uint16_t sw = 0;
if (ret != PM3_SUCCESS) return ret; if (num_versions == NULL) return PM3_ESOFT;
int res = send_desfire_cmd(&apdu, false, num_versions, &recv_len, &sw, 0);
if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0x40) { if (sw == MFDES_ENO_SUCH_KEY_RESP) {
PrintAndLogEx(WARNING, _RED_("[get_desfire_keyversion] Key %d doesn't exist"), curr_key);
return PM3_ESOFT; return PM3_ESOFT;
} }
return res;
*num_versions = resp.data.asBytes[1];
return PM3_SUCCESS;
}
// init
static int get_desfire_select_application(uint8_t *aid) {
if (aid == NULL) return PM3_ESOFT;
uint8_t c[] = {SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a
PacketResponseNG resp;
int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000);
if (ret != PM3_SUCCESS) {
if (ret == PM3_ESOFT) {
PrintAndLogEx(WARNING, "[get_desfire_select_application] Can't select AID: " _RED_("%s"), sprint_hex(aid, 3));
}
return ret;
}
if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0x00) {
return PM3_SUCCESS;
}
return PM3_ESOFT;
} }
// init / disconnect // init / disconnect
static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) {
sAPDU apdu = {0x90, MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00, NULL}; //0x6a
uint8_t c[] = {GET_APPLICATION_IDS, 0x00, 0x00, 0x00}; //0x6a int recv_len = 0;
PacketResponseNG resp; uint16_t sw = 0;
int ret = SendDesfireCmd(c, sizeof(c), INIT | CLEARTRACE | DISCONNECT, sizeof(c), 0, &resp, 1500); if (dest == NULL) return PM3_ESOFT;
if (ret != PM3_SUCCESS) return ret; if (app_ids_len == NULL) return PM3_ESOFT;
int res = send_desfire_cmd(&apdu, true, dest, &recv_len, &sw, 0);
*app_ids_len = resp.length - 5; if (res != PM3_SUCCESS) return res;
*app_ids_len = (uint8_t)recv_len & 0xFF;
// resp.length - 2crc, 2status, 1pcb... return res;
memcpy(dest, resp.data.asBytes + 1, *app_ids_len);
if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) {
c[0] = MFDES_ADDITIONAL_FRAME; //0xAF
ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500);
if (ret != PM3_SUCCESS) return ret;
memcpy(dest + *app_ids_len, resp.data.asBytes + 1, resp.length - 5);
*app_ids_len += (resp.length - 5);
}
return PM3_SUCCESS;
} }
static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) {
sAPDU apdu = {0x90, MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00, NULL}; //0x6d
int recv_len = 0;
uint16_t sw = 0;
if (dest == NULL) return PM3_ESOFT;
if (dfname_count == NULL) return PM3_ESOFT;
int res = send_desfire_cmd(&apdu, true, (uint8_t *)dest, &recv_len, &sw, sizeof(dfname_t));
if (res != PM3_SUCCESS) return res;
*dfname_count = recv_len;
return res;
}
// init
static int get_desfire_select_application(uint8_t *aid) {
sAPDU apdu = {0x90, MFDES_SELECT_APPLICATION, 0x00, 0x00, 0x03, aid}; //0x5a
int recv_len = 0;
uint16_t sw = 0;
if (aid == NULL) return PM3_ESOFT;
return send_desfire_cmd(&apdu, true, NONE, &recv_len, &sw, sizeof(dfname_t));
}
// none // none
static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) { static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) {
uint8_t c[] = {MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00}; // 0x6f sAPDU apdu = {0x90, MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00, NULL}; //0x6f
PacketResponseNG resp; int recv_len = 0;
int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); uint16_t sw = 0;
if (ret != PM3_SUCCESS) return ret; if (dest == NULL) return PM3_ESOFT;
if (file_ids_len == NULL) return PM3_ESOFT;
if (resp.data.asBytes[resp.length - 4] == 0x91 && resp.data.asBytes[resp.length - 3] == 0x00) { *file_ids_len = 0;
*file_ids_len = resp.length - 5; int res = send_desfire_cmd(&apdu, false, dest, &recv_len, &sw, 0);
memcpy(dest, resp.data.asBytes + 1, *file_ids_len); if (res != PM3_SUCCESS) return res;
return PM3_SUCCESS; *file_ids_len = recv_len;
} return res;
return PM3_ESOFT;
} }
static int get_desfire_filesettings( uint8_t file_id, uint8_t *dest, uint8_t *destlen) { static int get_desfire_filesettings(uint8_t file_id, uint8_t *dest, int *destlen) {
uint8_t c[] = {MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, file_id, 0x00}; // 0xF5 sAPDU apdu = {0x90, MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, &file_id}; // 0xF5
PacketResponseNG resp; uint16_t sw = 0;
int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); return send_desfire_cmd(&apdu, false, dest, destlen, &sw, 0);
if (ret != PM3_SUCCESS) return ret;
if (resp.data.asBytes[resp.length - 4] == 0x91 && resp.data.asBytes[resp.length - 3] == 0x00) {
*destlen = resp.length - 5;
memcpy(dest, resp.data.asBytes + 1, *destlen);
return PM3_SUCCESS;
}
return PM3_ESOFT;
} }
static int CmdHF14ADesInfo(const char *Cmd) { static int CmdHF14ADesInfo(const char *Cmd) {
@ -561,9 +613,7 @@ void getKeySettings(uint8_t *aid) {
if (memcmp(aid, "\x00\x00\x00", 3) == 0) { if (memcmp(aid, "\x00\x00\x00", 3) == 0) {
// CARD MASTER KEY // CARD MASTER KEY
PrintAndLogEx(NORMAL, ""); //PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings"));
PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings"));
if (get_desfire_select_application(aid) != PM3_SUCCESS) { if (get_desfire_select_application(aid) != PM3_SUCCESS) {
PrintAndLogEx(WARNING, _RED_(" Can't select AID")); PrintAndLogEx(WARNING, _RED_(" Can't select AID"));
DropField(); DropField();
@ -626,9 +676,7 @@ void getKeySettings(uint8_t *aid) {
} else { } else {
// AID - APPLICATION MASTER KEYS // AID - APPLICATION MASTER KEYS
PrintAndLogEx(NORMAL, ""); //PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings"));
PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings"));
if (get_desfire_select_application(aid) != PM3_SUCCESS) { if (get_desfire_select_application(aid) != PM3_SUCCESS) {
PrintAndLogEx(WARNING, _RED_(" Can't select AID")); PrintAndLogEx(WARNING, _RED_(" Can't select AID"));
DropField(); DropField();
@ -674,15 +722,25 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
(void)Cmd; // Cmd is not used so far (void)Cmd; // Cmd is not used so far
// uint8_t isOK = 0x00; // uint8_t isOK = 0x00;
uint8_t aid[3]; uint8_t aid[3] = {0};
uint8_t app_ids[78] = {0}; uint8_t app_ids[78] = {0};
uint8_t app_ids_len = 0; uint8_t app_ids_len = 0;
uint8_t file_ids[33] = {0}; uint8_t file_ids[33] = {0};
uint8_t file_ids_len = 0; uint8_t file_ids_len = 0;
dfname_t dfnames[255] = {0};
uint8_t dfname_count = 0;
if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) { if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) {
PrintAndLogEx(ERR, "Can't get list of applications on tag"); PrintAndLogEx(ERR, "Can't get list of applications on tag");
DropField();
return PM3_ESOFT;
}
if (get_desfire_dfnames(dfnames, &dfname_count) != PM3_SUCCESS) {
PrintAndLogEx(WARNING, _RED_("Can't get DF Names"));
DropField();
return PM3_ESOFT; return PM3_ESOFT;
} }
@ -697,7 +755,21 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
aid[1] = app_ids[i + 1]; aid[1] = app_ids[i + 1];
aid[2] = app_ids[i + 2]; aid[2] = app_ids[i + 2];
PrintAndLogEx(SUCCESS, " AID %d : " _GREEN_("%02X %02X %02X"), i, app_ids[i], app_ids[i + 1], app_ids[i + 2]); PrintAndLogEx(NORMAL, "");
if (memcmp(aid, "\x00\x00\x00", 3) == 0) {
// CARD MASTER KEY
PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings"));
} else {
PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings"));
}
PrintAndLogEx(SUCCESS, " AID : " _GREEN_("%02X %02X %02X"), aid[0], aid[1], aid[2]);
for (int m = 0; m < dfname_count; m++) {
if (dfnames[m].aid[0] == aid[0] && dfnames[m].aid[1] == aid[1] && dfnames[m].aid[2] == aid[2]) {
PrintAndLogEx(SUCCESS, " - DF " _YELLOW_("%02X %02X") " Name : " _YELLOW_("%s"), dfnames[m].fid[0], dfnames[m].fid[1], dfnames[m].name);
}
}
getKeySettings(aid); getKeySettings(aid);
@ -708,7 +780,6 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
return PM3_ESOFT; return PM3_ESOFT;
} }
// Get File IDs // Get File IDs
if (get_desfire_fileids(file_ids, &file_ids_len) == PM3_SUCCESS) { if (get_desfire_fileids(file_ids, &file_ids_len) == PM3_SUCCESS) {
PrintAndLogEx(SUCCESS, " Tag report " _GREEN_("%d") "file%c", file_ids_len, (file_ids_len == 1) ? ' ' : 's'); PrintAndLogEx(SUCCESS, " Tag report " _GREEN_("%d") "file%c", file_ids_len, (file_ids_len == 1) ? ' ' : 's');
@ -716,10 +787,10 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
PrintAndLogEx(SUCCESS, " Fileid %d (0x%02x)", file_ids[j], file_ids[j]); PrintAndLogEx(SUCCESS, " Fileid %d (0x%02x)", file_ids[j], file_ids[j]);
uint8_t filesettings[20] = {0}; uint8_t filesettings[20] = {0};
uint8_t fileset_len = 0; int fileset_len = 0;
int res = get_desfire_filesettings(j, filesettings, &fileset_len); int res = get_desfire_filesettings(j, filesettings, &fileset_len);
if (res == PM3_SUCCESS) { if (res == PM3_SUCCESS) {
PrintAndLogEx(INFO, " Settings [%u] %s", fileset_len, sprint_hex(filesettings, fileset_len) ); PrintAndLogEx(INFO, " Settings [%u] %s", fileset_len, sprint_hex(filesettings, fileset_len));
} }
} }
} }
@ -754,77 +825,90 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
DropField(); DropField();
return PM3_SUCCESS; return PM3_SUCCESS;
} }
/*
uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00};
int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen, false);
if (!res && datalen > 1 && data[0] == 0x09) {
SLmode = 0;
}
*/
// MIAFRE DESFire Authentication // MIAFRE DESFire Authentication
// //
#define BUFSIZE 256 #define BUFSIZE 256
static int CmdHF14ADesAuth(const char *Cmd) { static int CmdHF14ADesAuth(const char *Cmd) {
clearCommandBuffer();
// NR DESC KEYLENGHT // NR DESC KEYLENGHT
// ------------------------ // ------------------------
// 1 = DES 8 // 1 = DES 8
// 2 = 3DES 16 // 2 = 3DES 16
// 3 = 3K 3DES 24 // 3 = 3K 3DES 24
// 4 = AES 16 // 4 = AES 16
//SetAPDULogging(true);
uint8_t keylength = 8; uint8_t keylength = 8;
unsigned char key[24];
uint8_t aidlength = 3;
unsigned char aid[3];
if (strlen(Cmd) < 3) { CLIParserInit("hf mfdes auth",
PrintAndLogEx(NORMAL, "Usage: hf mfdes auth <1|2|3> <1|2|3|4> <appid> <keyno> <key> "); "Authenticates Mifare DESFire using Key",
PrintAndLogEx(NORMAL, " Auth modes"); "Usage:\n\t-m Auth type (1=normal, 2=iso, 3=aes)\n\t-t Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)\n\t-a aid (3 bytes)\n\t-n keyno\n\t-k key (8-24 bytes)\n\n"
PrintAndLogEx(NORMAL, " 1 = normal, 2 = iso, 3 = aes"); "Example:\n\thf mfdes auth -m 3 -t 4 -a 018380 -n 0 -k 404142434445464748494a4b4c4d4e4f\n"
PrintAndLogEx(NORMAL, " Crypto"); );
PrintAndLogEx(NORMAL, " 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES");
PrintAndLogEx(NORMAL, ""); void *argtable[] = {
PrintAndLogEx(NORMAL, "Examples:"); arg_param_begin,
PrintAndLogEx(NORMAL, _YELLOW_(" hf mfdes auth 1 1 0 0 11223344")); arg_int0("mM", "type", "Auth type (1=normal, 2=iso, 3=aes)", NULL),
PrintAndLogEx(NORMAL, _YELLOW_(" hf mfdes auth 3 4 018380 0 404142434445464748494a4b4c4d4e4f")); arg_int0("tT", "algo", "Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)", NULL),
return PM3_SUCCESS; arg_strx0("aA", "aid", "<aid>", "AID used for authentification"),
} arg_int0("nN", "keyno", "Key number used for authentification", NULL),
uint8_t cmdAuthMode = param_get8(Cmd, 0); arg_str0("kK", "key", "<Key>", "Key for checking (HEX 16 bytes)"),
uint8_t cmdAuthAlgo = param_get8(Cmd, 1); arg_param_end
// AID };
if (param_gethex(Cmd, 2, aid, aidlength*2)) { CLIExecWithReturn(Cmd, argtable, true);
PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3);
uint8_t cmdAuthMode = arg_get_int_def(1, 0);
uint8_t cmdAuthAlgo = arg_get_int_def(2, 0);
int aidlength = 3;
uint8_t aid[3] = {0};
CLIGetHexWithReturn(3, aid, &aidlength);
uint8_t cmdKeyNo = arg_get_int_def(4, 0);
uint8_t key[24] = {0};
int keylen = 0;
CLIGetHexWithReturn(5, key, &keylen);
CLIParserFree();
if ((keylen < 8) || (keylen > 24)) {
PrintAndLogEx(ERR, "Specified key must have 16 bytes length.");
//SetAPDULogging(false);
return PM3_EINVARG;
}
// AID
if (aidlength != 3) {
PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3);
//SetAPDULogging(false);
return PM3_EINVARG; return PM3_EINVARG;
} }
uint8_t cmdKeyNo = param_get8(Cmd, 3);
switch (cmdAuthMode) { switch (cmdAuthMode) {
case 1: case 1:
if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2) { if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2) {
PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode");
//SetAPDULogging(false);
return PM3_EINVARG; return PM3_EINVARG;
} }
break; break;
case 2: case 2:
if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) { if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) {
PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode");
//SetAPDULogging(false);
return PM3_EINVARG; return PM3_EINVARG;
} }
break; break;
case 3: case 3:
if (cmdAuthAlgo != 4) { if (cmdAuthAlgo != 4) {
PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode");
//SetAPDULogging(false);
return PM3_EINVARG; return PM3_EINVARG;
} }
break; break;
default: default:
PrintAndLogEx(WARNING, "Wrong Auth mode"); PrintAndLogEx(WARNING, "Wrong Auth mode (%d) -> (1=normal, 2=iso, 3=aes)", cmdAuthMode);
//SetAPDULogging(false);
return PM3_EINVARG; return PM3_EINVARG;
} }
@ -848,8 +932,8 @@ static int CmdHF14ADesAuth(const char *Cmd) {
break; break;
} }
// key // KEY
if (param_gethex(Cmd, 4, key, keylength * 2)) { if (keylen != keylength) {
PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength); PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength);
return PM3_EINVARG; return PM3_EINVARG;
} }
@ -862,17 +946,23 @@ static int CmdHF14ADesAuth(const char *Cmd) {
uint8_t file_ids[33] = {0}; uint8_t file_ids[33] = {0};
uint8_t file_ids_len = 0; uint8_t file_ids_len = 0;
get_desfire_fileids(file_ids, &file_ids_len); int res = get_desfire_fileids(file_ids, &file_ids_len);
if (res != PM3_SUCCESS) {
PrintAndLogEx(WARNING, "Get file ids error.");
DropField();
return res;
}
// algo, keylength, // algo, keylength,
uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES) uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES)
memcpy(data + 1, key, keylength); memcpy(data + 1, key, keylength);
clearCommandBuffer();
SendCommandOLD(CMD_HF_DESFIRE_AUTH1, cmdAuthMode, cmdAuthAlgo, cmdKeyNo, data, keylength + 1); SendCommandOLD(CMD_HF_DESFIRE_AUTH1, cmdAuthMode, cmdAuthAlgo, cmdKeyNo, data, keylength + 1);
PacketResponseNG resp; PacketResponseNG resp;
if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) { if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
PrintAndLogEx(WARNING, "Client command execute timeout"); PrintAndLogEx(WARNING, "Client command execute timeout");
DropField();
return PM3_ETIMEOUT; return PM3_ETIMEOUT;
} }

40
client/cmdhfmfdes.h
View file

@ -19,50 +19,14 @@ char *getProtocolStr(uint8_t id);
char *getVersionStr(uint8_t major, uint8_t minor); char *getVersionStr(uint8_t major, uint8_t minor);
void getKeySettings(uint8_t *aid); void getKeySettings(uint8_t *aid);
#define CREATE_APPLICATION 0xca // Ev1 card limits
#define DELETE_APPLICATION 0xda
#define GET_APPLICATION_IDS 0x6a
#define SELECT_APPLICATION 0x5a
#define FORMAT_PICC 0xfc
#define GET_VERSION 0x60
#define READ_DATA 0xbd
#define WRITE_DATA 0x3d
#define GET_VALUE 0x6c
#define CREDIT 0x0c
#define DEBIT 0xdc
#define LIMITED_CREDIT 0x1c
#define WRITE_RECORD 0x3b
#define READ_RECORDS 0xbb
#define CLEAR_RECORD_FILE 0xeb
#define COMMIT_TRANSACTION 0xc7
#define ABORT_TRANSACTION 0xa7
#define GET_FREE_MEMORY 0x6e
#define GET_FILE_IDS 0x6f
#define GET_ISOFILE_IDS 0x61
#define GET_FILE_SETTINGS 0xf5
#define CHANGE_FILE_SETTINGS 0x5f
#define CREATE_STD_DATA_FILE 0xcd
#define CREATE_BACKUP_DATA_FILE 0xcb
#define CREATE_VALUE_FILE 0xcc
#define CREATE_LINEAR_RECORD_FILE 0xc1
#define CREATE_CYCLIC_RECORD_FILE 0xc0
#define DELETE_FILE 0xdf
#define AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE
#define AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD
#define AUTHENTICATE_AES 0xaa
#define CHANGE_KEY_SETTINGS 0x54
#define GET_KEY_SETTINGS 0x45
#define CHANGE_KEY 0xc4
#define GET_KEY_VERSION 0x64
#define AUTHENTICATION_FRAME 0xAF
#define MAX_NUM_KEYS 0x0F #define MAX_NUM_KEYS 0x0F
#define MAX_APPLICATION_COUNT 28 #define MAX_APPLICATION_COUNT 28
#define MAX_FILE_COUNT 32 #define MAX_FILE_COUNT 32
#define MAX_FRAME_SIZE 60 #define MAX_FRAME_SIZE 60
#define NOT_YET_AUTHENTICATED 255
#define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5) #define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5)
#define NOT_YET_AUTHENTICATED 0xFF
// status- and error codes | // status- and error codes |
#define OPERATION_OK 0x00 // Successful operation #define OPERATION_OK 0x00 // Successful operation

276
client/cmdhfmfp.c
View file

@ -10,12 +10,9 @@
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
#include "cmdhfmfp.h" #include "cmdhfmfp.h"
#include <string.h> #include <string.h>
#include "cmdparser.h" // command_t #include "cmdparser.h" // command_t
#include "commonutil.h" // ARRAYLEN #include "commonutil.h" // ARRAYLEN
#include "comms.h" #include "comms.h"
#include "ui.h" #include "ui.h"
#include "cmdhf14a.h" #include "cmdhf14a.h"
@ -27,6 +24,9 @@
#include "mifare/mifaredefault.h" #include "mifare/mifaredefault.h"
#include "util_posix.h" #include "util_posix.h"
#include "fileutils.h" #include "fileutils.h"
#include "protocols.h"
#include "crypto/libpcrypto.h"
static const uint8_t DefaultKey[16] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; static const uint8_t DefaultKey[16] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
@ -34,21 +34,188 @@ uint16_t CardAddresses[] = {0x9000, 0x9001, 0x9002, 0x9003, 0x9004, 0xA000, 0xA0
static int CmdHelp(const char *Cmd); static int CmdHelp(const char *Cmd);
/*
The 7 MSBits (= n) code the storage size itself based on 2^n,
the LSBit is set to '0' if the size is exactly 2^n
and set to '1' if the storage size is between 2^n and 2^(n+1).
For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'.
*/
static char *getCardSizeStr(uint8_t fsize) {
static char buf[40] = {0x00};
char *retStr = buf;
uint16_t usize = 1 << ((fsize >> 1) + 1);
uint16_t lsize = 1 << (fsize >> 1);
// is LSB set?
if (fsize & 1)
sprintf(retStr, "0x%02X ( " _YELLOW_("%d - %d bytes") ")", fsize, usize, lsize);
else
sprintf(retStr, "0x%02X ( " _YELLOW_("%d bytes") ")", fsize, lsize);
return buf;
}
static char *getProtocolStr(uint8_t id) {
static char buf[40] = {0x00};
char *retStr = buf;
if (id == 0x05)
sprintf(retStr, "0x%02X ( " _YELLOW_("ISO 14443-3, 14443-4") ")", id);
else
sprintf(retStr, "0x%02X ( " _YELLOW_("Unknown") ")", id);
return buf;
}
static char *getVersionStr(uint8_t major, uint8_t minor) {
static char buf[40] = {0x00};
char *retStr = buf;
if (major == 0x00)
sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire MF3ICD40") ")", major, minor);
else if (major == 0x01 && minor == 0x00)
sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV1") ")", major, minor);
else if (major == 0x12 && minor == 0x00)
sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV2") ")", major, minor);
// else if (major == 0x13 && minor == 0x00)
// sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV3") ")", major, minor);
else if (major == 0x30 && minor == 0x00)
sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire Light") ")", major, minor);
else if (major == 0x11 && minor == 0x00)
sprintf(retStr, "%x.%x ( " _YELLOW_("Plus EV1") ")", major, minor);
else
sprintf(retStr, "%x.%x ( " _YELLOW_("Unknown") ")", major, minor);
return buf;
}
// --- GET SIGNATURE
static int plus_print_signature(uint8_t *uid, uint8_t uidlen, uint8_t *signature, int signature_len) {
// ref: MIFARE Plus EV1 Originality Signature Validation
#define PUBLIC_PLUS_ECDA_KEYLEN 57
const ecdsa_publickey_t nxp_plus_public_keys[] = {
{"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"}
};
uint8_t i;
int res;
bool is_valid = false;
for (i = 0; i < ARRAYLEN(nxp_plus_public_keys); i++) {
int dl = 0;
uint8_t key[PUBLIC_PLUS_ECDA_KEYLEN];
param_gethex_to_eol(nxp_plus_public_keys[i].value, 0, key, PUBLIC_PLUS_ECDA_KEYLEN, &dl);
res = ecdsa_signature_r_s_verify(MBEDTLS_ECP_DP_SECP224R1, key, uid, uidlen, signature, signature_len, false);
is_valid = (res == 0);
if (is_valid)
break;
}
if (is_valid == false) {
PrintAndLogEx(SUCCESS, "Signature verification " _RED_("failed"));
return PM3_ESOFT;
}
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature"));
PrintAndLogEx(INFO, " IC signature public key name: " _GREEN_("%s"), nxp_plus_public_keys[i].desc);
PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_plus_public_keys[i].value);
PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 16);
PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 32);
PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 48);
PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1");
PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex_inrow(signature, 16));
PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16));
PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16));
PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48));
PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful"));
return PM3_SUCCESS;
}
static int get_plus_signature(uint8_t *signature, int *signature_len) {
mfpSetVerboseMode(false);
uint8_t data[59] = {0};
int resplen = 0, retval = PM3_SUCCESS;
MFPGetSignature(true, false, data, sizeof(data), &resplen);
if (resplen == 59) {
memcpy(signature, data + 1, 56);
*signature_len = 56;
} else {
*signature_len = 0;
retval = PM3_ESOFT;
}
mfpSetVerboseMode(false);
return retval;
}
// GET VERSION
static int plus_print_version(uint8_t *version) {
PrintAndLogEx(SUCCESS, " UID: " _GREEN_("%s"), sprint_hex(version + 14, 7));
PrintAndLogEx(SUCCESS, " Batch number: " _GREEN_("%s"), sprint_hex(version + 21, 5));
PrintAndLogEx(SUCCESS, " Production date: week " _GREEN_("%02x") "/ " _GREEN_("20%02x"), version[7+7+7+5], version[7+7+7+5+1]);
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Hardware Information"));
PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0]));
PrintAndLogEx(INFO, " Type: " _YELLOW_("0x%02X"), version[1]);
PrintAndLogEx(INFO, " Subtype: " _YELLOW_("0x%02X"), version[2]);
PrintAndLogEx(INFO, " Version: %s", getVersionStr(version[3], version[4]));
PrintAndLogEx(INFO, " Storage size: %s", getCardSizeStr(version[5]));
PrintAndLogEx(INFO, " Protocol: %s", getProtocolStr(version[6]));
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "--- " _CYAN_("Software Information"));
PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0]));
PrintAndLogEx(INFO, " Type: " _YELLOW_("0x%02X"), version[1]);
PrintAndLogEx(INFO, " Subtype: " _YELLOW_("0x%02X"), version[2]);
PrintAndLogEx(INFO, " Version: " _YELLOW_("%d.%d"), version[3], version[4]);
PrintAndLogEx(INFO, " Storage size: %s", getCardSizeStr(version[5]));
PrintAndLogEx(INFO, " Protocol: %s", getProtocolStr(version[6]));
return PM3_SUCCESS;
}
static int get_plus_version(uint8_t *version, int *version_len) {
int resplen = 0, retval = PM3_SUCCESS;
mfpSetVerboseMode(false);
MFPGetVersion(true, false, version, *version_len, &resplen);
mfpSetVerboseMode(false);
*version_len = resplen;
if (resplen != 28) {
retval = PM3_ESOFT;
}
return retval;
}
static int CmdHFMFPInfo(const char *Cmd) { static int CmdHFMFPInfo(const char *Cmd) {
if (Cmd && strlen(Cmd) > 0) if (Cmd && strlen(Cmd) > 0)
PrintAndLogEx(WARNING, "command don't have any parameters.\n"); PrintAndLogEx(WARNING, "command don't have any parameters.\n");
PrintAndLogEx(NORMAL, ""); PrintAndLogEx(NORMAL, "");
PrintAndLogEx(INFO, "-- Mifare Plus Tag Information ------------------------------"); PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") "---------------------------");
PrintAndLogEx(INFO, "-------------------------------------------------------------"); PrintAndLogEx(INFO, "-------------------------------------------------------------");
// info about 14a part bool supportVersion = false;
infoHF14A(false, false, false); bool supportSignature = false;
// version check
uint8_t version[30] = {0};
int version_len = sizeof(version);
if (get_plus_version(version, &version_len) == PM3_SUCCESS) {
plus_print_version(version);
supportVersion = true;
} else {
// info about 14a part
infoHF14A(false, false, false);
}
// Mifare Plus info // Mifare Plus info
SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT, 0, 0, NULL, 0); SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT, 0, 0, NULL, 0);
PacketResponseNG resp; PacketResponseNG resp;
WaitForResponse(CMD_ACK, &resp); WaitForResponse(CMD_ACK, &resp);
@ -57,55 +224,60 @@ static int CmdHFMFPInfo(const char *Cmd) {
uint64_t select_status = resp.oldarg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision uint64_t select_status = resp.oldarg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision
// Signature originality check
uint8_t signature[56] = {0};
int signature_len = sizeof(signature);
if (get_plus_signature(signature, &signature_len) == PM3_SUCCESS) {
plus_print_signature(card.uid, card.uidlen, signature, signature_len);
supportSignature = true;
}
if (select_status == 1 || select_status == 2) { if (select_status == 1 || select_status == 2) {
PrintAndLogEx(INFO, "-------------------------------------------------------------"); PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint"));
PrintAndLogEx(INFO, " Fingerprint");
if (supportVersion && supportSignature) {
PrintAndLogEx(INFO, " Tech: " _GREEN_("MIFARE Plus EV1"));
} else {
PrintAndLogEx(INFO, " Tech: " _YELLOW_("MIFARE Plus SE/X"));
}
// MIFARE Type Identification Procedure // MIFARE Type Identification Procedure
// https://www.nxp.com/docs/en/application-note/AN10833.pdf // https://www.nxp.com/docs/en/application-note/AN10833.pdf
uint16_t ATQA = card.atqa[0] + (card.atqa[1] << 8); uint16_t ATQA = card.atqa[0] + (card.atqa[1] << 8);
bool isPlus = false; bool isPlus = false;
if (ATQA == 0x0004) { if (ATQA & 0x0004) {
PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 2K") " (4b UID)"); PrintAndLogEx(INFO, " SIZE: " _GREEN_("2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4");
isPlus = true; isPlus = true;
} }
if (ATQA == 0x0002) { if (ATQA & 0x0002) {
PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 4K") " (4b UID)"); PrintAndLogEx(INFO, " SIZE: " _GREEN_("4K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4");
isPlus = true;
}
if (ATQA == 0x0044) {
PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 2K") " (7b UID)");
isPlus = true;
}
if (ATQA == 0x0042) {
PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 4K") " (7b UID)");
isPlus = true; isPlus = true;
} }
uint8_t SLmode = 0xff; uint8_t SLmode = 0xFF;
if (isPlus) { if (isPlus) {
if (card.sak == 0x08) { if (card.sak == 0x08) {
PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 2K 7b UID")); PrintAndLogEx(INFO, " SAK: " _GREEN_("2K 7b UID"));
if (select_status == 2) SLmode = 1; if (select_status == 2) SLmode = 1;
} }
if (card.sak == 0x18) { if (card.sak == 0x18) {
PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 4K 7b UID")); PrintAndLogEx(INFO, " SAK: " _GREEN_("4K 7b UID"));
if (select_status == 2) SLmode = 1; if (select_status == 2) SLmode = 1;
} }
if (card.sak == 0x10) { if (card.sak == 0x10) {
PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 2K")); PrintAndLogEx(INFO, " SAK: " _GREEN_("2K"));
if (select_status == 2) SLmode = 2; if (select_status == 2) SLmode = 2;
} }
if (card.sak == 0x11) { if (card.sak == 0x11) {
PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 4K")); PrintAndLogEx(INFO, " SAK: " _GREEN_("4K"));
if (select_status == 2) SLmode = 2; if (select_status == 2) SLmode = 2;
} }
} }
if (card.sak == 0x20) { if (card.sak == 0x20) {
PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus SL0/SL3") "or " _GREEN_("Mifare DESFire")); PrintAndLogEx(INFO, " SAK: " _GREEN_("MIFARE Plus SL0/SL3") "or " _GREEN_("MIFARE DESFire"));
if (card.ats_len > 0) { if (card.ats_len > 0) {
@ -118,7 +290,7 @@ static int CmdHFMFPInfo(const char *Cmd) {
int res = ExchangeRAW14a(cmd, sizeof(cmd), true, false, data, sizeof(data), &datalen, false); int res = ExchangeRAW14a(cmd, sizeof(cmd), true, false, data, sizeof(data), &datalen, false);
if (memcmp(data, "\x67\x00", 2) == 0) { if (memcmp(data, "\x67\x00", 2) == 0) {
PrintAndLogEx(INFO, "\tMost likely a Mifare DESFire tag"); PrintAndLogEx(INFO, "\tMost likely a MIFARE DESFire tag");
PrintAndLogEx(HINT, "Hint: Try " _YELLOW_("`hf mfdes info`")); PrintAndLogEx(HINT, "Hint: Try " _YELLOW_("`hf mfdes info`"));
DropField(); DropField();
return PM3_SUCCESS; return PM3_SUCCESS;
@ -130,33 +302,35 @@ static int CmdHFMFPInfo(const char *Cmd) {
} }
} }
// How do we detect SL0 / SL1 / SL2 / SL3 modes?!? if (isPlus) {
PrintAndLogEx(INFO, "Security Level (SL)"); // How do we detect SL0 / SL1 / SL2 / SL3 modes?!?
switch(SLmode) { PrintAndLogEx(INFO, "--- " _CYAN_("Security Level (SL)"));
case 0:
PrintAndLogEx(INFO, "SL 0: initial delivery configuration, used for card personalization");
break;
case 1:
PrintAndLogEx(INFO, "SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication");
break;
case 2:
PrintAndLogEx(INFO, "SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1");
break;
case 3:
PrintAndLogEx(INFO, "SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method.");
break;
default:
break;
}
if (SLmode != 0xFF) if (SLmode != 0xFF )
PrintAndLogEx(SUCCESS, "\tMifare Plus SL mode: " _YELLOW_("SL%d"), SLmode); PrintAndLogEx(SUCCESS, " SL mode: " _YELLOW_("SL%d"), SLmode);
else else
PrintAndLogEx(WARNING, "\tMifare Plus SL mode: " _YELLOW_("unknown")); PrintAndLogEx(WARNING, " SL mode: " _YELLOW_("unknown"));
switch(SLmode) {
case 0:
PrintAndLogEx(INFO, " SL 0: initial delivery configuration, used for card personalization");
break;
case 1:
PrintAndLogEx(INFO, " SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication");
break;
case 2:
PrintAndLogEx(INFO, " SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1");
break;
case 3:
PrintAndLogEx(INFO, " SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method.");
break;
default:
break;
}
}
} else { } else {
PrintAndLogEx(INFO, "\tMifare Plus info not available."); PrintAndLogEx(INFO, "\tMifare Plus info not available.");
} }
PrintAndLogEx(NORMAL, "");
DropField(); DropField();
return PM3_SUCCESS; return PM3_SUCCESS;
} }

12
client/emv/apduinfo.c
View file

@ -503,7 +503,17 @@ void APDUPrint(APDUStruct apdu) {
void APDUPrintEx(APDUStruct apdu, size_t maxdatalen) { void APDUPrintEx(APDUStruct apdu, size_t maxdatalen) {
PrintAndLogEx(INFO, "APDU: %scase=0x%02x cla=0x%02x ins=0x%02x p1=0x%02x p2=0x%02x Lc=0x%02x(%d) Le=0x%02x(%d)", PrintAndLogEx(INFO, "APDU: %scase=0x%02x cla=0x%02x ins=0x%02x p1=0x%02x p2=0x%02x Lc=0x%02x(%d) Le=0x%02x(%d)",
apdu.extended_apdu ? "[e]" : "", apdu.case_type, apdu.cla, apdu.ins, apdu.p1, apdu.p2, apdu.lc, apdu.lc, apdu.le, apdu.le); apdu.extended_apdu ? "[e]" : "",
apdu.case_type,
apdu.cla,
apdu.ins,
apdu.p1,
apdu.p2,
apdu.lc,
apdu.lc,
apdu.le,
apdu.le
);
if (maxdatalen > 0) if (maxdatalen > 0)
PrintAndLogEx(INFO, "data: %s%s", sprint_hex(apdu.data, MIN(apdu.lc, maxdatalen)), apdu.lc > maxdatalen ? "..." : ""); PrintAndLogEx(INFO, "data: %s%s", sprint_hex(apdu.data, MIN(apdu.lc, maxdatalen)), apdu.lc > maxdatalen ? "..." : "");
} }

4
client/emv/emvcore.c
View file

@ -136,6 +136,10 @@ void SetAPDULogging(bool logging) {
APDULogging = logging; APDULogging = logging;
} }
bool GetAPDULogging(void) {
return APDULogging;
}
enum CardPSVendor GetCardPSVendor(uint8_t *AID, size_t AIDlen) { enum CardPSVendor GetCardPSVendor(uint8_t *AID, size_t AIDlen) {
char buf[100] = {0}; char buf[100] = {0};
if (AIDlen < 1) if (AIDlen < 1)

1
client/emv/emvcore.h
View file

@ -57,6 +57,7 @@ struct tlvdb *GetPANFromTrack2(const struct tlv *track2);
struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2); struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2);
void SetAPDULogging(bool logging); void SetAPDULogging(bool logging);
bool GetAPDULogging(void);
// exchange // exchange
int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv); int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv);

40
client/mifare/mifare4.c
View file

@ -429,6 +429,46 @@ int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data
return 0; return 0;
} }
int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
uint8_t c[] = {0x3c, 0x00};
return intExchangeRAW14aPlus(c, sizeof(c), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen);
}
int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
uint8_t tmp[20] = {0};
uint8_t c[] = {0x60};
int res = intExchangeRAW14aPlus(c, sizeof(c), activateField, true, tmp, maxdataoutlen, dataoutlen);
if (res != 0) {
DropField();
*dataoutlen = 0;
return res;
}
memcpy(dataout, tmp + 1, (*dataoutlen - 3));
*dataoutlen = 0;
// MFDES_ADDITIONAL_FRAME
if (tmp[0] == 0xAF) {
c[0] = 0xAF;
res = intExchangeRAW14aPlus(c, sizeof(c), false, true, tmp, maxdataoutlen, dataoutlen);
if (res == 0) {
memcpy(dataout + 7, tmp + 1, (*dataoutlen - 3));
// MFDES_ADDITIONAL_FRAME
res = intExchangeRAW14aPlus(c, sizeof(c), false, false, tmp, maxdataoutlen, dataoutlen);
if (res == 0) {
if (tmp[0] == 0x90) {
memcpy(dataout + 7 + 7, tmp + 1, (*dataoutlen - 3));
*dataoutlen = 28;
}
}
}
}
DropField();
return res;
}
// Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards), // Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards),
// plus evtl. 8 sectors with 16 blocks each (4k cards) // plus evtl. 8 sectors with 16 blocks each (4k cards)
uint8_t mfNumBlocksPerSector(uint8_t sectorNo) { uint8_t mfNumBlocksPerSector(uint8_t sectorNo) {

3
client/mifare/mifare4.h
View file

@ -59,6 +59,9 @@ int MFPReadBlock(mf4Session_t *session, bool plain, uint8_t blockNum, uint8_t bl
int MFPWriteBlock(mf4Session_t *session, uint8_t blockNum, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac); int MFPWriteBlock(mf4Session_t *session, uint8_t blockNum, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac);
int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose); int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose);
int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
const char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data); const char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data);
uint8_t mfNumBlocksPerSector(uint8_t sectorNo); uint8_t mfNumBlocksPerSector(uint8_t sectorNo);

5
include/pm3_cmd.h
View file

@ -618,6 +618,11 @@ typedef struct {
#define PM3_EOUTOFBOUND -17 #define PM3_EOUTOFBOUND -17
// exchange with card error client/pm3: error when cant get answer from card or got an incorrect answer // exchange with card error client/pm3: error when cant get answer from card or got an incorrect answer
#define PM3_ECARDEXCHANGE -18 #define PM3_ECARDEXCHANGE -18
// Failed to create APDU,
#define PM3_EAPDU_ENCODEFAIL -19
// APDU responded with a failure code
#define PM3_EAPDU_FAIL -20
// No data pm3: no data available, no host frame available (not really an error) // No data pm3: no data available, no host frame available (not really an error)
#define PM3_ENODATA -98 #define PM3_ENODATA -98
// Quit program client: reserved, order to quit the program // Quit program client: reserved, order to quit the program

84
include/protocols.h
View file

@ -349,44 +349,62 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
// 6x xx = ERROR // 6x xx = ERROR
// MIFARE DESFire command set: // MIFARE DESFire command set:
#define MFDES_CREATE_APPLICATION 0xca
#define MFDES_DELETE_APPLICATION 0xda
#define MFDES_GET_APPLICATION_IDS 0x6a
#define MFDES_SELECT_APPLICATION 0x5a
#define MFDES_FORMAT_PICC 0xfc
#define MFDES_GET_VERSION 0x60 #define MFDES_GET_VERSION 0x60
#define MFDES_READ_DATA 0xbd
#define MFDES_WRITE_DATA 0x3d #define MFDES_AUTHENTICATE 0x0A // AUTHENTICATE_NATIVE
#define MFDES_GET_VALUE 0x6c #define MFDES_AUTHENTICATE_ISO 0x1A // AUTHENTICATE_STANDARD
#define MFDES_CREDIT 0x0c #define MFDES_AUTHENTICATE_AES 0xAA
#define MFDES_DEBIT 0xdc
#define MFDES_LIMITED_CREDIT 0x1c #define MFDES_CREDIT 0x0C
#define MFDES_WRITE_RECORD 0x3b #define MFDES_LIMITED_CREDIT 0x1C
#define MFDES_READ_RECORDS 0xbb #define MFDES_DEBIT 0xDC
#define MFDES_CLEAR_RECORD_FILE 0xeb
#define MFDES_COMMIT_TRANSACTION 0xc7 #define MFDES_WRITE_RECORD 0x3B
#define MFDES_ABORT_TRANSACTION 0xa7 #define MFDES_READSIG 0x3C
#define MFDES_GET_FREE_MEMORY 0x6e #define MFDES_WRITE_DATA 0x3D
#define MFDES_GET_FILE_IDS 0x6f
#define MFDES_GET_ISOFILE_IDS 0x61
#define MFDES_GET_FILE_SETTINGS 0xf5
#define MFDES_CHANGE_FILE_SETTINGS 0x5f
#define MFDES_CREATE_STD_DATA_FILE 0xcd
#define MFDES_CREATE_BACKUP_DATA_FILE 0xcb
#define MFDES_CREATE_VALUE_FILE 0xcc
#define MFDES_CREATE_LINEAR_RECORD_FILE 0xc1
#define MFDES_CREATE_CYCLIC_RECORD_FILE 0xc0
#define MFDES_DELETE_FILE 0xdf
#define MFDES_AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE
#define MFDES_AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD
#define MFDES_AUTHENTICATE_AES 0xaa
#define MFDES_CHANGE_KEY_SETTINGS 0x54
#define MFDES_GET_KEY_SETTINGS 0x45 #define MFDES_GET_KEY_SETTINGS 0x45
#define MFDES_CHANGE_KEY 0xc4 #define MFDES_CHANGE_KEY_SETTINGS 0x54
#define MFDES_SELECT_APPLICATION 0x5A
#define MFDES_CHANGE_FILE_SETTINGS 0x5F
#define MFDES_GET_ISOFILE_IDS 0x61
#define MFDES_GET_KEY_VERSION 0x64 #define MFDES_GET_KEY_VERSION 0x64
#define MFDES_GET_APPLICATION_IDS 0x6A
#define MFDES_GET_VALUE 0x6C
#define MFDES_GET_FREE_MEMORY 0x6E
#define MFDES_GET_DF_NAMES 0x6D
#define MFDES_GET_FILE_IDS 0x6F
#define MFDES_ABORT_TRANSACTION 0xA7
#define MFDES_AUTHENTICATION_FRAME 0xAF #define MFDES_AUTHENTICATION_FRAME 0xAF
#define MFDES_ADDITIONAL_FRAME 0xAF #define MFDES_ADDITIONAL_FRAME 0xAF
#define MFDES_READSIG 0x3C #define MFDES_ADDITIONAL_FRAME_RESP 0x91AF
#define MFDES_SUCCESS_FRAME_RESP 0x9100
#define MFDES_EAUTH_RESP 0x91AE
#define MFDES_ENO_SUCH_KEY_RESP 0x9140
#define MFDES_READ_RECORDS 0xBB
#define MFDES_READ_DATA 0xBD
#define MFDES_CREATE_CYCLIC_RECORD_FILE 0xC0
#define MFDES_CREATE_LINEAR_RECORD_FILE 0xC1
#define MFDES_CHANGE_KEY 0xC4
#define MFDES_COMMIT_TRANSACTION 0xC7
#define MFDES_CREATE_APPLICATION 0xCA
#define MFDES_CREATE_BACKUP_DATA_FILE 0xCB
#define MFDES_CREATE_VALUE_FILE 0xCC
#define MFDES_CREATE_STD_DATA_FILE 0xCD
#define MFDES_CLEAR_RECORD_FILE 0xEB
#define MFDES_DELETE_APPLICATION 0xDA
#define MFDES_DELETE_FILE 0xDF
#define MFDES_GET_FILE_SETTINGS 0xF5
#define MFDES_FORMAT_PICC 0xFC
// LEGIC Commands // LEGIC Commands
#define LEGIC_MIM_22 0x0D #define LEGIC_MIM_22 0x0D