diff --git a/CHANGELOG.md b/CHANGELOG.md index 0f15617c0..f32ea1497 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] + - Updates `hf mfdes` functions, improved logging and added new commands (@bkerler) - Updated 'legic.lua' and 'legic_clone.lua' script - works with current command set (@Pizza_4u) - Rewrote `hf mfdes` functions and added apdu debugging (@bkerler) - Add Mifare Desfire GetDFNames and improve HF MFDES Enum output (@bkerler) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index b2f45d117..ba2b20d2d 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -16,6 +16,7 @@ #include "commonutil.h" #include "util.h" #include "mifare.h" +#include "ticks.h" #define MAX_APPLICATION_COUNT 28 #define MAX_FILE_COUNT 16 @@ -103,7 +104,7 @@ void MifareDesfireGetInformation() { uint8_t versionSW[7]; uint8_t details[14]; } PACKED payload; - + /* 1 = PCB 1 2 = cid 2 @@ -137,7 +138,7 @@ void MifareDesfireGetInformation() { memcpy(payload.uid, card.uid, sizeof(payload.uid)); LED_A_ON(); - uint8_t cmd[] = {GET_VERSION, 0x00, 0x00, 0x00}; + uint8_t cmd[] = {0x90, GET_VERSION, 0x00, 0x00, 0x00}; size_t cmd_len = sizeof(cmd); len = DesfireAPDU(cmd, cmd_len, resp); @@ -152,7 +153,7 @@ void MifareDesfireGetInformation() { memcpy(payload.versionHW, resp + 1, sizeof(payload.versionHW)); // ADDITION_FRAME 1 - cmd[0] = ADDITIONAL_FRAME; + cmd[1] = ADDITIONAL_FRAME; len = DesfireAPDU(cmd, cmd_len, resp); if (!len) { print_result("ERROR <--: ", resp, len); 
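Review bot: The CLA byte `0x90` is written as a bare literal in the new `cmd[]` initializer here and in every other wrapped command this commit builds in mifaredesfire.c (the -152, -246, -297, -454 and -494 hunks, plus the commented-out CHANGE_KEY block), while the `ADDITIONAL_FRAME` and `GET_VERSION` bytes next to it already have names. A single constant next to `MAX_APPLICATION_COUNT`, e.g. `#define DESFIRE_CLA_WRAP 0x90 // ISO 7816 wrapping of native commands` (name constructed), would make the wrapping visible at each call site and give the `cmd[1] = ADDITIONAL_FRAME;` index shift below a reason a reader can see. The client side has the same literal in every `sAPDU` initializer and could share the name.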
@@ -178,7 +179,7 @@ void MifareDesfireGetInformation() { LED_B_ON(); reply_ng(CMD_HF_DESFIRE_INFO, PM3_SUCCESS, (uint8_t *)&payload, sizeof(payload)); LED_B_OFF(); - + // reset the pcb_blocknum, pcb_blocknum = 0; OnSuccess(); @@ -246,9 +247,15 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) else if (arg1 == 1) Desfire_des_key_new(keybytes, key); - cmd[0] = AUTHENTICATE; - cmd[1] = arg2; //keynumber - len = DesfireAPDU(cmd, 2, resp); + cmd[0] = 0x90; + cmd[1] = AUTHENTICATE; + cmd[2] = 0x0; + cmd[3] = 0x0; + cmd[4] = 0x1; + cmd[5] = arg2; //keynumber + cmd[6] = 0x0; + len = DesfireAPDU(cmd, 7, resp); + if (!len) { if (DBGLEVEL >= DBG_ERROR) { DbpString("Authentication failed. Card timeout."); @@ -257,14 +264,13 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) return; } - if (resp[2] == 0xaf) { - } else { + if (resp[2] == (uint8_t)0xaf) { DbpString("Authentication failed. Invalid key number."); OnError(3); return; } - memcpy(encRndB, resp + 3, 8); + memcpy(encRndB, resp + 1, 8); if (arg1 == 2) tdes_dec(&decRndB, &encRndB, key->data); else if (arg1 == 1) @@ -275,6 +281,11 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) // This should be random uint8_t decRndA[8] = {0x00}; + uint32_t value = prng_successor(GetTickCount(), 32); + num_to_bytes(value, 4, &decRndA[0]); + value = prng_successor(GetTickCount(), 32); + num_to_bytes(value, 4, &decRndA[4]); + memcpy(RndA, decRndA, 8); uint8_t encRndA[8] = {0x00}; 
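Review bot: The rewritten check `if (resp[2] == (uint8_t)0xaf)` rejects the reply that the old code accepted, and it also reads the wrong byte: the old code failed only when the byte was not 0xAF, and with the wrapped format the status bytes now trail the data (the -309 hunk below reads `resp[len - 3]`, the AES path reads `resp[1 + 16 + 1]`), so `resp[2]` is the second byte of the encrypted RndB. The effect is that a genuine additional-frame reply is reported as "Invalid key number" whenever that ciphertext byte happens to be 0xAF, and a real error status is never detected. Something like `if (len < 11 || resp[len - 3] != 0xaf) {` (PCB, 8 ciphertext bytes, two status bytes, plus whatever CRC `len` includes) keeps the original intent and guards the index. The new case-2 block in the -433 hunk repeats the inverted test with `resp[2]`, even though its own later `resp[1] == 0x00` test places the status byte at `resp[1]` for the native format it uses. `MifareDES_Auth1` continues on both sides of this hunk.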
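Review bot: `decRndA` is now filled from two back-to-back calls to `prng_successor(GetTickCount(), 32)` while the `// This should be random` comment above is kept, and `prng_successor` is a deterministic function of its seed, so the reader-side challenge is only as unpredictable as the tick counter; if `GetTickCount()` has coarse granularity (not visible here) both halves of RndA may even be identical. RndA feeds `Desfire_session_key_new`, so a guessable RndA weakens the derived session key rather than just the challenge. If the firmware has a hardware or better-seeded RNG, use it here; otherwise replace the comment with one that states the limitation, e.g. `// RndA derived from the tick counter: not cryptographically random`. The same construction builds the 16-byte AES `nonce` in the -482 hunk and the case-2 RndA in the -433 hunk.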
@@ -297,10 +308,14 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memcpy(both + 8, encRndB, 8); - cmd[0] = ADDITIONAL_FRAME; - memcpy(cmd + 1, both, 16); - - len = DesfireAPDU(cmd, 17, resp); + cmd[0] = 0x90; + cmd[1] = ADDITIONAL_FRAME; + cmd[2] = 0x00; + cmd[3] = 0x00; + cmd[4] = 0x10; + memcpy(cmd + 5, both, 16); + cmd[16 + 5] = 0x0; + len = DesfireAPDU(cmd, 5 + 16 + 1, resp); if (!len) { if (DBGLEVEL >= DBG_ERROR) { DbpString("Authentication failed. Card timeout."); @@ -309,14 +324,14 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) return; } - if (resp[2] == 0x00) { + if (resp[len - 3] == 0x00) { struct desfire_key sessionKey = {0}; desfirekey_t skey = &sessionKey; Desfire_session_key_new(RndA, RndB, key, skey); //print_result("SESSION : ", skey->data, 8); - memcpy(encRndA, resp + 3, 8); + memcpy(encRndA, resp + 1, 8); if (arg1 == 2) tdes_dec(&encRndA, &encRndA, key->data); @@ -326,19 +341,20 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) rol(decRndA, 8); for (int x = 0; x < 8; x++) { if (decRndA[x] != encRndA[x]) { - DbpString("Authentication failed. Cannot varify PICC."); + DbpString("Authentication failed. Cannot verify PICC."); OnError(4); return; } } //Change the selected key to a new value. - /* + /* // Current key is a 3DES key, change it to a DES key if (arg1 == 2) { - cmd[0] = CHANGE_KEY; - cmd[1] = arg2; + cmd[0] = 0x90; + cmd[1] = CHANGE_KEY; + cmd[2] = arg2; uint8_t newKey[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77}; 
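Review bot: `resp[len - 3]` indexes before the start of `resp` when the reply is shorter than three bytes: `DesfireAPDU` copies whatever `len` it received and the `!len` test above only rejects an empty reply, and the `memcpy(encRndA, resp + 1, 8)` two lines later reads past the received data whenever `len < 9`. Add a minimum-length check after the timeout test, e.g. `if (len < 11) { OnError(3); return; }` (PCB + 8 ciphertext bytes + two status bytes, more if `len` includes the CRC that the `DesfireAPDU` comment mentions). The enclosing `MifareDES_Auth1` body continues on both sides of this hunk.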
@@ -367,20 +383,21 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) buff3[x] = buff3[x] ^ buff2[x]; } tdes_dec(&buff3, &buff3, skey->data); - memcpy(cmd+18,buff3,8); + memcpy(cmd+19,buff3,8); // The command always times out on the first attempt, this will retry until a response // is recieved. len = 0; while(!len) { - len = DesfireAPDU(cmd,26,resp); + len = DesfireAPDU(cmd,27,resp); } } else { // Current key is a DES key, change it to a 3DES key if (arg1 == 1) { - cmd[0] = CHANGE_KEY; - cmd[1] = arg2; + cmd[0] = 0x90; + cmd[1] = CHANGE_KEY; + cmd[2] = arg2; uint8_t newKey[16] = {0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f}; @@ -397,31 +414,31 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) memcpy(buff3 + 1, &second, 1); des_dec(&buff1, &buff1, skey->data); - memcpy(cmd+2,buff1,8); + memcpy(cmd+3,buff1,8); for (int x = 0; x < 8; x++) { buff2[x] = buff2[x] ^ buff1[x]; } des_dec(&buff2, &buff2, skey->data); - memcpy(cmd+10,buff2,8); + memcpy(cmd+11,buff2,8); for (int x = 0; x < 8; x++) { buff3[x] = buff3[x] ^ buff2[x]; } des_dec(&buff3, &buff3, skey->data); - memcpy(cmd+18,buff3,8); + memcpy(cmd+19,buff3,8); // The command always times out on the first attempt, this will retry until a response // is recieved. len = 0; while(!len) { - len = DesfireAPDU(cmd,26,resp); + len = DesfireAPDU(cmd,27,resp); } } } */ - OnSuccess(); + //OnSuccess(); if (arg1 == 2) reply_old(CMD_ACK, 1, 0, 0, skey->data, 16); else if (arg1 == 1) 
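Review bot: `OnSuccess();` is commented out just before the `reply_old` calls with no explanation, and the same is done for the AES path in the -526 hunk and in the new case-2 block of the -433 hunk. If `OnSuccess` is what switches the field and LEDs off after the exchange (its body is not in the diff), the reader now stays powered after authentication; presumably that is intended so the session key can be used by a following command, but it should be written down, e.g. `//OnSuccess(); // keep the field on so the authenticated session survives for the next command`. The other edits in this hunk and in the -367 hunk change the `CHANGE_KEY` block inside a `/* ... */` comment; dead code that is being maintained should either be re-enabled or removed rather than updated in place.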
@@ -433,11 +450,139 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) } } break; - case 2: + case 2: { //SendDesfireCommand(AUTHENTICATE_ISO, &arg2, resp); - break; - case 3: { + uint8_t keybytes[16]; + uint8_t RndA[8] = {0x00}; + uint8_t RndB[8] = {0x00}; + if (arg1 == 2) { + if (datain[1] == 0xff) { + memcpy(keybytes, PICC_MASTER_KEY16, 16); + } else { + memcpy(keybytes, datain + 1, datalen); + } + } else { + if (arg1 == 1) { + if (datain[1] == 0xff) { + uint8_t null_key_data8[8] = {0x00}; + memcpy(keybytes, null_key_data8, 8); + } else { + memcpy(keybytes, datain + 1, datalen); + } + } + } + + struct desfire_key defaultkey = {0}; + desfirekey_t key = &defaultkey; + + if (arg1 == 2) + Desfire_3des_key_new_with_version(keybytes, key); + else if (arg1 == 1) + Desfire_des_key_new(keybytes, key); + + cmd[0] = AUTHENTICATE; + cmd[1] = arg2; //keynumber + len = DesfireAPDU(cmd, 2, resp); + + if (!len) { + if (DBGLEVEL >= DBG_ERROR) { + DbpString("Authentication failed. Card timeout."); + } + OnError(3); + return; + } + + if (resp[2] == (uint8_t)0xaf) { + DbpString("Authentication failed. 
Invalid key number."); + OnError(3); + return; + } + + memcpy(encRndB, resp + 2, 8); + if (arg1 == 2) + tdes_dec(&decRndB, &encRndB, key->data); + else if (arg1 == 1) + des_dec(&decRndB, &encRndB, key->data); + + memcpy(RndB, decRndB, 8); + rol(decRndB, 8); + + // This should be random + uint8_t decRndA[8] = {0x00}; + uint32_t value = prng_successor(GetTickCount(), 32); + num_to_bytes(value, 4, &decRndA[0]); + value = prng_successor(GetTickCount(), 32); + num_to_bytes(value, 4, &decRndA[4]); + + memcpy(RndA, decRndA, 8); + uint8_t encRndA[8] = {0x00}; + + if (arg1 == 2) + tdes_dec(&encRndA, &decRndA, key->data); + else if (arg1 == 1) + des_dec(&encRndA, &decRndA, key->data); + + memcpy(both, encRndA, 8); + + for (int x = 0; x < 8; x++) { + decRndB[x] = decRndB[x] ^ encRndA[x]; + + } + + if (arg1 == 2) + tdes_dec(&encRndB, &decRndB, key->data); + else if (arg1 == 1) + des_dec(&encRndB, &decRndB, key->data); + + memcpy(both + 8, encRndB, 8); + + cmd[0] = ADDITIONAL_FRAME; + memcpy(cmd + 1, both, 16); + len = DesfireAPDU(cmd, 1 + 16, resp); + if (!len) { + if (DBGLEVEL >= DBG_ERROR) { + DbpString("Authentication failed. Card timeout."); + } + OnError(3); + return; + } + + if (resp[1] == 0x00) { + struct desfire_key sessionKey = {0}; + desfirekey_t skey = &sessionKey; + Desfire_session_key_new(RndA, RndB, key, skey); + //print_result("SESSION : ", skey->data, 8); + + memcpy(encRndA, resp + 2, 8); + + if (arg1 == 2) + tdes_dec(&encRndA, &encRndA, key->data); + else if (arg1 == 1) + des_dec(&encRndA, &encRndA, key->data); + + rol(decRndA, 8); + for (int x = 0; x < 8; x++) { + if (decRndA[x] != encRndA[x]) { + DbpString("Authentication failed. 
Cannot verify PICC."); + OnError(4); + return; + } + } + + //OnSuccess(); + if (arg1 == 2) + reply_old(CMD_ACK, 1, 0, 0, skey->data, 16); + else if (arg1 == 1) + reply_old(CMD_ACK, 1, 0, 0, skey->data, 8); + } else { + DbpString("Authentication failed."); + OnError(6); + return; + } + } + break; + case 3: { //defaultkey uint8_t keybytes[16] = {0x00}; if (datain[1] == 0xff) { @@ -454,13 +599,14 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) uint8_t IV[16] = {0x00}; mbedtls_aes_init(&ctx); - cmd[0] = AUTHENTICATE_AES; - cmd[1] = 0x0; + cmd[0] = 0x90; + cmd[1] = AUTHENTICATE_AES; cmd[2] = 0x0; - cmd[3] = 0x1; - cmd[4] = arg2; //keynumber - cmd[5] = 0x0; - len = DesfireAPDU(cmd, 6, resp); + cmd[3] = 0x0; + cmd[4] = 0x1; + cmd[5] = arg2; //keynumber + cmd[6] = 0x0; + len = DesfireAPDU(cmd, 7, resp); if (!len) { if (DBGLEVEL >= DBG_ERROR) { DbpString("Authentication failed. Card timeout."); @@ -482,6 +628,14 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_DECRYPT, 16, IV, encRndB, decRndB); rol(decRndB, 16); uint8_t nonce[16] = {0x00}; + uint32_t val = prng_successor(GetTickCount(), 32); + num_to_bytes(val, 4, &nonce[0]); + val = prng_successor(GetTickCount(), 32); + num_to_bytes(val, 4, &nonce[4]); + val = prng_successor(GetTickCount(), 32); + num_to_bytes(val, 4, &nonce[8]); + val = prng_successor(GetTickCount(), 32); + num_to_bytes(val, 4, &nonce[12]); memcpy(both, nonce, 16); memcpy(both + 16, decRndB, 16); uint8_t encBoth[32] = {0x00}; 
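Review bot: `memcpy(keybytes, datain + 1, datalen);` copies a caller-controlled length into the 16-byte `keybytes` with no bound; `datalen` is not declared in the hunk, so if it is the raw payload length any value above 16 overruns the stack buffer. Bound it, `memcpy(keybytes, datain + 1, MIN(datalen, sizeof(keybytes)));`, or reject oversize input up front (the existing case-1 block outside the hunk may have the same pattern and should get the same fix). The block is labelled ISO authentication by the `//SendDesfireCommand(AUTHENTICATE_ISO, ...)` comment but sends `AUTHENTICATE`, and its first status test `resp[2] == (uint8_t)0xaf` disagrees with the `memcpy(encRndB, resp + 2, 8)` and the later `resp[1] == 0x00` test, both of which place the status byte at `resp[1]`; the test is also inverted, since 0xAF is the expected additional-frame status. The rest of the block duplicates case 1 almost line for line, so a shared helper taking the command byte and the key would remove the copy. `MifareDES_Auth1` continues outside the hunk.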
@@ -494,14 +648,15 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) } mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT, 32, IV, both, encBoth); - cmd[0] = ADDITIONAL_FRAME; - cmd[1] = 0x00; + cmd[0] = 0x90; + cmd[1] = ADDITIONAL_FRAME; cmd[2] = 0x00; - cmd[3] = 0x20; - memcpy(cmd + 4, encBoth, 32); - cmd[36]=0x0; + cmd[3] = 0x00; + cmd[4] = 0x20; + memcpy(cmd + 5, encBoth, 32); + cmd[32 + 5] = 0x0; - len = DesfireAPDU(cmd, 37, resp); // 4 + 32 + 1 == 37 + len = DesfireAPDU(cmd, 5 + 32 + 1, resp); if (!len) { if (DBGLEVEL >= DBG_ERROR) { DbpString("Authentication failed. Card timeout."); @@ -510,7 +665,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) return; } - if ((resp[1+16] == 0x91)&&(resp[1+16+1] == 0x00)) { + if ((resp[1 + 16] == 0x91) && (resp[1 + 16 + 1] == 0x00)) { // Create AES Session key struct desfire_key sessionKey = {0}; desfirekey_t skey = &sessionKey; @@ -526,7 +681,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) } } - OnSuccess(); + //OnSuccess(); reply_mix(CMD_ACK, 1, len, 0, resp, len); } @@ -557,10 +712,10 @@ int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout) { // if we received an I- or R(ACK)-Block with a block number equal to the // current block number, toggle the current block number if (len >= 4 // PCB+CID+CRC = 4 bytes - && ((resp[0] & 0xC0) == 0 // I-Block - || (resp[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0 - && (resp[0] & 0x01) == pcb_blocknum) { // equal block numbers - pcb_blocknum ^= 1; //toggle next block + && ((resp[0] & 0xC0) == 0 // I-Block + || (resp[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0 + && (resp[0] & 0x01) == pcb_blocknum) { // equal block numbers + pcb_blocknum ^= 1; //toggle next block } memcpy(dataout, resp, len); 
@@ -570,7 +725,7 @@ int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout) { // CreateAPDU size_t CreateAPDU(uint8_t *datain, size_t len, uint8_t *dataout) { - size_t cmdlen = MIN(len + 4, PM3_CMD_DATA_SIZE - 1); + size_t cmdlen = MIN(len + 3, PM3_CMD_DATA_SIZE - 1); uint8_t cmd[cmdlen]; memset(cmd, 0, cmdlen); @@ -578,18 +733,18 @@ size_t CreateAPDU(uint8_t *datain, size_t len, uint8_t *dataout) { cmd[0] = 0x02; // 0x0A = send cid, 0x02 = no cid. cmd[0] |= pcb_blocknum; // OR the block number into the PCB - if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("pcb_blocknum %d == %d ", pcb_blocknum, cmd[0] ); + if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("pcb_blocknum %d == %d ", pcb_blocknum, cmd[0]); - cmd[1] = 0x90; // CID: 0x00 //TODO: allow multiple selected cards + //cmd[1] = 0x90; // CID: 0x00 //TODO: allow multiple selected cards - memcpy(cmd + 2, datain, len); - AddCrc14A(cmd, len + 2); - -/* -hf 14a apdu -sk 90 60 00 00 00 -hf 14a apdu -k 90 AF 00 00 00 -hf 14a apdu 90AF000000 -*/ + memcpy(cmd + 1, datain, len); + AddCrc14A(cmd, len + 1); + + /* + hf 14a apdu -sk 90 60 00 00 00 + hf 14a apdu -k 90 AF 00 00 00 + hf 14a apdu 90AF000000 + */ memcpy(dataout, cmd, cmdlen); return cmdlen; } diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c index b0bf532b0..6d269e38e 100644 --- a/armsrc/mifareutil.c +++ b/armsrc/mifareutil.c @@ -697,7 +697,7 @@ int mifare_desfire_des_auth1(uint32_t uid, uint8_t *blockData) { int mifare_desfire_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData) { int len; - uint8_t data[17] = {MFDES_AUTHENTICATION_FRAME}; + uint8_t data[17] = {MFDES_ADDITIONAL_FRAME}; memcpy(data + 1, key, 16); uint8_t receivedAnswer[MAX_FRAME_SIZE] = {0x00}; diff --git a/client/cmdhflist.c b/client/cmdhflist.c index 871cd68a3..52894c52b 100644 --- a/client/cmdhflist.c +++ b/client/cmdhflist.c 
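Review bot: `memcpy(cmd + 1, datain, len)` still copies the full `len` even though `cmdlen` was clamped to `PM3_CMD_DATA_SIZE - 1` in the previous hunk, so a `len` greater than `PM3_CMD_DATA_SIZE - 4` writes past the end of the `cmd` VLA, and `AddCrc14A(cmd, len + 1)` then writes two more bytes beyond it. Either reject oversize input before allocating, e.g. `if (len + 3 > PM3_CMD_DATA_SIZE - 1) return 0;` (if callers treat 0 as failure), or copy `cmdlen - 3` bytes and return the truncated length; the clamp alone only hides the size mismatch. The same gap existed before with `+ 4` / `cmd + 2`, but the commit touches both lines, and the VLA itself would be safer as a fixed `uint8_t cmd[PM3_CMD_DATA_SIZE]` now that the maximum is known.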
@@ -675,7 +675,7 @@ void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { // it's basically a ISO14443a tag, so try annotation from there if (applyIso14443a(exp, size, cmd, cmdsize) == 0) { - + // S-block 11xxx010 if ((cmd[0] & 0xC0) && (cmdsize == 3)) { switch ((cmd[0] & 0x30)) { @@ -707,9 +707,9 @@ void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { if ((cmd[0] & 0x04) == 0x04) // nad byte following pos++; - + for (uint8_t i = 0; i < 2; i++, pos++) { - + switch (cmd[pos]) { case MFDES_CREATE_APPLICATION: snprintf(exp, size, "CREATE APPLICATION"); @@ -819,7 +819,7 @@ void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { case MFDES_GET_KEY_VERSION: snprintf(exp, size, "GET KEY VERSION"); break; - case MFDES_AUTHENTICATION_FRAME: + case MFDES_ADDITIONAL_FRAME: snprintf(exp, size, "AUTH FRAME / NEXT FRAME"); break; default: diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 931471961..3e21d60be 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -34,6 +34,8 @@ uint8_t key_ones_data[16] = { 0x01 }; uint8_t key_defa_data[16] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f }; uint8_t key_picc_data[16] = { 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f }; +#define status(x) ( ((uint16_t)(0x91<<8)) + x ) + typedef enum { UNKNOWN = 0, MF3ICD40, 
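Review bot: `#define status(x) ( ((uint16_t)(0x91<<8)) + x )` does not parenthesize `x`, so `status(a | b)` or `status(c ? d : e)` groups wrongly, and `+` carries into the 0x91 byte if a value above 0xFF is ever passed. Write it as `#define status(x) ((uint16_t)((0x91 << 8) | ((x) & 0xFF)))`, and since a lowercase function-like macro named `status` shadows any function of that name, an upper-case name such as `MFDES_SW(x)` (name constructed) or a `static inline` function would be the usual form while the call sites are still few.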
@@ -105,41 +107,186 @@ int DESFIRESendApdu(bool activate_field, bool leavefield_on, sAPDU apdu, uint8_t if (sw) *sw = isw; - if (isw != 0x9000 && isw != MFDES_SUCCESS_FRAME_RESP && isw != MFDES_ADDITIONAL_FRAME_RESP) { + if (isw != 0x9000 && isw != status(MFDES_OPERATION_OK) && isw != status(MFDES_SIGNATURE) && isw != status(MFDES_ADDITIONAL_FRAME) && isw != status(MFDES_NO_CHANGES)) { if (GetAPDULogging()) { if (isw >> 8 == 0x61) { - PrintAndLogEx(ERR, "APDU chaining len:%02x -->", isw & 0xff); + PrintAndLogEx(ERR, "APDU chaining len: 0x%02x -->", isw & 0xff); } else { - PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff)); + PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [0x%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff)); return PM3_EAPDU_FAIL; } } + return PM3_EAPDU_FAIL; } - return PM3_SUCCESS; } +static char *getstatus(uint16_t *sw) { + if (sw == NULL) return "--> sw argument error. This should never happen !"; + if (((*sw >> 8) & 0xFF) == 0x91) { + switch (*sw & 0xFF) { + case MFDES_E_OUT_OF_EEPROM: + return "Out of Eeprom, insufficient NV-Memory to complete command"; + case MFDES_E_ILLEGAL_COMMAND_CODE: + return "Command code not supported"; + + case MFDES_E_INTEGRITY_ERROR: + return "CRC or MAC does not match data / Padding bytes invalid"; + + case MFDES_E_NO_SUCH_KEY: + return "Invalid key number specified"; + + case MFDES_E_LENGTH: + return "Length of command string invalid"; + + case MFDES_E_PERMISSION_DENIED: + return "Current configuration/status does not allow the requested command"; + + case MFDES_E_PARAMETER_ERROR: + return "Value of the parameter(s) invalid"; + + case MFDES_E_APPLICATION_NOT_FOUND: + return "Requested AID not present on PICC"; + + case MFDES_E_APPL_INTEGRITY: + return "Application integrity error, application will be disabled"; + + case MFDES_E_AUTHENTIFICATION_ERROR: + return "Current authentication status does not allow the 
requested command"; + + case MFDES_E_BOUNDARY: + return "Attempted to read/write data from/to beyong the file's/record's limit"; + + case MFDES_E_PICC_INTEGRITY: + return "PICC integrity error, PICC will be disabled"; + + case MFDES_E_COMMAND_ABORTED: + return "Previous command was not fully completed / Not all Frames were requested or provided by the PCD"; + + case MFDES_E_PICC_DISABLED: + return "PICC was disabled by an unrecoverable error"; + + case MFDES_E_COUNT: + return "Application count is limited to 28, not addition CreateApplication possible"; + + case MFDES_E_DUPLICATE: + return "Duplicate entry: File/Application does already exist"; + + case MFDES_E_EEPROM: + return "Eeprom error due to loss of power, internal backup/rollback mechanism activated"; + + case MFDES_E_FILE_NOT_FOUND: + return "Specified file number does not exist"; + + case MFDES_E_FILE_INTEGRITY: + return "File integrity error, file will be disabled"; + + default: + return "Unknown error"; + } + } + return "Unknown error"; +} + +static char *GetErrorString(int res, uint16_t *sw) { + switch (res) { + case PM3_EAPDU_FAIL: + return getstatus(sw); + case PM3_EUNDEF: + return "Undefined error"; + case PM3_EINVARG: + return "Invalid argument(s)"; + case PM3_EDEVNOTSUPP: + return "Operation not supported by device"; + case PM3_ETIMEOUT: + return "Operation timed out"; + case PM3_EOPABORTED: + return "Operation aborted (by user)"; + case PM3_ENOTIMPL: + return "Not (yet) implemented"; + case PM3_ERFTRANS: + return "Error while RF transmission"; + case PM3_EIO: + return "Input / output error"; + case PM3_EOVFLOW: + return "Buffer overflow"; + case PM3_ESOFT: + return "Software error"; + case PM3_EFLASH: + return "Flash error"; + case PM3_EMALLOC: + return "Memory allocation error"; + case PM3_EFILE: + return "File error"; + case PM3_ENOTTY: + return "Generic TTY error"; + case PM3_EINIT: + return "Initialization error"; + case PM3_EWRONGANSVER: + return "Expected a different answer error"; + case 
PM3_EOUTOFBOUND: + return "Memory out-of-bounds error"; + case PM3_ECARDEXCHANGE: + return "Exchange with card error"; + case PM3_EAPDU_ENCODEFAIL: + return "Failed to create APDU"; + case PM3_ENODATA: + return "No data"; + case PM3_EFATAL: + return "Fatal error"; + default: + break; + } + return ""; +} + + +static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_len, uint16_t *sw, int splitbysize, bool readalldata) { + if (g_debugMode > 1) { + if (apdu == NULL) PrintAndLogEx(ERR, "APDU=NULL"); + if (dest == NULL) PrintAndLogEx(ERR, "DEST=NULL"); + if (sw == NULL) PrintAndLogEx(ERR, "SW=NULL"); + if (recv_len == NULL) PrintAndLogEx(ERR, "RECV_LEN=NULL"); + } + if (apdu == NULL || sw == NULL || recv_len == NULL) return PM3_EINVARG; -static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_len, uint16_t *sw, int splitbysize) { - //SetAPDULogging(true); *sw = 0; uint8_t data[255 * 5] = {0x00}; int resplen = 0; int pos = 0; int i = 1; int res = DESFIRESendApdu(select, true, *apdu, data, sizeof(data), &resplen, sw); - if (res != PM3_SUCCESS) return res; - if (*sw != MFDES_ADDITIONAL_FRAME_RESP && *sw != MFDES_SUCCESS_FRAME_RESP) return PM3_ESOFT; + if (res != PM3_SUCCESS) { + if (g_debugMode > 1) GetErrorString(res, sw); + return res; + } if (dest != NULL) { memcpy(dest, data, resplen); } pos += resplen; - if (*sw == MFDES_ADDITIONAL_FRAME_RESP) { + if (!readalldata) { + if (*sw == status(MFDES_ADDITIONAL_FRAME)) { + apdu->INS = MFDES_ABORT_TRANSACTION; + apdu->Lc = 0; + apdu->P1 = 0; + apdu->P2 = 0; + res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw); + return PM3_SUCCESS; + } + return res; + } + while (*sw == status(MFDES_ADDITIONAL_FRAME)) { apdu->INS = MFDES_ADDITIONAL_FRAME; //0xAF + apdu->Lc = 0; + apdu->P1 = 0; + apdu->P2 = 0; res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw); - if (res != PM3_SUCCESS) return res; + if (res != PM3_SUCCESS) { + if (g_debugMode > 1) 
GetErrorString(res, sw); + return res; + } if (dest != NULL) { if (splitbysize) { memcpy(&dest[i * splitbysize], data, resplen); @@ -149,12 +296,12 @@ static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_l } } pos += resplen; + if (*sw != status(MFDES_ADDITIONAL_FRAME)) break; } if (splitbysize) *recv_len = i; else { *recv_len = pos; } - //SetAPDULogging(false); return PM3_SUCCESS; } 
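Review bot: `if (g_debugMode > 1) GetErrorString(res, sw);` in both error paths of `send_desfire_cmd` calls a pure lookup and discards its result, so nothing is logged; it should be `if (g_debugMode > 1) PrintAndLogEx(ERR, "%s", GetErrorString(res, sw));`. In the `!readalldata` branch the result of the abort `DESFIRESendApdu` is dropped and `PM3_SUCCESS` is returned regardless, which is fine as best effort but deserves the same debug print. `getstatus` and `GetErrorString` return pointers to string literals and should be declared `static const char *` so callers cannot write through them. Two of the new status strings carry typos (`beyong`, `not addition CreateApplication possible`) that will appear verbatim in user-facing warnings.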
@@ -175,47 +322,48 @@ static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { return UNKNOWN; } -//none +//none, verified static int test_desfire_authenticate() { uint8_t data[] = {0x00}; sAPDU apdu = {0x90, MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, data}; // 0x0A, KEY 0 int recv_len = 0; uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0); + return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0, false); } -// none +// none, verified static int test_desfire_authenticate_iso() { uint8_t data[] = {0x00}; sAPDU apdu = {0x90, MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, data}; // 0x1A, KEY 0 int recv_len = 0; uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0); + return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0, false); } -//none +//none, verified static int test_desfire_authenticate_aes() { uint8_t data[] = {0x00}; sAPDU apdu = {0x90, MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, data}; // 0xAA, KEY 0 int recv_len = 0; uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0); + return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0, false); } -// --- FREE MEM +// --- FREE MEM, verified static int desfire_print_freemem(uint32_t free_mem) { PrintAndLogEx(SUCCESS, " Available free memory on card : " _GREEN_("%d bytes"), free_mem); return PM3_SUCCESS; } -// init / disconnect +// init / disconnect, verified static int get_desfire_freemem(uint32_t *free_mem) { + if (free_mem == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_FREE_MEMORY, 0x00, 0x00, 0x00, NULL}; // 0x6E int recv_len = 0; uint16_t sw = 0; uint8_t fmem[4] = {0}; - int res = send_desfire_cmd(&apdu, true, fmem, &recv_len, &sw, 0); + int res = send_desfire_cmd(&apdu, true, fmem, &recv_len, &sw, 0, true); if (res == PM3_SUCCESS) { *free_mem = le24toh(fmem); return res; 
@@ -225,9 +373,13 @@ static int get_desfire_freemem(uint32_t *free_mem) { } -// --- GET SIGNATURE +// --- GET SIGNATURE, verified static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t signature_len, desfire_cardtype_t card_type) { - + if (g_debugMode > 1) { + if (uid == NULL) PrintAndLogEx(ERR, "UID=NULL"); + if (signature == NULL) PrintAndLogEx(ERR, "SIGNATURE=NULL"); + } + if (uid == NULL || signature == NULL) return PM3_EINVARG; // DESFire Ev3 - wanted // ref: MIFARE Desfire Originality Signature Validation @@ -277,13 +429,18 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign return PM3_SUCCESS; } -// init / disconnect +// init / disconnect, verified static int get_desfire_signature(uint8_t *signature, size_t *signature_len) { + if (g_debugMode > 1) { + if (signature == NULL) PrintAndLogEx(ERR, "SIGNATURE=NULL"); + if (signature_len == NULL) PrintAndLogEx(ERR, "SIGNATURE_LEN=NULL"); + } + if (signature == NULL || signature_len == NULL) return PM3_EINVARG; uint8_t c = 0x00; sAPDU apdu = {0x90, MFDES_READSIG, 0x00, 0x00, 0x01, &c}; // 0x3C int recv_len = 0; uint16_t sw = 0; - int res = send_desfire_cmd(&apdu, true, signature, &recv_len, &sw, 0); + int res = send_desfire_cmd(&apdu, true, signature, &recv_len, &sw, 0, true); if (res == PM3_SUCCESS) { if (recv_len != 56) { *signature_len = 0; @@ -304,7 +461,7 @@ static int get_desfire_signature(uint8_t *signature, size_t *signature_len) { // --- KEY SETTING static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys) { - PrintAndLogEx(SUCCESS, " AID Key settings : %02x", key_settings); + PrintAndLogEx(SUCCESS, " AID Key settings : 0x%02x", key_settings); PrintAndLogEx(SUCCESS, " Max number of keys in AID : %d", num_keys); PrintAndLogEx(INFO, "-------------------------------------------------------------"); PrintAndLogEx(SUCCESS, " Changekey Access rights"); 
@@ -333,19 +490,18 @@ static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys) { return PM3_SUCCESS; } -// none +// none, verified static int get_desfire_keysettings(uint8_t *key_settings, uint8_t *num_keys) { + if (g_debugMode > 1) { + if (key_settings == NULL) PrintAndLogEx(ERR, "KEY_SETTINGS=NULL"); + if (num_keys == NULL) PrintAndLogEx(ERR, "NUM_KEYS=NULL"); + } + if (key_settings == NULL || num_keys == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00, NULL}; //0x45 int recv_len = 0; uint16_t sw = 0; uint8_t data[2] = {0}; - if (num_keys == NULL) return PM3_ESOFT; - if (key_settings == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, false, data, &recv_len, &sw, 0); - if (sw == MFDES_EAUTH_RESP) { - PrintAndLogEx(WARNING, _RED_("[get_desfire_keysettings] Authentication error")); - return PM3_ESOFT; - } + int res = send_desfire_cmd(&apdu, false, data, &recv_len, &sw, 0, true); if (res != PM3_SUCCESS) return res; *key_settings = data[0]; 
@@ -359,76 +515,361 @@ static int desfire_print_keyversion(uint8_t key_idx, uint8_t key_version) { return PM3_SUCCESS; } -// none +// none, verified static int get_desfire_keyversion(uint8_t curr_key, uint8_t *num_versions) { + if (g_debugMode > 1) { + if (num_versions == NULL) PrintAndLogEx(ERR, "NUM_VERSIONS=NULL"); + } + if (num_versions == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, &curr_key}; //0x64 int recv_len = 0; uint16_t sw = 0; - if (num_versions == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, false, num_versions, &recv_len, &sw, 0); - if (sw == MFDES_ENO_SUCH_KEY_RESP) { - PrintAndLogEx(WARNING, _RED_("[get_desfire_keyversion] Key %d doesn't exist"), curr_key); - return PM3_ESOFT; - } + int res = send_desfire_cmd(&apdu, false, num_versions, &recv_len, &sw, 0, true); return res; } -// init / disconnect +// init / disconnect, verified static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { + if (g_debugMode > 1) { + if (dest == NULL) PrintAndLogEx(ERR, "DEST=NULL"); + if (app_ids_len == NULL) PrintAndLogEx(ERR, "APP_IDS_LEN=NULL"); + } + if (dest == NULL || app_ids_len == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00, NULL}; //0x6a int recv_len = 0; uint16_t sw = 0; - if (dest == NULL) return PM3_ESOFT; - if (app_ids_len == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, true, dest, &recv_len, &sw, 0); + int res = send_desfire_cmd(&apdu, true, dest, &recv_len, &sw, 0, true); if (res != PM3_SUCCESS) return res; *app_ids_len = (uint8_t)recv_len & 0xFF; return res; } +// init, verified static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) { + if (g_debugMode > 1) { + if (dest == NULL) PrintAndLogEx(ERR, "DEST=NULL"); + if (dfname_count == NULL) PrintAndLogEx(ERR, "DFNAME_COUNT=NULL"); + } + if (dest == NULL || dfname_count == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00, NULL}; 
//0x6d int recv_len = 0; uint16_t sw = 0; - if (dest == NULL) return PM3_ESOFT; - if (dfname_count == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, true, (uint8_t *)dest, &recv_len, &sw, sizeof(dfname_t)); + int res = send_desfire_cmd(&apdu, true, (uint8_t *)dest, &recv_len, &sw, sizeof(dfname_t), true); if (res != PM3_SUCCESS) return res; *dfname_count = recv_len; return res; } -// init +// init, verified static int get_desfire_select_application(uint8_t *aid) { + if (g_debugMode > 1) { + if (aid == NULL) PrintAndLogEx(ERR, "AID=NULL"); + } + if (aid == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_SELECT_APPLICATION, 0x00, 0x00, 0x03, aid}; //0x5a int recv_len = 0; uint16_t sw = 0; - if (aid == NULL) return PM3_ESOFT; - return send_desfire_cmd(&apdu, true, NULL, &recv_len, &sw, sizeof(dfname_t)); + int res = send_desfire_cmd(&apdu, true, NULL, &recv_len, &sw, sizeof(dfname_t), true); + if (res != PM3_SUCCESS) { + PrintAndLogEx(WARNING, _RED_(" Can't select AID 0x%X -> %s"), (aid[0] << 16) + (aid[1] << 8) + aid[2], GetErrorString(res, &sw)); + DropField(); + return res; + } + return PM3_SUCCESS; } -// none +// none, verified static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) { + if (g_debugMode > 1) { + if (dest == NULL) PrintAndLogEx(ERR, "DEST=NULL"); + if (file_ids_len == NULL) PrintAndLogEx(ERR, "FILE_IDS_LEN=NULL"); + } + if (dest == NULL || file_ids_len == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00, NULL}; //0x6f int recv_len = 0; uint16_t sw = 0; - if (dest == NULL) return PM3_ESOFT; - if (file_ids_len == NULL) return PM3_ESOFT; *file_ids_len = 0; - int res = send_desfire_cmd(&apdu, false, dest, &recv_len, &sw, 0); - if (res != PM3_SUCCESS) return res; + int res = send_desfire_cmd(&apdu, false, dest, &recv_len, &sw, 0, true); + if (res != PM3_SUCCESS) { + PrintAndLogEx(WARNING, _RED_(" Can't get file ids -> %s"), GetErrorString(res, &sw)); + DropField(); + return res; + } 
*file_ids_len = recv_len; return res; } +// none, verified static int get_desfire_filesettings(uint8_t file_id, uint8_t *dest, int *destlen) { + if (g_debugMode > 1) { + if (dest == NULL) PrintAndLogEx(ERR, "DEST=NULL"); + if (destlen == NULL) PrintAndLogEx(ERR, "DESTLEN=NULL"); + } + if (dest == NULL || destlen == NULL) return PM3_EINVARG; sAPDU apdu = {0x90, MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, &file_id}; // 0xF5 uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, dest, destlen, &sw, 0); + int res = send_desfire_cmd(&apdu, false, dest, destlen, &sw, 0, true); + if (res != PM3_SUCCESS) { + PrintAndLogEx(WARNING, _RED_(" Can't get file settings -> %s"), GetErrorString(res, &sw)); + DropField(); + return res; + } + return res; } +typedef struct { + uint8_t aid[3]; + uint8_t keysetting1; + uint8_t keysetting2; + uint8_t fid[2]; + uint8_t name[16]; +} aidhdr_t; + +static int get_desfire_createapp(aidhdr_t *aidhdr) { + if (aidhdr == NULL) return PM3_EINVARG; + sAPDU apdu = {0x90, MFDES_CREATE_APPLICATION, 0x00, 0x00, sizeof(aidhdr_t), (uint8_t *)aidhdr}; // 0xCA + uint16_t sw = 0; + int recvlen = 0; + int res = send_desfire_cmd(&apdu, false, NONE, &recvlen, &sw, 0, true); + if (res != PM3_SUCCESS) { + PrintAndLogEx(WARNING, _RED_(" Can't create aid -> %s"), GetErrorString(res, &sw)); + DropField(); + return res; + } + return res; +} + +static int get_desfire_deleteapp(uint8_t *aid) { + if (aid == NULL) return PM3_EINVARG; + sAPDU apdu = {0x90, MFDES_DELETE_APPLICATION, 0x00, 0x00, 3, aid}; // 0xDA + uint16_t sw = 0; + int recvlen = 0; + int res = send_desfire_cmd(&apdu, false, NONE, &recvlen, &sw, 0, true); + if (res != PM3_SUCCESS) { + PrintAndLogEx(WARNING, _RED_(" Can't delete aid -> %s"), GetErrorString(res, &sw)); + DropField(); + return res; + } + return res; +} + +static int CmdHF14ADesCreateApp(const char *Cmd) { + clearCommandBuffer(); + + CLIParserInit("hf mfdes createaid", + "Create Application ID", + "Usage:\n\t-m Auth type (1=normal, 2=iso, 
3=aes)\n\t-t Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)\n\t-a aid (3 bytes)\n\t-n keyno\n\t-k key (8-24 bytes)\n\n" + "Example:\n\thf mfdes createaid -a 123456 -f 1122 -k 0F -l 2E -n AppName\n" + ); + + void *argtable[] = { + arg_param_begin, + arg_strx0("aA", "aid", "", "App ID to create"), + arg_strx0("fF", "fid", "", "File ID"), + arg_strx0("kK", "keysetting1", "", "Key Setting 1 (Application Master Key Settings)"), + arg_strx0("lL", "keysetting2", "", "Key Setting 2"), + arg_str0("nN", "name", "", "App ISO-4 Name"), + arg_param_end + }; + CLIExecWithReturn(Cmd, argtable, true); + /* KeySetting 1 (AMK Setting): + 0: Allow change master key + 1: Free Directory list access without master key + 0: AMK auth needed for GetFileSettings and GetKeySettings + 1: No AMK auth needed for GetFileIDs, GetISOFileIDs, GetFileSettings, GetKeySettings + 2: Free create/delete without master key + 0: CreateFile/DeleteFile only with AMK auth + 1: CreateFile/DeleteFile always + 3: Configuration changable + 0: Configuration frozen + 1: Configuration changable if authenticated with AMK (default) + 4-7: ChangeKey Access Rights + 0: Application master key needed (default) + 0x1..0xD: Auth with specific key needed to change any key + 0xE: Auth with the key to be changed (same KeyNo) is necessary to change a key + 0xF: All Keys within this application are frozen + + */ + /* KeySetting 2: + 0..3: Number of keys stored within the application (max. 
14 keys + 4: RFU + 5: Use of 2 byte ISO FID, 0: No, 1: Yes + 6..7: Crypto Method 00: DES/3DES, 01: 3K3DES, 10: AES + Example: + 2E = FID, DES, 14 keys + 6E = FID, 3K3DES, 14 keys + AE = FID, AES, 14 keys + */ + int aidlength = 3; + int fidlength = 2; + uint8_t aid[3] = {0}; + uint8_t fid[2] = {0}; + uint8_t name[16] = {0}; + uint8_t keysetting1 = 0; + uint8_t keysetting2 = 0; + int keylen1 = 1; + int keylen2 = 1; + int namelen = 16; + CLIGetHexWithReturn(1, aid, &aidlength); + CLIGetHexWithReturn(2, fid, &fidlength); + CLIGetHexWithReturn(3, &keysetting1, &keylen1); + CLIGetHexWithReturn(4, &keysetting2, &keylen2); + CLIGetStrWithReturn(5, name, &namelen); + CLIParserFree(); + + if (aidlength < 3) { + PrintAndLogEx(ERR, "AID must have 3 bytes length."); + return PM3_EINVARG; + } + + if (fidlength < 2) { + PrintAndLogEx(ERR, "FID must have 2 bytes length."); + return PM3_EINVARG; + } + + if (keylen1 < 1) { + PrintAndLogEx(ERR, "Keysetting1 must have 1 byte length."); + return PM3_EINVARG; + } + + if (keylen1 < 1) { + PrintAndLogEx(ERR, "Keysetting2 must have 1 byte length."); + return PM3_EINVARG; + } + + if (namelen > 16) { + PrintAndLogEx(ERR, "Name has a max. 
of 16 bytes length."); + return PM3_EINVARG; + } + + //90 ca 00 00 0e 3cb849 09 22 10e1 d27600 00850101 00 + /*char name[]="Test"; + uint8_t aid[]={0x12,0x34,0x56}; + uint8_t fid[]={0x11,0x22}; + uint8_t keysetting1=0xEE; + uint8_t keysetting2=0xEE;*/ + + if (memcmp(aid, "\x00\x00\x00", 3) == 0) { + PrintAndLogEx(WARNING, _RED_(" Creating root aid 000000 is forbidden.")); + return PM3_ESOFT; + } + + aidhdr_t aidhdr; + memcpy(aidhdr.aid, aid, sizeof(aid)); + aidhdr.keysetting1 = keysetting1; + aidhdr.keysetting2 = keysetting2; + memcpy(aidhdr.fid, fid, sizeof(fid)); + memcpy(aidhdr.name, name, sizeof(name)); + + uint8_t rootaid[3] = {0x00, 0x00, 0x00}; + int res = get_desfire_select_application(rootaid); + if (res != PM3_SUCCESS) return res; + + return get_desfire_createapp(&aidhdr); +} + +static int CmdHF14ADesDeleteApp(const char *Cmd) { + clearCommandBuffer(); + + CLIParserInit("hf mfdes deleteaid", + "Delete Application ID", + "Usage:\n\t-a aid (3 bytes)\n\n" + "Example:\n\thf mfdes deleteaid -a 123456\n" + ); + + void *argtable[] = { + arg_param_begin, + arg_strx0("aA", "aid", "", "App ID to delete"), + arg_param_end + }; + CLIExecWithReturn(Cmd, argtable, true); + int aidlength = 3; + uint8_t aid[3] = {0}; + CLIGetHexWithReturn(1, aid, &aidlength); + CLIParserFree(); + + if (aidlength < 3) { + PrintAndLogEx(ERR, "AID must have 3 bytes length."); + return PM3_EINVARG; + } + + if (memcmp(aid, "\x00\x00\x00", 3) == 0) { + PrintAndLogEx(WARNING, _RED_(" Deleting root aid 000000 is forbidden.")); + return PM3_ESOFT; + } + + uint8_t rootaid[3] = {0x00, 0x00, 0x00}; + int res = get_desfire_select_application(rootaid); + if (res != PM3_SUCCESS) return res; + return get_desfire_deleteapp(aid); +} + + +static int CmdHF14ADesFormatPICC(const char *Cmd) { + (void) Cmd; // Cmd is not used so far + CLIParserInit("hf mfdes formatpicc", + "Formats MIFARE DESFire PICC to factory state", + "Usage:\n\t-k PICC key (8 bytes)\n\n" + "Example:\n\thf mfdes formatpicc -k 
0000000000000000\n" + ); + + void *argtable[] = { + arg_param_begin, + arg_str0("kK", "key", "", "Key for checking (HEX 16 bytes)"), + arg_param_end + }; + CLIExecWithReturn(Cmd, argtable, true); + + uint8_t key[8] = {0}; + int keylen = 8; + CLIGetHexWithReturn(1, key, &keylen); + CLIParserFree(); + + if ((keylen < 8) || (keylen > 8)) { + PrintAndLogEx(ERR, "Specified key must have 8 bytes length."); + //SetAPDULogging(false); + return PM3_EINVARG; + } + + clearCommandBuffer(); + DropField(); + uint8_t aid[3] = {0}; + int res = get_desfire_select_application(aid); + if (res != PM3_SUCCESS) return res; + uint8_t data[25] = {keylen}; // max length: 1 + 24 (3k3DES) + memcpy(data + 1, key, keylen); + SendCommandOLD(CMD_HF_DESFIRE_AUTH1, 2, 1, 0, data, keylen + 1); + PacketResponseNG resp; + + if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) { + PrintAndLogEx(WARNING, "Client command execute timeout"); + DropField(); + return PM3_ETIMEOUT; + } + + uint8_t isOK = resp.oldarg[0] & 0xff; + if (isOK) { + uint8_t rdata[] = {0xFC}; // 0xFC + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(rdata), 0, rdata, sizeof(rdata)); + if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) { + PrintAndLogEx(WARNING, "Client reset command execute timeout"); + DropField(); + return PM3_ETIMEOUT; + } + if (resp.oldarg[0] & 0xFF) { + PrintAndLogEx(INFO, "Card successfully reset"); + return PM3_SUCCESS; + } + } else { + PrintAndLogEx(WARNING, _RED_("Auth command failed.")); + } + + return PM3_SUCCESS; +} + + static int CmdHF14ADesInfo(const char *Cmd) { (void)Cmd; // Cmd is not used so far @@ -520,6 +961,9 @@ static int CmdHF14ADesInfo(const char *Cmd) { if (get_desfire_signature(signature, &signature_len) == PM3_SUCCESS) desfire_print_signature(package->uid, signature, signature_len, cardtype); + else { + PrintAndLogEx(WARNING, "--- " _YELLOW_("Couldn't verify signature. Unknown public key ?")); + } // Master Key settings uint8_t master_aid[3] = {0x00, 0x00, 0x00}; 
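Review bot: In CmdHF14ADesCreateApp the fourth length check tests `keylen1` a second time while its message reports Keysetting2, so a missing `-l` value is never rejected; it should read `if (keylen2 < 1) {`. In CmdHF14ADesFormatPICC both the "Auth command failed." path and the path where the reset reply's `oldarg[0] & 0xFF` is zero fall through to `return PM3_SUCCESS;`, so a caller cannot tell a failed format from a successful one; returning `PM3_ESOFT` from those two paths fixes that, and the `(void) Cmd; // Cmd is not used so far` line at the top of the same function is stale because Cmd is handed to CLIExecWithReturn a few lines later. The createaid usage text (`-m`, `-t`, `-n keyno`, `-k key`) describes options the argtable does not define; it should list `-a aid`, `-f fid`, `-k keysetting1`, `-l keysetting2`, `-n name`, as the example line already does. get_desfire_createapp and get_desfire_deleteapp pass `NONE` where send_desfire_cmd takes a `uint8_t *` destination; if NONE expands to 0 this works, but `NULL` states the intent.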
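Review bot: The new else branch reports "Couldn't verify signature. Unknown public key ?" for every non-success return of get_desfire_signature, which — if that helper also fails on a transport error or on a card that does not answer ReadSig (its body is outside the hunk) — blames the key for problems that are not key related; a wording such as `"--- " _YELLOW_("Couldn't read or verify signature")` would be accurate in both cases. Bracing only the else arm while the if arm stays unbraced is also inconsistent; brace both.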
@@ -609,22 +1053,21 @@ char *getVersionStr(uint8_t major, uint8_t minor) { return buf; } -void getKeySettings(uint8_t *aid) { - +int getKeySettings(uint8_t *aid) { + if (aid == NULL) return PM3_EINVARG; + int res = 0; if (memcmp(aid, "\x00\x00\x00", 3) == 0) { // CARD MASTER KEY //PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); - if (get_desfire_select_application(aid) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_(" Can't select AID")); - DropField(); - return; - } + res = get_desfire_select_application(aid); + if (res != PM3_SUCCESS) return res; // KEY Settings - AMK uint8_t num_keys = 0; uint8_t key_setting = 0; - if (get_desfire_keysettings(&key_setting, &num_keys) == PM3_SUCCESS) { + res = get_desfire_keysettings(&key_setting, &num_keys); + if (res == PM3_SUCCESS) { // number of Master keys (0x01) PrintAndLogEx(SUCCESS, " Number of Masterkeys : " _YELLOW_("%u"), (num_keys & 0x3F)); @@ -661,15 +1104,15 @@ void getKeySettings(uint8_t *aid) { // Authentication tests int res = test_desfire_authenticate(); - if (res == PM3_ETIMEOUT) return; + if (res == PM3_ETIMEOUT) return res; PrintAndLogEx(SUCCESS, " [0x0A] Authenticate : %s", (res == PM3_SUCCESS) ? _YELLOW_("YES") : "NO"); res = test_desfire_authenticate_iso(); - if (res == PM3_ETIMEOUT) return; + if (res == PM3_ETIMEOUT) return res; PrintAndLogEx(SUCCESS, " [0x1A] Authenticate ISO : %s", (res == PM3_SUCCESS) ? _YELLOW_("YES") : "NO"); res = test_desfire_authenticate_aes(); - if (res == PM3_ETIMEOUT) return; + if (res == PM3_ETIMEOUT) return res; PrintAndLogEx(SUCCESS, " [0xAA] Authenticate AES : %s", (res == PM3_SUCCESS) ? _YELLOW_("YES") : "NO"); PrintAndLogEx(INFO, "-------------------------------------------------------------"); 
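Review bot: The `int res = 0;` added at the top of getKeySettings is shadowed by the unchanged `int res = test_desfire_authenticate();` inside the CMK branch in the second hunk, so two variables of the same name coexist and -Wshadow will flag it; dropping the declarator on the inner line (`res = test_desfire_authenticate();`) keeps a single variable. The same pattern appears in CmdHF14ADesEnumApplications, where the outer `int res = 0;` added in the hunk at -733 is shadowed by the unchanged `int res = get_desfire_filesettings(...)` inside the file loop (hunk at -790). The enclosing function continues outside these hunks.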
@@ -678,16 +1121,14 @@ void getKeySettings(uint8_t *aid) { // AID - APPLICATION MASTER KEYS //PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); - if (get_desfire_select_application(aid) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_(" Can't select AID")); - DropField(); - return; - } + res = get_desfire_select_application(aid); + if (res != PM3_SUCCESS) return res; // KEY Settings - AMK uint8_t num_keys = 0; uint8_t key_setting = 0; - if (get_desfire_keysettings(&key_setting, &num_keys) == PM3_SUCCESS) { + res = get_desfire_keysettings(&key_setting, &num_keys); + if (res == PM3_SUCCESS) { desfire_print_keysetting(key_setting, num_keys); } else { PrintAndLogEx(WARNING, _RED_(" Can't read Application Master key settings")); 
@@ -717,6 +1158,106 @@ void getKeySettings(uint8_t *aid) { } DropField(); + return PM3_SUCCESS; +} + +static void DecodeFileType(uint8_t filetype) { + switch (filetype) { + case 0x00: + PrintAndLogEx(INFO, " File Type: 0x%02X -> Standard Data File", filetype); + break; + case 0x01: + PrintAndLogEx(INFO, " File Type: 0x%02X -> Backup Data File", filetype); + break; + case 0x02: + PrintAndLogEx(INFO, " File Type: 0x%02X -> Value Files with Backup", filetype); + break; + case 0x03: + PrintAndLogEx(INFO, " File Type: 0x%02X -> Linear Record Files with Backup", filetype); + break; + case 0x04: + PrintAndLogEx(INFO, " File Type: 0x%02X -> Cyclic Record Files with Backup", filetype); + break; + default: + PrintAndLogEx(INFO, " File Type: 0x%02X", filetype); + break; + } +} + +static void DecodeComSet(uint8_t comset) { + switch (comset) { + case 0x00: + PrintAndLogEx(INFO, " Com.Setting: 0x%02X -> Plain", comset); + break; + case 0x01: + PrintAndLogEx(INFO, " Com.Setting: 0x%02X -> Plain + MAC", comset); + break; + case 0x03: + PrintAndLogEx(INFO, " Com.Setting: 0x%02X -> Enciphered", comset); + break; + default: + PrintAndLogEx(INFO, " Com.Setting: 0x%02X", comset); + break; + } +} + +static char *DecodeAccessValue(uint8_t value) { + char *car = (char *)malloc(255); + memset(car, 0x0, 255); + switch (value) { + case 0xE: + strcat(car, "(Free Access)"); + break; + case 0xF: + strcat(car, "(Denied Access)"); + break; + default: + sprintf(car, "(Access Key: %d)", value); + break; + } + return car; +} + +static void DecodeAccessRights(uint16_t accrights) { + int change_access_rights = accrights & 0xF; + int read_write_access = (accrights >> 4) & 0xF; + int write_access = (accrights >> 8) & 0xF; + int read_access = (accrights >> 12) & 0xF; + char *car = DecodeAccessValue(change_access_rights); + char *rwa = DecodeAccessValue(read_write_access); + char *wa = DecodeAccessValue(write_access); + char *ra = DecodeAccessValue(read_access); + PrintAndLogEx(INFO, " Access Rights: 
0x%04X - Change %s - RW %s - W %s - R %s", accrights, car, rwa, wa, ra); + free(car); + free(rwa); + free(wa); + free(ra); +} + +static int DecodeFileSettings(uint8_t *filesettings, int fileset_len, int maclen) { + uint8_t filetype = filesettings[0]; + uint8_t comset = filesettings[1]; + + uint16_t accrights = (filesettings[4] << 8) + filesettings[3]; + if (fileset_len == 1 + 1 + 2 + 3 + maclen) { + int filesize = (filesettings[7] << 16) + (filesettings[6] << 8) + filesettings[5]; + DecodeFileType(filetype); + DecodeComSet(comset); + DecodeAccessRights(accrights); + PrintAndLogEx(INFO, " Filesize: %d", filesize); + return PM3_SUCCESS; + } else if (fileset_len == 1 + 1 + 2 + 4 + 4 + 4 + 1 + maclen) { + int lowerlimit = (filesettings[8] << 24) + (filesettings[7] << 16) + (filesettings[6] << 8) + filesettings[5]; + int upperlimit = (filesettings[12] << 24) + (filesettings[11] << 16) + (filesettings[10] << 8) + filesettings[9]; + int limitcredvalue = (filesettings[16] << 24) + (filesettings[15] << 16) + (filesettings[14] << 8) + filesettings[13]; + uint8_t limited_credit_enabled = filesettings[17]; + DecodeFileType(filetype); + DecodeComSet(comset); + DecodeAccessRights(accrights); + PrintAndLogEx(INFO, " Lower limit: %d - Upper limit: %d - limited credit value: %d - limited credit enabled: %d", lowerlimit, upperlimit, limitcredvalue, limited_credit_enabled); + return PM3_SUCCESS; + } + return PM3_ESOFT; } static int CmdHF14ADesEnumApplications(const char *Cmd) { @@ -733,6 +1274,8 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { dfname_t dfnames[255]; uint8_t dfname_count = 0; + int res = 0; + if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) { PrintAndLogEx(ERR, "Can't get list of applications on tag"); DropField(); 
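Review bot: In DecodeFileSettings the accepted lengths and the byte offsets disagree by one: the standard-data branch accepts `fileset_len == 1 + 1 + 2 + 3 + maclen` (7 bytes when maclen is 0) yet reads `filesettings[7]`, and the value-file branch accepts 17 + maclen yet reads `filesettings[17]`, so the last decoded byte always lies one past the data the card returned (the caller's 20-byte zeroed buffer turns this into a silent zero rather than an out-of-bounds read). If the reply carries no leading byte, file type at [0], comm setting at [1] and the two access-rights bytes at [2..3] would put the size at [4..6] and the value-file fields at [4..7], [8..11], [12..15] and [16]; whichever side is right, the offsets and the length checks should be reconciled against a captured GetFileSettings reply, and `accrights` should be read only after `fileset_len` has been validated. DecodeAccessValue additionally mallocs 255 bytes per nibble without checking the result before strcat; a `static const char *` table for 0xE/0xF plus one `snprintf` into a caller-supplied buffer avoids four allocations per file.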
@@ -772,14 +1315,11 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { } } - getKeySettings(aid); + res = getKeySettings(aid); + if (res != PM3_SUCCESS) return res; + res = get_desfire_select_application(aid); - if (get_desfire_select_application(aid) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_(" Can't select AID")); - DropField(); - return PM3_ESOFT; - } // Get File IDs if (get_desfire_fileids(file_ids, &file_ids_len) == PM3_SUCCESS) { @@ -790,15 +1330,15 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { uint8_t filesettings[20] = {0}; int fileset_len = 0; int res = get_desfire_filesettings(j, filesettings, &fileset_len); + int maclen = 0; // To be implemented if (res == PM3_SUCCESS) { - PrintAndLogEx(INFO, " Settings [%u] %s", fileset_len, sprint_hex(filesettings, fileset_len)); + if (DecodeFileSettings(filesettings, fileset_len, maclen) != PM3_SUCCESS) { + PrintAndLogEx(INFO, " Settings [%u] %s", fileset_len, sprint_hex(filesettings, fileset_len)); + } } } } - - - /* // Get ISO File IDs { @@ -831,6 +1371,8 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { // #define BUFSIZE 256 static int CmdHF14ADesAuth(const char *Cmd) { + int res = 0; + DropField(); clearCommandBuffer(); // NR DESC KEYLENGHT // ------------------------ 
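Review bot: The result of `res = get_desfire_select_application(aid);` is assigned but never checked, whereas the removed lines returned on failure; file enumeration then continues against whatever application is currently selected, and since getKeySettings ends with DropField() this re-selection is the one that matters. Add `if (res != PM3_SUCCESS) return res;` directly after it. In the next hunk `int maclen = 0; // To be implemented` is fed into DecodeFileSettings; until MAC handling exists the comment should say that settings returned with a MAC will not match either length and fall back to the hex dump.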
@@ -939,21 +1481,16 @@ static int CmdHF14ADesAuth(const char *Cmd) { return PM3_EINVARG; } - if (get_desfire_select_application(aid) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_(" Can't select AID")); - DropField(); - return PM3_ESOFT; - } - uint8_t file_ids[33] = {0}; - uint8_t file_ids_len = 0; - int res = get_desfire_fileids(file_ids, &file_ids_len); - if (res != PM3_SUCCESS) { - PrintAndLogEx(WARNING, "Get file ids error."); - DropField(); - return res; - } + res = get_desfire_select_application(aid); + if (res != PM3_SUCCESS) return res; + if (memcmp(aid, "\x00\x00\x00", 3) != 0) { + uint8_t file_ids[33] = {0}; + uint8_t file_ids_len = 0; + res = get_desfire_fileids(file_ids, &file_ids_len); + if (res != PM3_SUCCESS) return res; + } // algo, keylength, uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES) @@ -993,6 +1530,9 @@ static command_t CommandTable[] = { {"list", CmdHF14ADesList, AlwaysAvailable, "List DESFire (ISO 14443A) history"}, {"enum", CmdHF14ADesEnumApplications, IfPm3Iso14443a, "Tries enumerate all applications"}, {"auth", CmdHF14ADesAuth, IfPm3Iso14443a, "Tries a MIFARE DesFire Authentication"}, + {"createaid", CmdHF14ADesCreateApp, IfPm3Iso14443a, "Create Application ID"}, + {"deleteaid", CmdHF14ADesDeleteApp, IfPm3Iso14443a, "Delete Application ID"}, + {"formatpicc", CmdHF14ADesFormatPICC, IfPm3Iso14443a, "Format PICC"}, // {"rdbl", CmdHF14ADesRb, IfPm3Iso14443a, "Read MIFARE DesFire block"}, // {"wrbl", CmdHF14ADesWb, IfPm3Iso14443a, "write MIFARE DesFire block"}, {NULL, NULL, NULL, NULL} @@ -1007,5 +1547,6 @@ static int CmdHelp(const char *Cmd) { int CmdHFMFDes(const char *Cmd) { // flush clearCommandBuffer(); + //g_debugMode=2; return CmdsParse(CommandTable, Cmd); } diff --git a/client/cmdhfmfdes.h b/client/cmdhfmfdes.h index 4f6605cff..c1ed4ed60 100644 --- a/client/cmdhfmfdes.h +++ b/client/cmdhfmfdes.h 
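Review bot: The new code probes GetFileIDs before the authentication command is sent and aborts on any error; the key-settings comment in the createaid hunk notes that GetFileIDs can require application-master-key authentication (keysetting1 bit 1 cleared), so for such applications `hf mfdes auth` now fails before it gets a chance to authenticate. The probe result (`file_ids`) is not used afterwards, so the block can be removed or made non-fatal, e.g. `if (res != PM3_SUCCESS) PrintAndLogEx(INFO, "GetFileIDs not permitted before auth");` without returning. The rest of CmdHF14ADesAuth lies outside the hunk.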
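Review bot: `//g_debugMode=2;` in CmdHFMFDes is commented-out debugging code left in the entry point; drop it rather than leave a toggle that a later edit may uncomment and ship, since it would force verbose APDU logging for every user of the command.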
@@ -17,7 +17,7 @@ int CmdHFMFDes(const char *Cmd);
 char *getCardSizeStr(uint8_t fsize);
 char *getProtocolStr(uint8_t id);
 char *getVersionStr(uint8_t major, uint8_t minor);
-void getKeySettings(uint8_t *aid);
+int getKeySettings(uint8_t *aid);
 // Ev1 card limits
 #define MAX_NUM_KEYS 0x0F
@@ -28,55 +28,6 @@ void getKeySettings(uint8_t *aid); #define NOT_YET_AUTHENTICATED 0xFF -// status- and error codes | -#define OPERATION_OK 0x00 // Successful operation -#define NO_CHANGES 0x0C // No changes done to backup files -// ,CommitTransaction/ -// AbortTransaction not necessary -#define OUT_OF_EEPROM_ERROR 0x0E // Insufficient NV-Memory to -// complete command -#define ILLEGAL_COMMAND_CODE 0x1C // Command code not supported -#define INTEGRITY_ERROR 0x1E // CRC or MAC does not match data -// Padding bytes not valid -#define NO_SUCH_KEY 0x40 // Invalid key number specified -#define LENGTH_ERROR 0x7E // Length of command string invalid -#define PERMISSION_DENIED 0x9D // Current configuration status -// does not allow the requested -// command -#define PARAMETER_ERROR 0x9E // Value of the parameter(s) inval. -#define APPLICATION_NOT_FOUND 0xA0 // Requested AID not present on PIC -#define APPL_INTEGRITY_ERROR 0xA1 // [1] // Unrecoverable error within app- -// lication, app will be disabled -#define AUTHENTICATION_ERROR 0xAE // Current authentication status -// does not allow the requested -// command -#define ADDITIONAL_FRAME 0xAF // Additional data frame is -// expected to be sent -#define BOUNDARY_ERROR 0xBE // Attempt to read/write data from/ -// to beyond the file's/record's -// limits. Attempt to exceed the -// limits of a value file. 
-#define PICC_INTEGRITY_ERROR 0xC1 // [1] // Unrecoverable error within PICC -// ,PICC will be disabled -#define COMMAND_ABORTED 0xCA // Previous Command was not fully -// completed Not all Frames were -// requested or provided by PCD -#define PICC_DISABLED_ERROR 0xCD // [1] // PICC was disabled by an unrecoverable error -#define COUNT_ERROR 0xCE // Number of Applications limited -// to 28, no additional -// CreateApplication possible -#define DUPLICATE_ERROR 0xDE // Creation of file/application -// failed because file/application -// with same number already exists -#define EEPROM_ERROR 0xEE // [1] // Could not complete NV-write -// operation due to loss of power, -// internal backup/rollback -// mechanism activated -#define FILE_NOT_FOUND_ERROR 0xF0 // Specified file number does not -// exist -#define FILE_INTEGRITY_ERROR 0xF1 // [1] // Unrecoverable error within file, -// file will be disabled -// -// [1] These errors are not expected to appear during normal operation + #endif diff --git a/include/protocols.h b/include/protocols.h index 03953fcc6..357fa9e4d 100644 --- a/include/protocols.h +++ b/include/protocols.h @@ -350,21 +350,18 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. // MIFARE DESFire command set: - #define MFDES_GET_VERSION 0x60 - #define MFDES_AUTHENTICATE 0x0A // AUTHENTICATE_NATIVE #define MFDES_AUTHENTICATE_ISO 0x1A // AUTHENTICATE_STANDARD #define MFDES_AUTHENTICATE_AES 0xAA - +#define MFDES_CREATE_APPLICATION 0xCA +#define MFDES_DELETE_APPLICATION 0xDA #define MFDES_CREDIT 0x0C #define MFDES_LIMITED_CREDIT 0x1C #define MFDES_DEBIT 0xDC - #define MFDES_WRITE_RECORD 0x3B #define MFDES_READSIG 0x3C #define MFDES_WRITE_DATA 0x3D - #define MFDES_GET_KEY_SETTINGS 0x45 #define MFDES_CHANGE_KEY_SETTINGS 0x54 #define MFDES_SELECT_APPLICATION 0x5A 
@@ -376,18 +373,36 @@ ISO 7816-4 Basic interindustry commands. For command APDU's.
 #define MFDES_GET_FREE_MEMORY 0x6E
 #define MFDES_GET_DF_NAMES 0x6D
 #define MFDES_GET_FILE_IDS 0x6F
-
-
-#define MFDES_ABORT_TRANSACTION 0xA7
-#define MFDES_AUTHENTICATION_FRAME 0xAF
-#define MFDES_ADDITIONAL_FRAME 0xAF
-#define MFDES_ADDITIONAL_FRAME_RESP 0x91AF
-#define MFDES_SUCCESS_FRAME_RESP 0x9100
-#define MFDES_EAUTH_RESP 0x91AE
-#define MFDES_ENO_SUCH_KEY_RESP 0x9140
-
 #define MFDES_READ_RECORDS 0xBB
 #define MFDES_READ_DATA 0xBD
+#define MFDES_ABORT_TRANSACTION 0xA7
+
+// MIFARE DESFire status set:
+
+#define MFDES_OPERATION_OK 0x00
+#define MFDES_NO_CHANGES 0x0C
+#define MFDES_ADDITIONAL_FRAME 0xAF
+#define MFDES_E_OUT_OF_EEPROM 0x0E
+#define MFDES_E_ILLEGAL_COMMAND_CODE 0x1C
+#define MFDES_E_INTEGRITY_ERROR 0x1E
+#define MFDES_E_NO_SUCH_KEY 0x40
+#define MFDES_E_LENGTH 0x7E
+#define MFDES_E_PERMISSION_DENIED 0x9D
+#define MFDES_E_PARAMETER_ERROR 0x9E
+#define MFDES_E_APPLICATION_NOT_FOUND 0xA0
+#define MFDES_E_APPL_INTEGRITY 0xA1
+#define MFDES_E_AUTHENTIFICATION_ERROR 0xAE
+#define MFDES_E_BOUNDARY 0xBE
+#define MFDES_E_PICC_INTEGRITY 0xC1
+#define MFDES_E_COMMAND_ABORTED 0xCA
+#define MFDES_E_PICC_DISABLED 0xCD
+#define MFDES_E_COUNT 0xCE
+#define MFDES_E_DUPLICATE 0xDE
+#define MFDES_E_EEPROM 0xEE
+#define MFDES_E_FILE_NOT_FOUND 0xF0
+#define MFDES_E_FILE_INTEGRITY 0xF1
+#define MFDES_SIGNATURE 0x90
+
 #define MFDES_CREATE_CYCLIC_RECORD_FILE 0xC0
 #define MFDES_CREATE_LINEAR_RECORD_FILE 0xC1