From 6a6ec86791ee95eebd43a51163894ba338e8ff7c Mon Sep 17 00:00:00 2001
From: merlokk <807634+merlokk@users.noreply.github.com>
Date: Fri, 16 Jul 2021 20:45:32 +0300
Subject: [PATCH] fix 2tdea/d40 authentication
---
 client/src/cmdhfmfdes.c | 2 +-
 client/src/mifare/desfirecore.c | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c
index 2f3bcf30b..6889465e8 100644
--- a/client/src/cmdhfmfdes.c
+++ b/client/src/cmdhfmfdes.c
@@ -4986,7 +4986,7 @@ static int CmdHF14ADesChangeKey(const char *Cmd) {
 PrintAndLogEx(INFO, _CYAN_("Changing PICC key"));
 PrintAndLogEx(INFO, "auth key %d: %s [%d] %s", dctx.keyNum, CLIGetOptionListStr(DesfireAlgoOpts, dctx.keyType), desfire_get_key_length(dctx.keyType), sprint_hex(dctx.key, desfire_get_key_length(dctx.keyType)));
 PrintAndLogEx(INFO, "changing key number " _YELLOW_("0x%02x") " (%d)", newkeynum, newkeynum);
- PrintAndLogEx(INFO, "old key: %s [%d] %s", CLIGetOptionListStr(DesfireAlgoOpts, newkeytype), desfire_get_key_length(oldkeytype), sprint_hex(oldkey, desfire_get_key_length(oldkeytype)));
+ PrintAndLogEx(INFO, "old key: %s [%d] %s", CLIGetOptionListStr(DesfireAlgoOpts, oldkeytype), desfire_get_key_length(oldkeytype), sprint_hex(oldkey, desfire_get_key_length(oldkeytype)));
 PrintAndLogEx(INFO, "new key: %s [%d] %s", CLIGetOptionListStr(DesfireAlgoOpts, newkeytype), desfire_get_key_length(newkeytype), sprint_hex(newkey, desfire_get_key_length(newkeytype)));
 if (newkeyver < 0x100 || newkeytype == T_AES)
 PrintAndLogEx(INFO, "new key version: 0x%02x", newkeyver & 0x00);
diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c
index 0045ca1b0..8dd599142 100644
--- a/client/src/mifare/desfirecore.c
+++ b/client/src/mifare/desfirecore.c
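Review bot: In the cmdhfmfdes.c hunk (CmdHF14ADesChangeKey), the last context line logs `newkeyver & 0x00`, which is always zero, so the printed key version never reflects the value being written. The commit corrects the neighbouring "old key" line but leaves this one; the mask was presumably meant to be `newkeyver & 0xff`. These INFO lines also print the auth, old and new key bytes through `sprint_hex`, so if PrintAndLogEx output is persisted to a session log, that file holds key material and a short comment saying so would help. The function starts and ends outside the hunk, so whether the value sent to the card is affected cannot be told from here.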
@@ -764,7 +764,15 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel
 des_decrypt(encRndB, rotRndB, key->data);
 memcpy(both + rndlen, encRndB, rndlen);
 } else if (dctx->keyType == T_3DES) {
- //TODO
+ des3_decrypt(encRndA, RndA, key->data, 2);
+ memcpy(both, encRndA, rndlen);
+
+ for (uint32_t x = 0; x < rndlen; x++) {
+ rotRndB[x] = rotRndB[x] ^ encRndA[x];
+ }
+
+ des3_decrypt(encRndB, rotRndB, key->data, 2);
+ memcpy(both + rndlen, encRndB, rndlen);
 }
 } else if (secureChannel == DACEV1 && dctx->keyType != T_AES) {
 if (dctx->keyType == T_DES) {
@@ -857,7 +865,10 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel
 if (secureChannel == DACEV1)
 des_decrypt_cbc(encRndA, encRndA, rndlen, key->data, IV);
 } else if (dctx->keyType == T_3DES)
- tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV, 2);
+ if (secureChannel == DACd40)
+ des3_decrypt(encRndA, encRndA, key->data, 2);
+ else
+ tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV, 2);
 else if (dctx->keyType == T_3K3DES)
 tdes_nxp_receive(encRndA, encRndA, rndlen, key->data, IV, 3);
 else if (dctx->keyType == T_AES) {
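Review bot: The new T_3DES branch in the first desfirecore.c hunk (at -764) has no comment explaining why the decrypt primitive and a hand-written XOR build the PCD response, so the next reader is likely to take `des3_decrypt` plus the loop for a mistake. I would add above the loop something like `// d40 legacy: PCD uses decipher in both directions; chain rotRndB with the previous output block by hand`. The `des3_decrypt` calls take no length, so the branch appears to rely on rndlen being a single DES block; a comment or assert stating that would guard the loop and the two `memcpy` calls against covering more bytes than were produced. The loop also overwrites rotRndB in place, which matters if it is read again later in DesfireAuthenticate, whose body continues outside the hunk.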
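Review bot: In the second desfirecore.c hunk (at -857), the nested `if (secureChannel == DACd40) … else …` is added without braces inside the unbraced `else if (dctx->keyType == T_3DES)`, directly ahead of the `else if (dctx->keyType == T_3K3DES)` arm. It parses as intended only because the inner `if` carries its own `else`; if that inner `else` is ever removed, the T_3K3DES and T_AES arms silently bind to the inner `if`, and this is the kind of construct compilers warn about as an ambiguous else. Brace the arm: open it with `} else if (dctx->keyType == T_3DES) {` and close it with `} else if (dctx->keyType == T_3K3DES)`. The d40 call also decrypts encRndA in place without rndlen or IV, unlike the neighbouring calls, which deserves a one-line comment. The if/else chain starts and ends outside the hunk.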