From b216af9a24fb5691ec47e6e961e0a61a343a16d7 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 12:13:18 -0800 Subject: [PATCH 01/15] Fixed build environment --- client/Makefile | 4 ++-- client/loclass/fileutils.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/client/Makefile b/client/Makefile index 2d52e3dfc..689bba3e1 100644 --- a/client/Makefile +++ b/client/Makefile @@ -13,13 +13,13 @@ CXX=g++ VPATH = ../common OBJDIR = obj -LDLIBS = -L/mingw/lib -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lm -lreadline -lpthread -lcrypto -lgdi32 +LDLIBS = -L/opt/local/lib -L/usr/local/lib ../liblua/liblua.a -lm -lreadline -lpthread -lcrypto LDFLAGS = $(COMMON_FLAGS) CFLAGS = -std=c99 -I. -I../include -I../common -I/mingw/include -I/opt/local/include -I../liblua -Wall $(COMMON_FLAGS) -g -O4 $(ICE_FLAGS) LUAPLATFORM = generic ifneq (,$(findstring MINGW,$(platform))) -CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui -I$(QTDIR)/include/QtWidgets -I/mingw/include +CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui -I$(QTDIR)/include/QtWidgets QTLDLIBS = -L$(QTDIR)/lib -lQt5Core -lQt5Gui -lQt5Widgets MOC = $(QTDIR)/bin/moc LUAPLATFORM = mingw diff --git a/client/loclass/fileutils.c b/client/loclass/fileutils.c index 6d9901718..c8d56ce3d 100644 --- a/client/loclass/fileutils.c +++ b/client/loclass/fileutils.c @@ -49,8 +49,8 @@ * @return */ int fileExists(const char *filename) { - struct _stat fileStat; - int result = _stat(filename, &fileStat); + struct stat st; + int result = stat(filename, &st); return result == 0; } From de9b66bc361b638b54c99eaec3d21dad9b04438d Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 12:15:04 -0800 Subject: [PATCH 02/15] Added file demonstrating a singleDES AUTH operation using 'hf 14a raw' command --- client/loclass/blaine.c | 165 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 165 insertions(+) create mode 100644 client/loclass/blaine.c diff --git a/client/loclass/blaine.c b/client/loclass/blaine.c new file mode 100644 index 000000000..9f642fa9f --- /dev/null +++ b/client/loclass/blaine.c @@ -0,0 +1,165 @@ +#include +#include +#include "des.h" + +int main(int argc, const char* argv[]) { + des_context ctx; + + unsigned char key[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + printf("Key: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", key[i]); + } + printf("\n\n"); + + // This is the challange sent from PICC + unsigned char ek0RandB[8] = {0x4f, 0xb1, 0xed, 0x2e, 0x11, 0x37, 0xd5, 0x1a}; + + if (argc == 8 + 1) { + for (int i = 0 + 1; i < 8 + 1; i++) { + ek0RandB[i - 1] = strtol(argv[i], NULL, 16); + } + } + + printf("ek0RandB (Challange): "); + for (int i = 0; i < 8; i++) { + printf("%02x ", ek0RandB[i]); + } + printf("\n\n"); + + unsigned char RandB[8]; + unsigned char RandBP[8]; + unsigned char ek0RandBP[8]; + + // TODO: Make this randomly generated + unsigned char RandA[8] = {0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + unsigned char ek0RandA[8]; + + unsigned char sessionKey[8]; + + des_setkey_dec(&ctx, key); + + //Decrypt RandB from PICC + des_crypt_ecb(&ctx, ek0RandB, RandB); + + printf("RandB: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", RandB[i]); + } + printf("\n"); + + //Shift RandB left by 8 bits to produce RandB’ + for (int x = 0; x < 7; x++) { + RandBP[x] = RandB[x + 1]; + } + RandBP[7] = RandB[0]; + + printf("RandB’: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", RandBP[i]); + } + printf("\n"); + + //Print RandA + printf("RandA: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", RandA[i]); + } + printf("\n\n"); + + //Encrypt RandA into ek0RandA + des_crypt_ecb(&ctx, RandA, ek0RandA); + + printf("ek0RandA: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", ek0RandA[i]); + } + printf("\n"); + + //Encrypt ( ek0RandA XOR RandB' ) for CBC Mode chaining + for (int i = 0; i < 8; i++) { + ek0RandBP[i] = RandBP[i] ^ ek0RandA[i]; + } + + des_crypt_ecb(&ctx, ek0RandBP, ek0RandBP); + + printf("ek0(RandB' XOR ek0RandA): "); + for (int i = 0; i < 8; i++) { + printf("%02x ", ek0RandBP[i]); + } + printf("\n\n"); + + //Varibles used in checking for proper reply from PICC + unsigned char RandAP[8]; + unsigned char ek0RandAP[8]; + + //Shift RandA left by 8 bits to produce RandA’ + for (int x = 0; x < 7; x++) { + RandAP[x] = RandA[x + 1]; + } + RandAP[7] = RandA[0]; + + //Encrypt RandA' to check PICC's response. + des_crypt_ecb(&ctx, RandAP, ek0RandAP); + + printf("ek0RandA' (Expected reply): "); + for (int i = 0; i < 8; i++) { + printf("%02x ", ek0RandAP[i]); + } + printf("\n"); + + //Create session key + sessionKey[0] = RandA[0]; + sessionKey[1] = RandA[1]; + sessionKey[2] = RandA[2]; + sessionKey[3] = RandA[3]; + sessionKey[4] = RandB[0]; + sessionKey[5] = RandB[1]; + sessionKey[6] = RandB[2]; + sessionKey[7] = RandB[3]; + + printf("Session Key: "); + for (int i = 0; i < 8; i++) { + printf("%02x ", sessionKey[i]); + } + printf("\n"); + + return 1; +} + +/* + Recorded Activity + + Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer + All times are in carrier periods (1/13.56Mhz) + + Start | End | Src | Data + -----------|-----------|-----|-------- + 0 | 992 | Rdr | 52 + 2228 | 4596 | Tag | 44 03 + 1836032 | 1838496 | Rdr | 93 20 + 1839668 | 1845492 | Tag | 88 04 6e 22 c0 + 3806976 | 3817440 | Rdr | 93 70 88 04 6e 22 c0 dc b8 + 3818676 | 3822196 | Tag | 24 d8 36 + 5815808 | 5818272 | Rdr | 95 20 + 5819444 | 5825268 | Tag | 72 63 34 80 a5 + 7757824 | 7768288 | Rdr | 95 70 72 63 34 80 a5 a7 a5 + 7769524 | 7773108 | Tag | 20 fc 70 + 9715072 | 9719840 | Rdr | e0 80 31 73 + 9721012 | 9730292 | Tag | 06 75 77 81 02 80 02 f0 + 12074624 | 12080480 | Rdr | 02 0a 00 dc ed + 12111924 | 12125812 | Tag | 02 af 4f b1 ed 2e 11 37 d5 1a bf 55 + 229214720 | 229237856 | Rdr | 03 af f3 56 83 43 79 d1 65 cd 6c 6d 17 e8 14 6e 52 eb 6d 2b + 229268916 | 229282804 | Tag | 03 00 0d 9f 27 9b a5 d8 72 60 f3 6f +*/ + +/* + hf 14a raw -p -a -b 7 52 + hf 14a raw -p 93 20 + hf 14a raw -p -c 93 70 88 04 6e 22 c0 + hf 14a raw -p 95 20 + hf 14a raw -p -c 95 70 72 63 34 80 a5 + hf 14a raw -p e0 80 31 73 + hf 14a raw -p -c 02 0a 00 + hf 14a raw -p -c 03 af ... +*/ \ No newline at end of file From b6f41bfdfefaf5619853d8fb26e8e3c3dc425ad0 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 12:15:45 -0800 Subject: [PATCH 03/15] Successfully decrypted RandB from PICC challenge --- armsrc/mifaredesfire.c | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 60c941ebd..fef3e6913 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -1,4 +1,5 @@ #include "mifaredesfire.h" +#include "des.h" #define MAX_APPLICATION_COUNT 28 #define MAX_FILE_COUNT 16 @@ -186,7 +187,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain int len = 0; //uint8_t PICC_MASTER_KEY8[8] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47}; uint8_t PICC_MASTER_KEY16[16] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f }; - //uint8_t null_key_data8[8] = {0x00}; + uint8_t null_key_data8[8] = {0x00}; //uint8_t null_key_data16[16] = {0x00}; //uint8_t new_key_data8[8] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77}; //uint8_t new_key_data16[16] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF}; @@ -216,10 +217,31 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain // des, nyckel 0, switch (mode){ - case 1: - // if ( SendDesfireCommand(AUTHENTICATE, &keyno, resp) > 0 ){ - // // fick nonce från kortet - // } + case 1:{ + uint8_t keybytes[8]; + if (datain[1] == 0xff){ + memcpy(keybytes,null_key_data8,8); + } else{ + memcpy(keybytes, datain+1, datalen); + } + + cmd[0] = AUTHENTICATE; + cmd[1] = 0x00; //keynumber + len = DesfireAPDU(cmd, 2, resp); + if ( !len ) { + if (MF_DBGLEVEL >= 1) { + DbpString("Authentication failed. Card timeout."); + } + OnError(); + return; + } + + memcpy( encRndB, resp+3, 8); + + des_dec(&decRndB, &encRndB, &keybytes); + Dbprintf("RandB: %02x%02x%02x%02x%02x%02x%02x%02x",decRndB[0],decRndB[1],decRndB[2],decRndB[3],decRndB[4],decRndB[5],decRndB[6],decRndB[7]); + + } break; case 2: //SendDesfireCommand(AUTHENTICATE_ISO, &keyno, resp); From 0127902ee6bf5b7e7611a0d6daba4c136cd1caa0 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 19:36:19 -0800 Subject: [PATCH 04/15] Calculates response to PICC challenge --- armsrc/mifaredesfire.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index fef3e6913..b1a6b3fb5 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -239,7 +239,30 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain memcpy( encRndB, resp+3, 8); des_dec(&decRndB, &encRndB, &keybytes); - Dbprintf("RandB: %02x%02x%02x%02x%02x%02x%02x%02x",decRndB[0],decRndB[1],decRndB[2],decRndB[3],decRndB[4],decRndB[5],decRndB[6],decRndB[7]); + Dbprintf("RndB: %02x%02x%02x%02x%02x%02x%02x%02x",decRndB[0],decRndB[1],decRndB[2],decRndB[3],decRndB[4],decRndB[5],decRndB[6],decRndB[7]); + rol(decRndB,8); + Dbprintf("RndB': %02x%02x%02x%02x%02x%02x%02x%02x",decRndB[0],decRndB[1],decRndB[2],decRndB[3],decRndB[4],decRndB[5],decRndB[6],decRndB[7]); + + uint8_t decRndA[8] = {0x00}; + uint8_t encRndA[8] = {0x00}; + + des_dec(&encRndA, &decRndA, &keybytes); + Dbprintf("RndA: %02x%02x%02x%02x%02x%02x%02x%02x",decRndA[0],decRndA[1],decRndA[2],decRndA[3],decRndA[4],decRndA[5],decRndA[6],decRndA[7]); + Dbprintf("ek0RandA: %02x%02x%02x%02x%02x%02x%02x%02x",encRndA[0],encRndA[1],encRndA[2],encRndA[3],encRndA[4],encRndA[5],encRndA[6],encRndA[7]); + + memcpy(both, encRndA, 8); + + for (int x = 0; x < 8; x++) { + decRndB[x] = decRndB[x] ^ encRndA[x]; + + } + + des_dec(&encRndB, &decRndB, &keybytes); + + memcpy(both + 8, encRndB, 8); + Dbprintf("both: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",both[0],both[1],both[2],both[3],both[4],both[5],both[6],both[7],both[8],both[9],both[10],both[11],both[12],both[13],both[14],both[15]); + + // TODO: Send response } break; From 1051dee04a1cdba922e7a91acadfb7b44d244e7e Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 19:44:32 -0800 Subject: [PATCH 05/15] Challenge is now sent to PICC --- armsrc/mifaredesfire.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index b1a6b3fb5..c56d8bc06 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -262,7 +262,19 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain memcpy(both + 8, encRndB, 8); Dbprintf("both: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",both[0],both[1],both[2],both[3],both[4],both[5],both[6],both[7],both[8],both[9],both[10],both[11],both[12],both[13],both[14],both[15]); - // TODO: Send response + cmd[0] = ADDITIONAL_FRAME; + memcpy(cmd+1, both, 16 ); + + len = DesfireAPDU(cmd, 17, resp); + if ( !len ) { + if (MF_DBGLEVEL >= 1) { + DbpString("Authentication failed. Card timeout."); + } + OnError(); + return; + } + + // TODO: Check returned RandA' } break; From a07a448220f85c4e27a9b50f412d376474ea4f69 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 20:38:25 -0800 Subject: [PATCH 06/15] Removed unneeded verbosity and checked for a 0x00 response from PICC after challenge response --- armsrc/mifaredesfire.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index c56d8bc06..66fe00bdd 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -239,16 +239,12 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain memcpy( encRndB, resp+3, 8); des_dec(&decRndB, &encRndB, &keybytes); - Dbprintf("RndB: %02x%02x%02x%02x%02x%02x%02x%02x",decRndB[0],decRndB[1],decRndB[2],decRndB[3],decRndB[4],decRndB[5],decRndB[6],decRndB[7]); rol(decRndB,8); - Dbprintf("RndB': %02x%02x%02x%02x%02x%02x%02x%02x",decRndB[0],decRndB[1],decRndB[2],decRndB[3],decRndB[4],decRndB[5],decRndB[6],decRndB[7]); uint8_t decRndA[8] = {0x00}; uint8_t encRndA[8] = {0x00}; des_dec(&encRndA, &decRndA, &keybytes); - Dbprintf("RndA: %02x%02x%02x%02x%02x%02x%02x%02x",decRndA[0],decRndA[1],decRndA[2],decRndA[3],decRndA[4],decRndA[5],decRndA[6],decRndA[7]); - Dbprintf("ek0RandA: %02x%02x%02x%02x%02x%02x%02x%02x",encRndA[0],encRndA[1],encRndA[2],encRndA[3],encRndA[4],encRndA[5],encRndA[6],encRndA[7]); memcpy(both, encRndA, 8); @@ -260,7 +256,6 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain des_dec(&encRndB, &decRndB, &keybytes); memcpy(both + 8, encRndB, 8); - Dbprintf("both: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",both[0],both[1],both[2],both[3],both[4],both[5],both[6],both[7],both[8],both[9],both[10],both[11],both[12],both[13],both[14],both[15]); cmd[0] = ADDITIONAL_FRAME; memcpy(cmd+1, both, 16 ); @@ -274,7 +269,15 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain return; } - // TODO: Check returned RandA' + if ( resp[2] == 0x00 ){ + // TODO: Create session key. + } else { + DbpString("Authetication failed."); + OnError(); + return; + } + + // TOD: Optionally, confirm ek0RndA' = RndA' to varify PICC } break; From 65348213652320c30ff5dce04374ac58c86b9acc Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Fri, 19 Dec 2014 21:37:06 -0800 Subject: [PATCH 07/15] Accept key number from command line --- armsrc/mifaredesfire.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 66fe00bdd..d46d29317 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -226,7 +226,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } cmd[0] = AUTHENTICATE; - cmd[1] = 0x00; //keynumber + cmd[1] = keyno; //keynumber len = DesfireAPDU(cmd, 2, resp); if ( !len ) { if (MF_DBGLEVEL >= 1) { @@ -236,6 +236,13 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain return; } + if ( resp[2] == 0xaf ){ + } else { + DbpString("Authetication failed. Invalid key number."); + OnError(); + return; + } + memcpy( encRndB, resp+3, 8); des_dec(&decRndB, &encRndB, &keybytes); @@ -277,7 +284,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain return; } - // TOD: Optionally, confirm ek0RndA' = RndA' to varify PICC + // TODO: Optionally, confirm ek0RndA' = RndA' to varify PICC } break; From 085b0e2ea97ae0a8427cce867428b32c79d40f9d Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sat, 20 Dec 2014 00:10:59 -0800 Subject: [PATCH 08/15] Create session key --- armsrc/mifaredesfire.c | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index d46d29317..85e317514 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -219,12 +219,19 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain switch (mode){ case 1:{ uint8_t keybytes[8]; + uint8_t RndA[8] = {0x00}; + uint8_t RndB[8] = {0x00}; + if (datain[1] == 0xff){ memcpy(keybytes,null_key_data8,8); } else{ memcpy(keybytes, datain+1, datalen); } + struct desfire_key defaultkey = {0}; + desfirekey_t key = &defaultkey; + Desfire_des_key_new(keybytes, key); + cmd[0] = AUTHENTICATE; cmd[1] = keyno; //keynumber len = DesfireAPDU(cmd, 2, resp); @@ -245,13 +252,15 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain memcpy( encRndB, resp+3, 8); - des_dec(&decRndB, &encRndB, &keybytes); + des_dec(&decRndB, &encRndB, key->data); + memcpy(RndB, decRndB, 8); rol(decRndB,8); uint8_t decRndA[8] = {0x00}; + memcpy(RndA, decRndA, 8); uint8_t encRndA[8] = {0x00}; - des_dec(&encRndA, &decRndA, &keybytes); + des_dec(&encRndA, &decRndA, key->data); memcpy(both, encRndA, 8); @@ -260,7 +269,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } - des_dec(&encRndB, &decRndB, &keybytes); + des_dec(&encRndB, &decRndB, key->data); memcpy(both + 8, encRndB, 8); @@ -277,14 +286,29 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } if ( resp[2] == 0x00 ){ - // TODO: Create session key. + + struct desfire_key sessionKey = {0}; + desfirekey_t skey = &sessionKey; + Desfire_session_key_new( RndA, RndB , key, skey ); + print_result("SESSION : ", skey->data, 8); + } else { DbpString("Authetication failed."); OnError(); return; } - // TODO: Optionally, confirm ek0RndA' = RndA' to varify PICC + memcpy(encRndA, resp+3, 8); + des_dec(&encRndA, &encRndA, key->data); + rol(decRndA,8); + for (int x = 0; x < 8; x++) { + if (decRndA[x] != encRndA[x]) { + DbpString("Authetication failed. Cannot varify PICC."); + OnError(); + return; + } + } + } break; From 3c05723ee224b72138884c150b78c4c45ae841ba Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sat, 20 Dec 2014 17:18:26 -0800 Subject: [PATCH 09/15] Limit to single-DES operation and return session key to client. --- armsrc/mifaredesfire.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 85e317514..42ae48cac 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -218,6 +218,8 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain // des, nyckel 0, switch (mode){ case 1:{ + if (algo == 1) { + uint8_t keybytes[8]; uint8_t RndA[8] = {0x00}; uint8_t RndB[8] = {0x00}; @@ -256,6 +258,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain memcpy(RndB, decRndB, 8); rol(decRndB,8); + // This should be random uint8_t decRndA[8] = {0x00}; memcpy(RndA, decRndA, 8); uint8_t encRndA[8] = {0x00}; @@ -290,7 +293,8 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain struct desfire_key sessionKey = {0}; desfirekey_t skey = &sessionKey; Desfire_session_key_new( RndA, RndB , key, skey ); - print_result("SESSION : ", skey->data, 8); + //print_result("SESSION : ", skey->data, 8); + cmd_send(CMD_ACK,1,0,0,skey->data,8); } else { DbpString("Authetication failed."); @@ -310,6 +314,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } + } } break; case 2: From 6a1aa12df0e5ed2f49b7b5810734b3b391cf8fc5 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sat, 20 Dec 2014 19:15:48 -0800 Subject: [PATCH 10/15] Called the OnSuccess() method for whatever reason that's there. --- armsrc/mifaredesfire.c | 1 + 1 file changed, 1 insertion(+) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 42ae48cac..0a3fdc349 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -294,6 +294,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain desfirekey_t skey = &sessionKey; Desfire_session_key_new( RndA, RndB , key, skey ); //print_result("SESSION : ", skey->data, 8); + OnSuccess(); cmd_send(CMD_ACK,1,0,0,skey->data,8); } else { From 06732632308cb40fba0cde7ad87bf455a2d42e50 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sat, 20 Dec 2014 19:25:31 -0800 Subject: [PATCH 11/15] code to check RndA' from PICC was unreachable --- armsrc/mifaredesfire.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 0a3fdc349..e5a2289b2 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -294,6 +294,18 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain desfirekey_t skey = &sessionKey; Desfire_session_key_new( RndA, RndB , key, skey ); //print_result("SESSION : ", skey->data, 8); + + memcpy(encRndA, resp+3, 8); + des_dec(&encRndA, &encRndA, key->data); + rol(decRndA,8); + for (int x = 0; x < 8; x++) { + if (decRndA[x] != encRndA[x]) { + DbpString("Authetication failed. Cannot varify PICC."); + OnError(); + return; + } + } + OnSuccess(); cmd_send(CMD_ACK,1,0,0,skey->data,8); @@ -303,18 +315,6 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain return; } - memcpy(encRndA, resp+3, 8); - des_dec(&encRndA, &encRndA, key->data); - rol(decRndA,8); - for (int x = 0; x < 8; x++) { - if (decRndA[x] != encRndA[x]) { - DbpString("Authetication failed. Cannot varify PICC."); - OnError(); - return; - } - } - - } } break; From 4e2e4bcf9b4399d8de4e7291298a9be5b0f9ef5d Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sun, 21 Dec 2014 22:59:24 -0800 Subject: [PATCH 12/15] Tested by changing the master key from the default to a custom value --- armsrc/mifaredesfire.c | 46 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index e5a2289b2..132629912 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -306,6 +306,52 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } } + /* + //Change the selected key to a new value. + + cmd[0] = 0xc4; + cmd[1] = keyno; + + uint8_t first,second; + + uint8_t newKey[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77}; + + uint8_t buff1[8] = {0x00}; + uint8_t buff2[8] = {0x00}; + uint8_t buff3[8] = {0x00}; + + memcpy(buff1,newKey, 8); + memcpy(buff2,newKey + 8, 8); + + ComputeCrc14443(CRC_14443_A, newKey, 16, &first, &second); + + memcpy(buff3, &first, 1); + memcpy(buff3 + 1, &second, 1); + + des_dec(&buff1, &buff1, skey->data); + + for (int x = 0; x < 8; x++) { + buff2[x] = buff2[x] ^ buff1[x]; + } + des_dec(&buff2, &buff2, skey->data); + + for (int x = 0; x < 8; x++) { + buff3[x] = buff3[x] ^ buff2[x]; + } + des_dec(&buff3, &buff3, skey->data); + + memcpy(cmd+2,buff1,8); + memcpy(cmd+10,buff2,8); + memcpy(cmd+18,buff3,8); + + // The command always times out on the first attempt, this will retry until a response + // is recieved. + len = 0; + while(!len) { + len = DesfireAPDU(cmd,26,resp); + } + */ + OnSuccess(); cmd_send(CMD_ACK,1,0,0,skey->data,8); From f56bd0174ab251eee0363be50dea0f2f18f33a03 Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sun, 21 Dec 2014 23:41:15 -0800 Subject: [PATCH 13/15] Remove unrelated file --- client/loclass/blaine.c | 165 ---------------------------------------- 1 file changed, 165 deletions(-) delete mode 100644 client/loclass/blaine.c diff --git a/client/loclass/blaine.c b/client/loclass/blaine.c deleted file mode 100644 index 9f642fa9f..000000000 --- a/client/loclass/blaine.c +++ /dev/null @@ -1,165 +0,0 @@ -#include -#include -#include "des.h" - -int main(int argc, const char* argv[]) { - des_context ctx; - - unsigned char key[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; - printf("Key: "); - for (int i = 0; i < 8; i++) { - printf("%02x ", key[i]); - } - printf("\n\n"); - - // This is the challange sent from PICC - unsigned char ek0RandB[8] = {0x4f, 0xb1, 0xed, 0x2e, 0x11, 0x37, 0xd5, 0x1a}; - - if (argc == 8 + 1) { - for (int i = 0 + 1; i < 8 + 1; i++) { - ek0RandB[i - 1] = strtol(argv[i], NULL, 16); - } - } - - printf("ek0RandB (Challange): "); - for (int i = 0; i < 8; i++) { - printf("%02x ", ek0RandB[i]); - } - printf("\n\n"); - - unsigned char RandB[8]; - unsigned char RandBP[8]; - unsigned char ek0RandBP[8]; - - // TODO: Make this randomly generated - unsigned char RandA[8] = {0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; - unsigned char ek0RandA[8]; - - unsigned char sessionKey[8]; - - des_setkey_dec(&ctx, key); - - //Decrypt RandB from PICC - des_crypt_ecb(&ctx, ek0RandB, RandB); - - printf("RandB: "); - for (int i = 0; i < 8; i++) { - printf("%02x ", RandB[i]); - } - printf("\n"); - - //Shift RandB left by 8 bits to produce RandB’ - for (int x = 0; x < 7; x++) { - RandBP[x] = RandB[x + 1]; - } - RandBP[7] = RandB[0]; - - printf("RandB’: "); - for (int i = 0; i < 8; i++) { - printf("%02x ", RandBP[i]); - } - printf("\n"); - - //Print RandA - printf("RandA: "); - for (int i = 0; i < 8; i++) { - printf("%02x ", RandA[i]); - } - printf("\n\n"); - - //Encrypt RandA into ek0RandA - des_crypt_ecb(&ctx, RandA, ek0RandA); - - printf("ek0RandA: "); - for (int i = 0; i < 8; i++) { - printf("%02x ", ek0RandA[i]); - } - printf("\n"); - - //Encrypt ( ek0RandA XOR RandB' ) for CBC Mode chaining - for (int i = 0; i < 8; i++) { - ek0RandBP[i] = RandBP[i] ^ ek0RandA[i]; - } - - des_crypt_ecb(&ctx, ek0RandBP, ek0RandBP); - - printf("ek0(RandB' XOR ek0RandA): "); - for (int i = 0; i < 8; i++) { - printf("%02x ", ek0RandBP[i]); - } - printf("\n\n"); - - //Varibles used in checking for proper reply from PICC - unsigned char RandAP[8]; - unsigned char ek0RandAP[8]; - - //Shift RandA left by 8 bits to produce RandA’ - for (int x = 0; x < 7; x++) { - RandAP[x] = RandA[x + 1]; - } - RandAP[7] = RandA[0]; - - //Encrypt RandA' to check PICC's response. - des_crypt_ecb(&ctx, RandAP, ek0RandAP); - - printf("ek0RandA' (Expected reply): "); - for (int i = 0; i < 8; i++) { - printf("%02x ", ek0RandAP[i]); - } - printf("\n"); - - //Create session key - sessionKey[0] = RandA[0]; - sessionKey[1] = RandA[1]; - sessionKey[2] = RandA[2]; - sessionKey[3] = RandA[3]; - sessionKey[4] = RandB[0]; - sessionKey[5] = RandB[1]; - sessionKey[6] = RandB[2]; - sessionKey[7] = RandB[3]; - - printf("Session Key: "); - for (int i = 0; i < 8; i++) { - printf("%02x ", sessionKey[i]); - } - printf("\n"); - - return 1; -} - -/* - Recorded Activity - - Start = Start of Start Bit, End = End of last modulation. Src = Source of Transfer - All times are in carrier periods (1/13.56Mhz) - - Start | End | Src | Data - -----------|-----------|-----|-------- - 0 | 992 | Rdr | 52 - 2228 | 4596 | Tag | 44 03 - 1836032 | 1838496 | Rdr | 93 20 - 1839668 | 1845492 | Tag | 88 04 6e 22 c0 - 3806976 | 3817440 | Rdr | 93 70 88 04 6e 22 c0 dc b8 - 3818676 | 3822196 | Tag | 24 d8 36 - 5815808 | 5818272 | Rdr | 95 20 - 5819444 | 5825268 | Tag | 72 63 34 80 a5 - 7757824 | 7768288 | Rdr | 95 70 72 63 34 80 a5 a7 a5 - 7769524 | 7773108 | Tag | 20 fc 70 - 9715072 | 9719840 | Rdr | e0 80 31 73 - 9721012 | 9730292 | Tag | 06 75 77 81 02 80 02 f0 - 12074624 | 12080480 | Rdr | 02 0a 00 dc ed - 12111924 | 12125812 | Tag | 02 af 4f b1 ed 2e 11 37 d5 1a bf 55 - 229214720 | 229237856 | Rdr | 03 af f3 56 83 43 79 d1 65 cd 6c 6d 17 e8 14 6e 52 eb 6d 2b - 229268916 | 229282804 | Tag | 03 00 0d 9f 27 9b a5 d8 72 60 f3 6f -*/ - -/* - hf 14a raw -p -a -b 7 52 - hf 14a raw -p 93 20 - hf 14a raw -p -c 93 70 88 04 6e 22 c0 - hf 14a raw -p 95 20 - hf 14a raw -p -c 95 70 72 63 34 80 a5 - hf 14a raw -p e0 80 31 73 - hf 14a raw -p -c 02 0a 00 - hf 14a raw -p -c 03 af ... -*/ \ No newline at end of file From 46e14b0f960dcd84fc41df32c74fb3fd89c0ac5c Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Sun, 21 Dec 2014 23:54:29 -0800 Subject: [PATCH 14/15] Minor formatting change --- armsrc/mifaredesfire.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 132629912..b7c1bc5b1 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -306,16 +306,15 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } } - /* //Change the selected key to a new value. - + /* + cmd[0] = 0xc4; cmd[1] = keyno; - uint8_t first,second; - uint8_t newKey[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77}; + uint8_t first, second; uint8_t buff1[8] = {0x00}; uint8_t buff2[8] = {0x00}; uint8_t buff3[8] = {0x00}; @@ -324,24 +323,22 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain memcpy(buff2,newKey + 8, 8); ComputeCrc14443(CRC_14443_A, newKey, 16, &first, &second); - memcpy(buff3, &first, 1); memcpy(buff3 + 1, &second, 1); des_dec(&buff1, &buff1, skey->data); + memcpy(cmd+2,buff1,8); for (int x = 0; x < 8; x++) { buff2[x] = buff2[x] ^ buff1[x]; } des_dec(&buff2, &buff2, skey->data); + memcpy(cmd+10,buff2,8); for (int x = 0; x < 8; x++) { buff3[x] = buff3[x] ^ buff2[x]; } des_dec(&buff3, &buff3, skey->data); - - memcpy(cmd+2,buff1,8); - memcpy(cmd+10,buff2,8); memcpy(cmd+18,buff3,8); // The command always times out on the first attempt, this will retry until a response From 082789c4dff22a567fb81db6faf28ec6dd4a79ae Mon Sep 17 00:00:00 2001 From: Blaine Forbort Date: Mon, 22 Dec 2014 00:21:20 -0800 Subject: [PATCH 15/15] Using defined command code --- armsrc/mifaredesfire.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index b7c1bc5b1..acb16c05b 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -309,7 +309,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain //Change the selected key to a new value. /* - cmd[0] = 0xc4; + cmd[0] = CHANGE_KEY; cmd[1] = keyno; uint8_t newKey[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77};