diff --git a/CHANGELOG.md b/CHANGELOG.md index 0f15617c0..946b7c541 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,13 +3,8 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] - - Updated 'legic.lua' and 'legic_clone.lua' script - works with current command set (@Pizza_4u) - - Rewrote `hf mfdes` functions and added apdu debugging (@bkerler) - - Add Mifare Desfire GetDFNames and improve HF MFDES Enum output (@bkerler) - - Fix Mifare Desfire select appid handling (@bkerler) - - Improved `hf 14a info` - card detection handling (@bkerler) - Updated helptext layout in all luascripts (@iceman1001) - - Change `hf mfdes info` - output and logging (@bkerler) + - Change `hf mfdes info` - output and logging (@brkeler) - Updated texts in legic commands (@ikarus23) - Fix timing bug inside 40x5 (@mwalker33) - Refactored all Hitag2 attacks (@doegox) diff --git a/armsrc/desfire.h b/armsrc/desfire.h index e753106e7..5fa7e8d48 100644 --- a/armsrc/desfire.h +++ b/armsrc/desfire.h @@ -150,7 +150,6 @@ enum DESFIRE_CMD { GET_FREE_MEMORY = 0x6e, GET_FILE_IDS = 0x6f, GET_FILE_SETTINGS = 0xf5, - GET_DF_NAMES = 0x6d, CHANGE_FILE_SETTINGS = 0x5f, CREATE_STD_DATA_FILE = 0xcd, CREATE_BACKUP_DATA_FILE = 0xcb, diff --git a/armsrc/epa.c b/armsrc/epa.c index 3a44502ba..f535b89a3 100644 --- a/armsrc/epa.c +++ b/armsrc/epa.c @@ -263,7 +263,7 @@ static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return) { EPA_Finish(); // send the USB packet - reply_mix(CMD_ACK, step, func_return, 0, 0, 0); + reply_old(CMD_ACK, step, func_return, 0, 0, 0); } //----------------------------------------------------------------------------- 
@@ -280,8 +280,12 @@ void EPA_PACE_Collect_Nonce(PacketCommandNG *c) { * d: * Encrypted nonce */ + + // return value of a function + int func_return = 0; + // set up communication - int func_return = EPA_Setup(); + func_return = EPA_Setup(); if (func_return != 0) { EPA_PACE_Collect_Nonce_Abort(1, func_return); return; @@ -331,7 +335,7 @@ void EPA_PACE_Collect_Nonce(PacketCommandNG *c) { EPA_Finish(); // save received information - reply_mix(CMD_ACK, 0, func_return, 0, nonce, func_return); + reply_old(CMD_ACK, 0, func_return, 0, nonce, func_return); } //----------------------------------------------------------------------------- @@ -443,7 +447,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) { if (c->oldarg[0] != 0) { // make sure it's not too big if (c->oldarg[2] > apdus_replay[c->oldarg[0] - 1].len) { - reply_mix(CMD_ACK, 1, 0, 0, NULL, 0); + reply_old(CMD_ACK, 1, 0, 0, NULL, 0); } memcpy(apdus_replay[c->oldarg[0] - 1].data + c->oldarg[1], c->data.asBytes, @@ -454,7 +458,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) { } else { apdu_lengths_replay[c->oldarg[0] - 1] += c->oldarg[2]; } - reply_mix(CMD_ACK, 0, 0, 0, NULL, 0); + reply_old(CMD_ACK, 0, 0, 0, NULL, 0); return; } @@ -465,7 +469,7 @@ void EPA_PACE_Replay(PacketCommandNG *c) { func_return = EPA_Setup(); if (func_return != 0) { EPA_Finish(); - reply_mix(CMD_ACK, 2, func_return, 0, NULL, 0); + reply_old(CMD_ACK, 2, func_return, 0, NULL, 0); return; } @@ -488,12 +492,12 @@ void EPA_PACE_Replay(PacketCommandNG *c) { || response_apdu[func_return - 4] != 0x90 || response_apdu[func_return - 3] != 0x00)) { EPA_Finish(); - reply_mix(CMD_ACK, 3 + i, func_return, 0, timings, 20); + reply_old(CMD_ACK, 3 + i, func_return, 0, timings, 20); return; } } EPA_Finish(); - reply_mix(CMD_ACK, 0, 0, 0, timings, 20); + reply_old(CMD_ACK, 0, 0, 0, timings, 20); return; } 
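Review bot: In EPA_PACE_Replay (hunk @@ -443) the size check `if (c->oldarg[2] > apdus_replay[c->oldarg[0] - 1].len)` sends an error reply but does not return, so the `memcpy` on the next line still runs with the length that was just rejected. Add `return;` after `reply_old(CMD_ACK, 1, 0, 0, NULL, 0);`. The check also leaves out the write offset `c->oldarg[1]`, and no upper bound on `c->oldarg[0]` is visible before it indexes `apdus_replay`. Both values arrive in the host packet, so the guard should compare offset plus length against the destination size and range-check the index. The function body starts and ends outside this hunk.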
@@ -502,13 +506,14 @@ void EPA_PACE_Replay(PacketCommandNG *c) { // Returns 0 on success or a non-zero error code on failure //----------------------------------------------------------------------------- int EPA_Setup() { + uint8_t uid[10]; + iso14a_card_select_t card_a_info; // first, look for type A cards // power up the field iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD); - iso14a_card_select_t card_a_info; - int return_code = iso14443a_select_card(NULL, &card_a_info, NULL, true, 0, false); - + // select the card + int return_code = iso14443a_select_card(uid, &card_a_info, NULL, true, 0, false); if (return_code == 1) { uint8_t pps_response[3]; uint8_t pps_response_par[1]; @@ -523,14 +528,12 @@ int EPA_Setup() { return 0; } - FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); - // if we're here, there is no type A card, so we look for type B // power up the field iso14443b_setup(); iso14b_card_select_t card_b_info; + // select the card return_code = iso14443b_select_card(&card_b_info); - if (return_code == 0) { Dbprintf("ISO 14443 Type B"); iso_type = 'b'; diff --git a/armsrc/felica.c b/armsrc/felica.c index 2cb23b48c..b1e0253a2 100644 --- a/armsrc/felica.c +++ b/armsrc/felica.c @@ -621,7 +621,7 @@ void felica_sniff(uint32_t samplesToSkip, uint32_t triggersToSkip) { set_tracelen(BigBuf_max_traceLen()); Dbprintf("Felica sniffing done, tracelen: %i, use hf list felica for annotations", BigBuf_get_traceLen()); - reply_mix(CMD_ACK, 1, numbts, 0, 0, 0); + reply_old(CMD_ACK, 1, numbts, 0, 0, 0); LED_D_OFF(); } @@ -812,5 +812,5 @@ void felica_dump_lite_s() { //setting tracelen - important! it was set by buffer overflow before set_tracelen(cnt); - reply_mix(CMD_ACK, isOK, cnt, 0, 0, 0); + reply_old(CMD_ACK, isOK, cnt, 0, 0, 0); } diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c index 4268e82e5..78009496e 100644 --- a/armsrc/hitagS.c +++ b/armsrc/hitagS.c 
@@ -1407,7 +1407,7 @@ void ReadHitagS(hitag_function htf, hitag_data *htd) { set_tracing(false); lf_finalize(); - reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0); + reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); } /* @@ -1624,7 +1624,7 @@ void WritePageHitagS(hitag_function htf, hitag_data *htd, int page) { lf_finalize(); - reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0); + reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); } /* @@ -1860,5 +1860,5 @@ void check_challenges(bool file_given, uint8_t *data) { set_tracing(false); lf_finalize(); - reply_mix(CMD_ACK, bSuccessful, 0, 0, 0, 0); + reply_old(CMD_ACK, bSuccessful, 0, 0, 0, 0); } diff --git a/armsrc/legicrf.c b/armsrc/legicrf.c index b411efcaf..35b638298 100644 --- a/armsrc/legicrf.c +++ b/armsrc/legicrf.c @@ -438,7 +438,7 @@ void LegicRfInfo(void) { } // OK - reply_mix(CMD_ACK, 1, 0, 0, (uint8_t *)&card, sizeof(legic_card_select_t)); + reply_old(CMD_ACK, 1, 0, 0, (uint8_t *)&card, sizeof(legic_card_select_t)); OUT: switch_off(); @@ -513,7 +513,7 @@ void LegicRfReader(uint16_t offset, uint16_t len, uint8_t iv) { } // OK - reply_mix(CMD_ACK, 1, len, 0, 0, 0); + reply_old(CMD_ACK, 1, len, 0, legic_mem, len); OUT: switch_off(); @@ -552,7 +552,7 @@ void LegicRfWriter(uint16_t offset, uint16_t len, uint8_t iv, uint8_t *data) { } // OK - reply_mix(CMD_ACK, 1, len, 0, 0, 0); + reply_old(CMD_ACK, 1, len, 0, legic_mem, len); OUT: switch_off(); diff --git a/armsrc/lfops.c b/armsrc/lfops.c index a5104d98e..65f9e8422 100644 --- a/armsrc/lfops.c +++ b/armsrc/lfops.c @@ -2040,7 +2040,7 @@ void T55xx_ChkPwds(uint8_t flags) { if (isok != sizeof(counter)) goto OUT; - pwdCount = (uint16_t)(counter[1] << 8 | counter[0]); + pwdCount = counter[1] << 8 | counter[0]; if (pwdCount == 0 || pwdCount == 0xFFFF) goto OUT; diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index b2f45d117..5b8ed289e 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c 
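Review bot: `reply_old(CMD_ACK, 1, len, 0, legic_mem, len);` in LegicRfReader uses the caller's `uint16_t len` directly as the payload length, and no bound on it is visible in this hunk. If `len` can exceed what one reply packet carries, arg1 will report more bytes than the payload holds; how reply_old treats an oversized length is not shown here. A clamp before the call, or a comment stating the maximum, would make the contract explicit. LegicRfWriter in the next hunk has the same call, and both function bodies start outside their hunks.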
@@ -204,7 +204,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) uint8_t decRndB[16] = {0x00}; uint8_t both[32] = {0x00}; - //InitDesfireCard(); + InitDesfireCard(); LED_A_ON(); LED_B_OFF(); @@ -455,12 +455,8 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) mbedtls_aes_init(&ctx); cmd[0] = AUTHENTICATE_AES; - cmd[1] = 0x0; - cmd[2] = 0x0; - cmd[3] = 0x1; - cmd[4] = arg2; //keynumber - cmd[5] = 0x0; - len = DesfireAPDU(cmd, 6, resp); + cmd[1] = 0x00; //keynumber + len = DesfireAPDU(cmd, 2, resp); if (!len) { if (DBGLEVEL >= DBG_ERROR) { DbpString("Authentication failed. Card timeout."); @@ -469,7 +465,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) return; } - memcpy(encRndB, resp + 1, 16); + memcpy(encRndB, resp + 3, 16); // dekryptera tagnonce. if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) { @@ -495,13 +491,9 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT, 32, IV, both, encBoth); cmd[0] = ADDITIONAL_FRAME; - cmd[1] = 0x00; - cmd[2] = 0x00; - cmd[3] = 0x20; - memcpy(cmd + 4, encBoth, 32); - cmd[36]=0x0; + memcpy(cmd + 1, encBoth, 32); - len = DesfireAPDU(cmd, 37, resp); // 4 + 32 + 1 == 37 + len = DesfireAPDU(cmd, 33, resp); // 1 + 32 == 33 if (!len) { if (DBGLEVEL >= DBG_ERROR) { DbpString("Authentication failed. Card timeout."); @@ -510,7 +502,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) return; } - if ((resp[1+16] == 0x91)&&(resp[1+16+1] == 0x00)) { + if (resp[2] == 0x00) { // Create AES Session key struct desfire_key sessionKey = {0}; desfirekey_t skey = &sessionKey; @@ -609,6 +601,6 @@ void OnSuccess() { } void OnError(uint8_t reason) { - reply_mix(CMD_ACK, 0, reason, 0, 0, 0); + reply_old(CMD_ACK, 0, reason, 0, 0, 0); OnSuccess(); } diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 2e5fcb69e..f737ff485 100644 
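Review bot: `cmd[1] = 0x00; //keynumber` in the AES branch of MifareDES_Auth1 (hunk @@ -455) fixes the key number to 0, although the function still takes `arg2`, which the removed line used as the key number. If callers can ask for another key, this authenticates against key 0 regardless; `cmd[1] = arg2; // keynumber` keeps the parameter meaningful. If key 0 is intended, the comment should say so. The function body starts and ends outside this hunk.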
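Review bot: `memcpy(encRndB, resp + 3, 16);` (hunk @@ -469) reads bytes 3..18 of the response, but the only test on `len` before it is `if (!len)` in the previous hunk. A short card response would leave part of that range holding earlier buffer contents, which are then decrypted as the tag nonce. Check `len >= 3 + 16` first and fail the authentication otherwise. The `if (resp[2] == 0x00)` test in hunk @@ -510 has the same gap, since it accepts the second response on one byte without confirming that at least three bytes were received.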
--- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -193,7 +193,7 @@ static int usage_hf_14a_sim(void) { PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344")); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sim t 1 u 11223344556677")); // PrintAndLogEx(NORMAL, " hf 14a sim t 1 u 11223445566778899AA\n"); - return PM3_SUCCESS; + return 0; } static int usage_hf_14a_sniff(void) { PrintAndLogEx(NORMAL, "It get data from the field and saves it into command buffer."); @@ -203,7 +203,7 @@ static int usage_hf_14a_sniff(void) { PrintAndLogEx(NORMAL, "r - triggered by first 7-bit request from reader (REQ,WUP,...)"); PrintAndLogEx(NORMAL, "Examples:"); PrintAndLogEx(NORMAL, _YELLOW_(" hf 14a sniff c r")); - return PM3_SUCCESS; + return 0; } static int usage_hf_14a_raw(void) { PrintAndLogEx(NORMAL, "Usage: hf 14a raw [-h] [-r] [-c] [-p] [-a] [-T] [-t] [-b] <0A 0B 0C ... hex>"); @@ -217,7 +217,7 @@ static int usage_hf_14a_raw(void) { PrintAndLogEx(NORMAL, " -t timeout in ms"); PrintAndLogEx(NORMAL, " -T use Topaz protocol to send command"); PrintAndLogEx(NORMAL, " -3 ISO14443-3 select only (skip RATS)"); - return PM3_SUCCESS; + return 0; } static int usage_hf_14a_reader(void) { PrintAndLogEx(NORMAL, "Usage: hf 14a reader [k|s|x] [3]"); @@ -225,7 +225,7 @@ static int usage_hf_14a_reader(void) { PrintAndLogEx(NORMAL, " s silent (no messages)"); PrintAndLogEx(NORMAL, " x just drop the signal field"); PrintAndLogEx(NORMAL, " 3 ISO14443-3 select only (skip RATS)"); - return PM3_SUCCESS; + return 0; } static int CmdHF14AList(const char *Cmd) { 
@@ -580,7 +580,7 @@ int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leav if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision // get ATS uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 - SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0, rats, sizeof(rats)); + SendCommandOLD(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, 2, 0, rats, 2); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { if (!silentMode) PrintAndLogEx(ERR, "Proxmark3 connection timeout."); return 1; @@ -674,7 +674,7 @@ static int SelectCard14443_4(bool disconnect, iso14a_card_select_t *card) { if (resp.oldarg[0] == 2) { // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision // get ATS uint8_t rats[] = { 0xE0, 0x80 }; // FSDI=8 (FSD=256), CID=0 - SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, sizeof(rats), 0, rats, sizeof(rats)); + SendCommandOLD(CMD_HF_ISO14443A_READER, ISO14A_RAW | ISO14A_APPEND_CRC | ISO14A_NO_DISCONNECT, sizeof(rats), 0, rats, sizeof(rats)); if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { PrintAndLogEx(ERR, "Proxmark3 connection timeout."); return 1; @@ -1237,7 +1237,7 @@ static command_t CommandTable[] = { static int CmdHelp(const char *Cmd) { (void)Cmd; // Cmd is not used so far CmdsHelp(CommandTable); - return PM3_SUCCESS; + return 0; } int CmdHF14A(const char *Cmd) { 
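Review bot: The RATS length in ExchangeRAW14a (hunk @@ -580) is written as the literal `2` in both the arg1 and payload-length positions of `SendCommandOLD(...)`, while the same call in SelectCard14443_4 in the next hunk uses `sizeof(rats)`. Use `sizeof(rats)` in both places so the length cannot drift from the array. The usage helpers and CmdHelp in this file likewise return the literal `0` where `PM3_SUCCESS` names the intent.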
@@ -1246,92 +1246,89 @@ int CmdHF14A(const char *Cmd) { } static void printTag(char *tag) { - PrintAndLogEx(SUCCESS, "POSSIBLE TYPE:" _YELLOW_(" %s"), tag); + PrintAndLogEx(SUCCESS, _YELLOW_(" %s"), tag); } typedef enum { - MTNONE = 0, - MTCLASSIC = 1, - MTMINI = 2, - MTDESFIRE = 4, - MTPLUS = 8, - MTULTRALIGHT = 16, - MTOTHER = 32 -} nxp_mifare_type_t; + mtNone = 0, + mtClassic = 1, + mtMini = 2, + mtDESFire = 4, + mtPlus = 8, + mtUltralight = 16, + mtOther = 32 +} nxp_mifare_type; // According to NXP AN10833 Rev 3.6 MIFARE Type Identification, Table 6 int detect_nxp_card(uint8_t sak, uint16_t atqa) { - int type = MTNONE; + int type = mtNone; if (sak == 0x00) { - printTag("NTAG 20x / 21x / 21x TT / I2C plus"); - printTag("MIFARE Ultralight / C / EV1 / Nano"); - type = MTULTRALIGHT; + printTag("MIFARE Ultralight C / Ultralight CL2"); + type = mtUltralight; } if (sak == 0x01) { printTag("TNP3xxx (Activision Game Appliance)"); - type = MTCLASSIC; + type = mtOther; } if ((sak & 0x04) == 0x04) { - printTag("Any MIFARE CL1 / NTAG424DNA"); - type |= MTDESFIRE; + printTag("Any MIFARE CL1"); + type |= mtDESFire; } if ((sak & 0x08) == 0x08) { printTag("MIFARE Classic 1K / Classic 1K CL2"); printTag("MIFARE Plus 2K / Plus EV1 2K"); printTag("MIFARE Plus CL2 2K / Plus CL2 EV1 2K"); - type |= MTCLASSIC; - type |= MTPLUS; + type |= mtClassic; + type |= mtPlus; } if ((sak & 0x09) == 0x09) { printTag("MIFARE Mini 0.3K / Mini CL2 0.3K"); - type |= MTMINI; + type |= mtMini; } if ((sak & 0x10) == 0x10) { printTag("MIFARE Plus 2K / Plus CL2 2K"); - type |= MTPLUS; + type |= mtPlus; } if ((sak & 0x11) == 0x11) { printTag("MIFARE Plus 4K / Plus CL2 4K"); - type |= MTPLUS; + type |= mtPlus; } if ((sak & 0x18) == 0x18) { if (atqa == 0x0042) { printTag("MIFARE Plus 4K / Plus EV1 4K"); printTag("MIFARE Plus CL2 4K / Plus CL2 EV1 4K"); - type |= MTPLUS; + type |= mtPlus; } else { printTag("MIFARE Classic 4K / Classic 4K CL2"); - type |= MTCLASSIC; + type |= mtClassic; } } if ((sak & 0x20) 
== 0x20) { if (atqa == 0x0344) { printTag("MIFARE DESFire EV1 2K/4K/8K / DESFire EV1 CL2 2K/4K/8K"); - printTag("MIFARE NTAG424DNA"); - type |= MTDESFIRE; - } else if (atqa == 0x0304) { - printTag("MIFARE NTAG424DNA (Random ID feature)"); - type |= MTDESFIRE; + type |= mtDESFire; } else { - printTag("MIFARE Plus 2K/4K / Plus EV1 2K/4K"); - printTag("MIFARE Plus CL2 2K/4K / Plus CL2 EV1 2K/4K"); - type |= MTPLUS; + printTag("MIFARE Plus 2K / Plus EV1 2K"); + printTag("MIFARE Plus 4K / Plus EV1 4K"); + printTag("MIFARE Plus CL2 2K / Plus CL2 EV1 4K"); + printTag("MIFARE Plus CL2 4K / Plus CL2 EV1 4K"); + type |= mtPlus; } } if ((sak & 0x24) == 0x24) { if (atqa == 0x0344) { printTag("MIFARE DESFire CL1 / DESFire EV1 CL1"); - type |= MTDESFIRE; + type |= mtDESFire; } } if ((sak & 0x28) == 0x28) { if (atqa == 0x0344) { printTag("MIFARE DESFire CL1 / DESFire EV1 CL1"); - type |= MTDESFIRE; + type |= mtDESFire; } } return type; @@ -1345,6 +1342,16 @@ typedef struct { const uidname uidmap[] = { // UID0, UID1, TEXT + {0x02, 0x00, "SR176"}, + {0x02, 0x03, "SRIX4K"}, + {0x02, 0x0C, "SRT512"}, + {0x02, 0x0F, "SRI2K"}, + {0x02, 0x1B, "25TB512-AC"}, + {0x02, 0x3D, "SRIX4K"}, + {0x02, 0x3F, "25TB02K"}, + {0x02, 0x4D, "SRIX512"}, + {0x02, 0x6D, "SRI512"}, + {0x02, 0x7D, "SRI4K"}, {0x02, 0x84, "M24SR64-Y"}, {0x02, 0xA3, "25TA02KB-P"}, {0x02, 0xC4, "25TA64K"}, 
@@ -1415,33 +1422,42 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) { bool isMifareDESFire = false; bool isMifarePlus = false; bool isMifareUltralight = false; - int nxptype = MTNONE; + int nxptype = mtNone; // Double & triple sized UID, can be mapped to a manufacturer. if (card.uidlen <= 4) { nxptype = detect_nxp_card(card.sak, ((card.atqa[1] << 8) + card.atqa[0])); - - isMifareClassic = ((nxptype & MTCLASSIC) == MTCLASSIC); - isMifareDESFire = ((nxptype & MTDESFIRE) == MTDESFIRE); - isMifarePlus = ((nxptype & MTPLUS) == MTPLUS); - isMifareUltralight = ((nxptype & MTULTRALIGHT) == MTULTRALIGHT); - - if ((nxptype & MTOTHER) == MTOTHER) - isMifareClassic = true; + if ((nxptype & mtClassic) == mtClassic) isMifareClassic = true; + else isMifareClassic = false; + if ((nxptype & mtDESFire) == mtDESFire) { + isMifareDESFire = true; + } else { + isMifareDESFire = false; + } + if ((nxptype & mtPlus) == mtPlus) isMifarePlus = true; + else isMifarePlus = false; + if ((nxptype & mtUltralight) == mtUltralight) isMifareUltralight = true; + else isMifareUltralight = false; + if ((nxptype & mtOther) == mtOther) isMifareClassic = true; } if (card.uidlen > 4) { - PrintAndLogEx(SUCCESS, "MANUFACTURER: " _YELLOW_("%s"), getTagInfo(card.uid[0])); + PrintAndLogEx(SUCCESS, "MANUFACTURER: " _YELLOW_("%s"), getTagInfo(card.uid[0])); + + PrintAndLogEx(SUCCESS, "Possible Type:"); switch (card.uid[0]) { case 0x04: // NXP nxptype = detect_nxp_card(card.sak, ((card.atqa[1] << 8) + card.atqa[0])); - - isMifareClassic = ((nxptype & MTCLASSIC) == MTCLASSIC); - isMifareDESFire = ((nxptype & MTDESFIRE) == MTDESFIRE); - isMifarePlus = ((nxptype & MTPLUS) == MTPLUS); - isMifareUltralight = ((nxptype & MTULTRALIGHT) == MTULTRALIGHT); - - if ((nxptype & MTOTHER) == MTOTHER) - isMifareClassic = true; - + if ((nxptype & mtClassic) == mtClassic) isMifareClassic = true; + else isMifareClassic = false; + if ((nxptype & mtDESFire) == mtDESFire) { + isMifareDESFire = true; + } else { + 
isMifareDESFire = false; + } + if ((nxptype & mtPlus) == mtPlus) isMifarePlus = true; + else isMifarePlus = false; + if ((nxptype & mtUltralight) == mtUltralight) isMifareUltralight = true; + else isMifareUltralight = false; + if ((nxptype & mtOther) == mtOther) isMifareClassic = true; break; case 0x05: // Infineon if ((card.uid[1] & 0xF0) == 0x10) { @@ -1462,7 +1478,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) { default: getTagLabel(card.uid[0], card.uid[1]); switch (card.sak) { - case 0x00: { + case 0x00: isMifareClassic = false; // ******** is card of the MFU type (UL/ULC/NTAG/ etc etc) @@ -1491,30 +1507,23 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) { return select_status; } break; - } - case 0x0A: { + case 0x0A: printTag("FM11RF005SH (Shanghai Metro)"); break; - } - case 0x20: { + case 0x20: printTag("JCOP 31/41"); break; - } - case 0x28: { + case 0x28: printTag("JCOP31 or JCOP41 v2.3.1"); break; - } - case 0x38: { + case 0x38: printTag("Nokia 6212 or 6131"); break; - } - case 0x98: { + case 0x98: printTag("Gemplus MPCOS"); break; - } - default: { + default: break; - } } break; } @@ -1756,7 +1765,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) { PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`hf mfdes info`")); } - if (isMifareClassic || isMifareUltralight) { + if (((card.sak & 0x08) == 0x08) || ((card.sak & 0x18) == 0x18)) { detect_classic_magic(); if (isMifareClassic) { @@ -1766,7 +1775,7 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) { else if (res == 0) PrintAndLogEx(SUCCESS, "Prng detection: " _YELLOW_("hard")); else - PrintAndLogEx(FAILED, "Prng detection: " _RED_("fail")); + PrintAndLogEx(FAILED, "prng detection: " _RED_("fail")); if (do_nack_test) detect_classic_nackbug(false); @@ -1780,6 +1789,5 @@ int infoHF14A(bool verbose, bool do_nack_test, bool do_aid_search) { } } - DropField(); return select_status; } 
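Review bot: In hunk @@ -1756 the gate `if (((card.sak & 0x08) == 0x08) || ((card.sak & 0x18) == 0x18))` has a second operand that can never change the result, because any SAK with bits 0x18 set also has 0x08 set. It also tests the raw SAK instead of the flags computed earlier in infoHF14A. A card reported as `mtOther` (SAK 0x01 in detect_nxp_card) gets `isMifareClassic = true` but can no longer reach the `if (isMifareClassic)` block inside. If only SAK bit 0x08 should trigger `detect_classic_magic()`, write `if ((card.sak & 0x08) == 0x08)` and add a comment saying why the flags are not used. The function body starts and ends outside this hunk.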
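Review bot: After hunk @@ -1780, infoHF14A reaches `return select_status;` with no `DropField()` in the lines shown. Unless every earlier path has already switched the field off, which is not visible here, the antenna stays powered after the command returns and the card stays selected. Either keep `DropField();` before the return or add a comment naming the call that is responsible for dropping the field.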
diff --git a/client/cmdhflegic.c b/client/cmdhflegic.c index 5c007f9f9..c6de1379d 100644 --- a/client/cmdhflegic.c +++ b/client/cmdhflegic.c @@ -658,16 +658,6 @@ static int CmdLegicWrbl(const char *Cmd) { } } } - - // OUT-OF-BOUNDS checks - // UID 4+1 bytes can't be written to. - if (offset < 5) { - if (data) - free(data); - PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset); - return PM3_EOUTOFBOUND; - } - //Validations if (errors || cmdp == 0) { if (data) @@ -684,7 +674,14 @@ static int CmdLegicWrbl(const char *Cmd) { legic_print_type(card.cardsize, 0); - if (len + offset > card.cardsize) { + // OUT-OF-BOUNDS checks + // UID 4+1 bytes can't be written to. + if (offset < 5) { + PrintAndLogEx(WARNING, "Out-of-bounds, bytes 0-1-2-3-4 can't be written to. Offset = %d", offset); + return PM3_EOUTOFBOUND; + } + + if (len + offset >= card.cardsize) { PrintAndLogEx(WARNING, "Out-of-bounds, Cardsize = %d, [offset+len = %d ]", card.cardsize, len + offset); return PM3_EOUTOFBOUND; } diff --git a/client/cmdhflist.c b/client/cmdhflist.c index 871cd68a3..b35e4d622 100644 --- a/client/cmdhflist.c +++ b/client/cmdhflist.c @@ -674,8 +674,7 @@ void annotateIso7816(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { // it's basically a ISO14443a tag, so try annotation from there - if (applyIso14443a(exp, size, cmd, cmdsize) == 0) { - + if (!applyIso14443a(exp, size, cmd, cmdsize)) { // S-block 11xxx010 if ((cmd[0] & 0xC0) && (cmdsize == 3)) { switch ((cmd[0] & 0x30)) { 
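Review bot: The relocated `if (offset < 5)` check in CmdLegicWrbl (hunk @@ -684) returns `PM3_EOUTOFBOUND` without releasing `data`, which the removed version freed; the card-size check below it returns the same way. Add `free(data);` before both returns. The new comparison `len + offset >= card.cardsize` also rejects a write that ends exactly on the last byte of the card. If that write is valid, the condition should stay `if (len + offset > card.cardsize)`. The function body starts and ends outside this hunk.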
@@ -699,132 +698,123 @@ void annotateMfDesfire(char *exp, size_t size, uint8_t *cmd, uint8_t cmdsize) { } // I-block 000xCN1x else if ((cmd[0] & 0xC0) == 0x00) { - // PCB [CID] [NAD] [INF] CRC CRC int pos = 1; if ((cmd[0] & 0x08) == 0x08) // cid byte following - pos++; - + pos = pos + 1; if ((cmd[0] & 0x04) == 0x04) // nad byte following - pos++; - - for (uint8_t i = 0; i < 2; i++, pos++) { - - switch (cmd[pos]) { - case MFDES_CREATE_APPLICATION: - snprintf(exp, size, "CREATE APPLICATION"); - break; - case MFDES_DELETE_APPLICATION: - snprintf(exp, size, "DELETE APPLICATION"); - break; - case MFDES_GET_APPLICATION_IDS: - snprintf(exp, size, "GET APPLICATION IDS"); - break; - case MFDES_SELECT_APPLICATION: - snprintf(exp, size, "SELECT APPLICATION"); - break; - case MFDES_FORMAT_PICC: - snprintf(exp, size, "FORMAT PICC"); - break; - case MFDES_GET_VERSION: - snprintf(exp, size, "GET VERSION"); - break; - case MFDES_READ_DATA: - snprintf(exp, size, "READ DATA"); - break; - case MFDES_WRITE_DATA: - snprintf(exp, size, "WRITE DATA"); - break; - case MFDES_GET_VALUE: - snprintf(exp, size, "GET VALUE"); - break; - case MFDES_CREDIT: - snprintf(exp, size, "CREDIT"); - break; - case MFDES_DEBIT: - snprintf(exp, size, "DEBIT"); - break; - case MFDES_LIMITED_CREDIT: - snprintf(exp, size, "LIMITED CREDIT"); - break; - case MFDES_WRITE_RECORD: - snprintf(exp, size, "WRITE RECORD"); - break; - case MFDES_READ_RECORDS: - snprintf(exp, size, "READ RECORDS"); - break; - case MFDES_CLEAR_RECORD_FILE: - snprintf(exp, size, "CLEAR RECORD FILE"); - break; - case MFDES_COMMIT_TRANSACTION: - snprintf(exp, size, "COMMIT TRANSACTION"); - break; - case MFDES_ABORT_TRANSACTION: - snprintf(exp, size, "ABORT TRANSACTION"); - break; - case MFDES_GET_FREE_MEMORY: - snprintf(exp, size, "GET FREE MEMORY"); - break; - case MFDES_GET_FILE_IDS: - snprintf(exp, size, "GET FILE IDS"); - break; - case MFDES_GET_DF_NAMES: - snprintf(exp, size, "GET DF NAMES"); - break; - case MFDES_GET_ISOFILE_IDS: - 
snprintf(exp, size, "GET ISOFILE IDS"); - break; - case MFDES_GET_FILE_SETTINGS: - snprintf(exp, size, "GET FILE SETTINGS"); - break; - case MFDES_CHANGE_FILE_SETTINGS: - snprintf(exp, size, "CHANGE FILE SETTINGS"); - break; - case MFDES_CREATE_STD_DATA_FILE: - snprintf(exp, size, "CREATE STD DATA FILE"); - break; - case MFDES_CREATE_BACKUP_DATA_FILE: - snprintf(exp, size, "CREATE BACKUP DATA FILE"); - break; - case MFDES_CREATE_VALUE_FILE: - snprintf(exp, size, "CREATE VALUE FILE"); - break; - case MFDES_CREATE_LINEAR_RECORD_FILE: - snprintf(exp, size, "CREATE LINEAR RECORD FILE"); - break; - case MFDES_CREATE_CYCLIC_RECORD_FILE: - snprintf(exp, size, "CREATE CYCLIC RECORD FILE"); - break; - case MFDES_DELETE_FILE: - snprintf(exp, size, "DELETE FILE"); - break; - case MFDES_AUTHENTICATE: - snprintf(exp, size, "AUTH NATIVE (keyNo %d)", cmd[pos + 1]); - break; // AUTHENTICATE_NATIVE - case MFDES_AUTHENTICATE_ISO: - snprintf(exp, size, "AUTH ISO (keyNo %d)", cmd[pos + 1]); - break; // AUTHENTICATE_STANDARD - case MFDES_AUTHENTICATE_AES: - snprintf(exp, size, "AUTH AES (keyNo %d)", cmd[pos + 1]); - break; - case MFDES_CHANGE_KEY_SETTINGS: - snprintf(exp, size, "CHANGE KEY SETTINGS"); - break; - case MFDES_GET_KEY_SETTINGS: - snprintf(exp, size, "GET KEY SETTINGS"); - break; - case MFDES_CHANGE_KEY: - snprintf(exp, size, "CHANGE KEY"); - break; - case MFDES_GET_KEY_VERSION: - snprintf(exp, size, "GET KEY VERSION"); - break; - case MFDES_AUTHENTICATION_FRAME: - snprintf(exp, size, "AUTH FRAME / NEXT FRAME"); - break; - default: - break; - } + pos = pos + 1; + switch (cmd[pos]) { + case MFDES_CREATE_APPLICATION: + snprintf(exp, size, "CREATE APPLICATION"); + break; + case MFDES_DELETE_APPLICATION: + snprintf(exp, size, "DELETE APPLICATION"); + break; + case MFDES_GET_APPLICATION_IDS: + snprintf(exp, size, "GET APPLICATION IDS"); + break; + case MFDES_SELECT_APPLICATION: + snprintf(exp, size, "SELECT APPLICATION"); + break; + case MFDES_FORMAT_PICC: + snprintf(exp, size, 
"FORMAT PICC"); + break; + case MFDES_GET_VERSION: + snprintf(exp, size, "GET VERSION"); + break; + case MFDES_READ_DATA: + snprintf(exp, size, "READ DATA"); + break; + case MFDES_WRITE_DATA: + snprintf(exp, size, "WRITE DATA"); + break; + case MFDES_GET_VALUE: + snprintf(exp, size, "GET VALUE"); + break; + case MFDES_CREDIT: + snprintf(exp, size, "CREDIT"); + break; + case MFDES_DEBIT: + snprintf(exp, size, "DEBIT"); + break; + case MFDES_LIMITED_CREDIT: + snprintf(exp, size, "LIMITED CREDIT"); + break; + case MFDES_WRITE_RECORD: + snprintf(exp, size, "WRITE RECORD"); + break; + case MFDES_READ_RECORDS: + snprintf(exp, size, "READ RECORDS"); + break; + case MFDES_CLEAR_RECORD_FILE: + snprintf(exp, size, "CLEAR RECORD FILE"); + break; + case MFDES_COMMIT_TRANSACTION: + snprintf(exp, size, "COMMIT TRANSACTION"); + break; + case MFDES_ABORT_TRANSACTION: + snprintf(exp, size, "ABORT TRANSACTION"); + break; + case MFDES_GET_FREE_MEMORY: + snprintf(exp, size, "GET FREE MEMORY"); + break; + case MFDES_GET_FILE_IDS: + snprintf(exp, size, "GET FILE IDS"); + break; + case MFDES_GET_ISOFILE_IDS: + snprintf(exp, size, "GET ISOFILE IDS"); + break; + case MFDES_GET_FILE_SETTINGS: + snprintf(exp, size, "GET FILE SETTINGS"); + break; + case MFDES_CHANGE_FILE_SETTINGS: + snprintf(exp, size, "CHANGE FILE SETTINGS"); + break; + case MFDES_CREATE_STD_DATA_FILE: + snprintf(exp, size, "CREATE STD DATA FILE"); + break; + case MFDES_CREATE_BACKUP_DATA_FILE: + snprintf(exp, size, "CREATE BACKUP DATA FILE"); + break; + case MFDES_CREATE_VALUE_FILE: + snprintf(exp, size, "CREATE VALUE FILE"); + break; + case MFDES_CREATE_LINEAR_RECORD_FILE: + snprintf(exp, size, "CREATE LINEAR RECORD FILE"); + break; + case MFDES_CREATE_CYCLIC_RECORD_FILE: + snprintf(exp, size, "CREATE CYCLIC RECORD FILE"); + break; + case MFDES_DELETE_FILE: + snprintf(exp, size, "DELETE FILE"); + break; + case MFDES_AUTHENTICATE: + snprintf(exp, size, "AUTH NATIVE (keyNo %d)", cmd[pos + 1]); + break; // AUTHENTICATE_NATIVE 
+ case MFDES_AUTHENTICATE_ISO: + snprintf(exp, size, "AUTH ISO (keyNo %d)", cmd[pos + 1]); + break; // AUTHENTICATE_STANDARD + case MFDES_AUTHENTICATE_AES: + snprintf(exp, size, "AUTH AES (keyNo %d)", cmd[pos + 1]); + break; + case MFDES_CHANGE_KEY_SETTINGS: + snprintf(exp, size, "CHANGE KEY SETTINGS"); + break; + case MFDES_GET_KEY_SETTINGS: + snprintf(exp, size, "GET KEY SETTINGS"); + break; + case MFDES_CHANGE_KEY: + snprintf(exp, size, "CHANGE KEY"); + break; + case MFDES_GET_KEY_VERSION: + snprintf(exp, size, "GET KEY VERSION"); + break; + case MFDES_AUTHENTICATION_FRAME: + snprintf(exp, size, "AUTH FRAME / NEXT FRAME"); + break; + default: + break; } } else { // anything else diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 931471961..1c5a0ee48 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -16,18 +16,11 @@ #include "cmdparser.h" // command_t #include "comms.h" #include "ui.h" -#include "cmdhw.h" #include "cmdhf14a.h" #include "mbedtls/des.h" #include "crypto/libpcrypto.h" #include "protocols.h" #include "mifare.h" // desfire raw command options -#include "cmdtrace.h" -#include "cliparser/cliparser.h" -#include "emv/apduinfo.h" // APDU manipulation / errorcodes -#include "emv/emvcore.h" // APDU logging -#include "util_posix.h" // msleep -#include "mifare/mifare4.h" // MIFARE Authenticate / MAC uint8_t key_zero_data[16] = { 0x00 }; uint8_t key_ones_data[16] = { 0x01 }; 
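Review bot: The I-block branch of annotateMfDesfire (hunk @@ -699) advances `pos` past the optional CID and NAD bytes and then reads `cmd[pos]`, and `cmd[pos + 1]` in the three AUTH cases, without comparing against `cmdsize`. A short or truncated trace frame makes these reads run past the captured bytes. Guard the switch with `if (pos < cmdsize)` and the key-number cases with `pos + 1 < cmdsize`, printing the annotation without the key number when the byte is absent. The function body starts and ends outside this hunk.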
@@ -39,126 +32,36 @@ typedef enum { MF3ICD40, EV1, EV2, - EV3, LIGHT, } desfire_cardtype_t; -typedef struct { - uint8_t aid[3]; - uint8_t fid[2]; - uint8_t name[16]; -} dfname_t; static int CmdHelp(const char *Cmd); -/* - uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00}; - int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen, false); - if (!res && datalen > 1 && data[0] == 0x09) { - SLmode = 0; - } +static int SendDesfireCmd(uint8_t *c, size_t len, int p0, int p1, int p2, PacketResponseNG *response, int timeout) { + PacketResponseNG resp; -*/ + if (response == NULL) + response = &resp; -int DESFIRESendApdu(bool activate_field, bool leavefield_on, sAPDU apdu, uint8_t *result, int max_result_len, int *result_len, uint16_t *sw) { + clearCommandBuffer(); + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, p0, p1, p2, c, len); - *result_len = 0; - if (sw) *sw = 0; - - uint16_t isw = 0; - int res = 0; - - if (activate_field) { + if (!WaitForResponseTimeout(CMD_ACK, response, timeout)) { + PrintAndLogEx(WARNING, "[SendDesfireCmd] Timed-out: " _RED_("%s"), sprint_hex(c, len)); DropField(); - msleep(50); + return PM3_ETIMEOUT; } - // select? - uint8_t data[APDU_RES_LEN] = {0}; - - // COMPUTE APDU - int datalen = 0; - //if (APDUEncodeS(&apdu, false, IncludeLe ? 
0x100 : 0x00, data, &datalen)) { - if (APDUEncodeS(&apdu, false, 0x100, data, &datalen)) { - PrintAndLogEx(ERR, "APDU encoding error."); - return PM3_EAPDU_ENCODEFAIL; + uint8_t isOK = response->data.asBytes[0] & 0xff; + if (!isOK) { + PrintAndLogEx(WARNING, "[SendDesfireCmd] Unsuccessful: " _RED_("%s"), sprint_hex(c, len)); + return PM3_ESOFT; } - - if (GetAPDULogging() || (g_debugMode > 1)) - PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, datalen)); - - res = ExchangeAPDU14a(data, datalen, activate_field, leavefield_on, result, max_result_len, result_len); - if (res) { - return res; - } - - if (GetAPDULogging() || (g_debugMode > 1)) - PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(result, *result_len)); - - if (*result_len < 2) { - return PM3_SUCCESS; - } - - *result_len -= 2; - isw = (result[*result_len] << 8) + result[*result_len + 1]; - if (sw) - *sw = isw; - - if (isw != 0x9000 && isw != MFDES_SUCCESS_FRAME_RESP && isw != MFDES_ADDITIONAL_FRAME_RESP) { - if (GetAPDULogging()) { - if (isw >> 8 == 0x61) { - PrintAndLogEx(ERR, "APDU chaining len:%02x -->", isw & 0xff); - } else { - PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(isw >> 8, isw & 0xff)); - return PM3_EAPDU_FAIL; - } - } - } - return PM3_SUCCESS; } - -static int send_desfire_cmd(sAPDU *apdu, bool select, uint8_t *dest, int *recv_len, uint16_t *sw, int splitbysize) { - //SetAPDULogging(true); - *sw = 0; - uint8_t data[255 * 5] = {0x00}; - int resplen = 0; - int pos = 0; - int i = 1; - int res = DESFIRESendApdu(select, true, *apdu, data, sizeof(data), &resplen, sw); - if (res != PM3_SUCCESS) return res; - if (*sw != MFDES_ADDITIONAL_FRAME_RESP && *sw != MFDES_SUCCESS_FRAME_RESP) return PM3_ESOFT; - if (dest != NULL) { - memcpy(dest, data, resplen); - } - - pos += resplen; - if (*sw == MFDES_ADDITIONAL_FRAME_RESP) { - apdu->INS = MFDES_ADDITIONAL_FRAME; //0xAF - - res = DESFIRESendApdu(false, true, *apdu, data, sizeof(data), &resplen, sw); - if 
(res != PM3_SUCCESS) return res; - if (dest != NULL) { - if (splitbysize) { - memcpy(&dest[i * splitbysize], data, resplen); - i += 1; - } else { - memcpy(&dest[pos], data, resplen); - } - } - pos += resplen; - } - if (splitbysize) *recv_len = i; - else { - *recv_len = pos; - } - //SetAPDULogging(false); - return PM3_SUCCESS; - -} - static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { if (major == 0x00) 
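Review bot: SendDesfireCmd (hunk @@ -39) takes its status from `response->data.asBytes[0]` without checking `response->length`, so an ACK with no payload is judged on whatever byte is already in the buffer. Test `response->length > 0` before reading it; the `& 0xff` on a value stored into a `uint8_t` can be dropped. Only the timeout path calls `DropField()`, while the unsuccessful path returns `PM3_ESOFT` and leaves the field as it was. That difference deserves a comment if it is intentional.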
@@ -167,39 +70,59 @@ static desfire_cardtype_t getCardType(uint8_t major, uint8_t minor) { return EV1; else if (major == 0x12 && minor == 0x00) return EV2; -// else if (major == 0x13 && minor == 0x00) -// return EV3; else if (major == 0x30 && minor == 0x00) return LIGHT; else return UNKNOWN; } +//ICEMAN: Turn on field method? //none static int test_desfire_authenticate() { - uint8_t data[] = {0x00}; - sAPDU apdu = {0x90, MFDES_AUTHENTICATE, 0x00, 0x00, 0x01, data}; // 0x0A, KEY 0 - int recv_len = 0; - uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0); + uint8_t c[] = {AUTHENTICATE, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x0A, KEY 0 + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); + PacketResponseNG resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { + DropField(); + return PM3_ETIMEOUT; + } + if (resp.length == 13) + return PM3_SUCCESS; + return PM3_ESOFT; } - // none static int test_desfire_authenticate_iso() { - uint8_t data[] = {0x00}; - sAPDU apdu = {0x90, MFDES_AUTHENTICATE_ISO, 0x00, 0x00, 0x01, data}; // 0x1A, KEY 0 - int recv_len = 0; - uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0); + uint8_t c[] = {AUTHENTICATE_ISO, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x1A, KEY 0 + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); + PacketResponseNG resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { + DropField(); + return PM3_ETIMEOUT; + } + if (resp.length >= 13) + return PM3_SUCCESS; + return PM3_ESOFT; } - //none static int test_desfire_authenticate_aes() { - uint8_t data[] = {0x00}; - sAPDU apdu = {0x90, MFDES_AUTHENTICATE_AES, 0x00, 0x00, 0x01, data}; // 0xAA, KEY 0 - int recv_len = 0; - uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, NULL, &recv_len, &sw, 0); + /* Just left here for future use, from TI TRF7970A sloa213 document + const static u08_t CustomKey1[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; + const static u08_t CustomKey2[16] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, + 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}; + const static u08_t CustomKey3[16] = {0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, + 0x53, 0x79, 0x70, 0x25, 0x53, 0x79, 0x70, 0x25, 0x53}; + */ + uint8_t c[] = {AUTHENTICATE_AES, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0xAA, KEY 0 + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(c), 0, c, sizeof(c)); + PacketResponseNG resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { + DropField(); + return PM3_ETIMEOUT; + } + if (resp.length >= 13) + return PM3_SUCCESS; + return PM3_ESOFT; } // --- FREE MEM @@ -210,18 +133,20 @@ static int desfire_print_freemem(uint32_t free_mem) { // init / disconnect static int get_desfire_freemem(uint32_t *free_mem) { - sAPDU apdu = {0x90, MFDES_GET_FREE_MEMORY, 0x00, 0x00, 0x00, NULL}; // 0x6E - int recv_len = 0; - uint16_t sw = 0; - uint8_t fmem[4] = {0}; - - int res = send_desfire_cmd(&apdu, true, fmem, &recv_len, &sw, 0); - if (res == PM3_SUCCESS) { - *free_mem = le24toh(fmem); - return res; + uint8_t c[] = {GET_FREE_MEMORY, 0x00, 0x00, 0x00}; // 0x6E + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); + PacketResponseNG resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { + return PM3_ETIMEOUT; } + + if (resp.length == 8) { + *free_mem = le24toh(resp.data.asBytes + 1); + return PM3_SUCCESS; + } + *free_mem = 0; - return res; + return PM3_ESOFT; } 
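Review bot: The three test_desfire_authenticate* helpers decide success from a bare `resp.length` compared with 13, and the first uses `==` while the ISO and AES variants use `>=`, with nothing saying which is intended. A named constant plus a one-line comment on what a 13-byte reply contains would make the check reviewable, for example `#define DESFIRE_AUTH_RESP_LEN 13 // TODO confirm reply layout` (name constructed for illustration). None of the three inspects the status bytes of the reply, so an error reply of the same length would apparently be reported as PM3_SUCCESS; this is inferred from the hunk alone and should be confirmed against the firmware side.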
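Review bot: get_desfire_freemem leaves `*free_mem` unwritten when WaitForResponseTimeout fails, while the other failure path sets it to 0 before returning PM3_ESOFT. Putting `*free_mem = 0;` at the top of the function gives every error path the same result, so a caller that ignores the return code does not print an indeterminate value. The `resp.length == 8` test would also benefit from a comment naming the bytes it expects, since the value is read from offset 1 of the reply.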
@@ -236,9 +161,9 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign {"NTAG424DNA, DESFire EV2", "048A9B380AF2EE1B98DC417FECC263F8449C7625CECE82D9B916C992DA209D68422B81EC20B65A66B5102A61596AF3379200599316A00A1410"}, {"NTAG413DNA, DESFire EV1", "04BB5D514F7050025C7D0F397310360EEC91EAF792E96FC7E0F496CB4E669D414F877B7B27901FE67C2E3B33CD39D1C797715189AC951C2ADD"}, {"DESFire EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3A"}, - {"NTAG424DNA, NTAG424DNATT, DESFire Light EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3B"}, + {"NTAG424DNA,NTAG424DNATT, DESFire Light EV2", "04B304DC4C615F5326FE9383DDEC9AA892DF3A57FA7FFB3276192BC0EAA252ED45A865E3B093A3D0DCE5BE29E92F1392CE7DE321E3E5C52B3B"}, {"DESFire Light EV1", "040E98E117AAA36457F43173DC920A8757267F44CE4EC5ADD3C54075571AEBBF7B942A9774A1D94AD02572427E5AE0A2DD36591B1FB34FCF3D"}, - {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} + {"Mifare Plus", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} }; uint8_t i; 
@@ -263,41 +188,36 @@ static int desfire_print_signature(uint8_t *uid, uint8_t *signature, size_t sign PrintAndLogEx(NORMAL, ""); PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature")); - PrintAndLogEx(INFO, " IC signature public key name: " _GREEN_("%s"), nxp_desfire_public_keys[i].desc); + PrintAndLogEx(INFO, " IC signature public key name: %s", nxp_desfire_public_keys[i].desc); PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_desfire_public_keys[i].value); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 16); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 32); PrintAndLogEx(INFO, " : %.32s", nxp_desfire_public_keys[i].value + 48); PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1"); - PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex_inrow(signature, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48)); - PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); + PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex(signature, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 16, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 32, 16)); + PrintAndLogEx(INFO, " : %s", sprint_hex(signature + 48, signature_len - 48)); + PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); return PM3_SUCCESS; } // init / disconnect static int get_desfire_signature(uint8_t *signature, size_t *signature_len) { - uint8_t c = 0x00; - sAPDU apdu = {0x90, MFDES_READSIG, 0x00, 0x00, 0x01, &c}; // 0x3C - int recv_len = 0; - uint16_t sw = 0; - int res = send_desfire_cmd(&apdu, true, signature, &recv_len, &sw, 0); - if (res == PM3_SUCCESS) { - if (recv_len != 56) { - *signature_len = 0; - DropField(); - return PM3_ESOFT; - } else { - *signature_len = recv_len; + uint8_t c[] = {MFDES_READSIG, 
0x00, 0x00, 0x01, 0x00, 0x00}; // 0x3C + SendCommandMIX(CMD_HF_DESFIRE_COMMAND, (INIT | DISCONNECT), sizeof(c), 0, c, sizeof(c)); + PacketResponseNG resp; + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) + return PM3_ETIMEOUT; - } - DropField(); + if (resp.length == 61) { + memcpy(signature, resp.data.asBytes + 1, 56); + *signature_len = 56; return PM3_SUCCESS; + } else { + *signature_len = 0; + return PM3_ESOFT; } - DropField(); - return res; } @@ -335,21 +255,18 @@ static int desfire_print_keysetting(uint8_t key_settings, uint8_t num_keys) { // none static int get_desfire_keysettings(uint8_t *key_settings, uint8_t *num_keys) { - sAPDU apdu = {0x90, MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00, NULL}; //0x45 - int recv_len = 0; - uint16_t sw = 0; - uint8_t data[2] = {0}; - if (num_keys == NULL) return PM3_ESOFT; - if (key_settings == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, false, data, &recv_len, &sw, 0); - if (sw == MFDES_EAUTH_RESP) { + PacketResponseNG resp; + uint8_t c[] = {MFDES_GET_KEY_SETTINGS, 0x00, 0x00, 0x00}; // 0x45 + int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); + if (ret != PM3_SUCCESS) return ret; + + if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0xae) { PrintAndLogEx(WARNING, _RED_("[get_desfire_keysettings] Authentication error")); return PM3_ESOFT; } - if (res != PM3_SUCCESS) return res; - - *key_settings = data[0]; - *num_keys = data[1]; +// PrintAndLogEx(INFO, "ICE: KEYSETTING resp :: %s", sprint_hex(resp.data.asBytes, resp.length)); + *key_settings = resp.data.asBytes[1]; + *num_keys = resp.data.asBytes[2]; return PM3_SUCCESS; } 
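Review bot: get_desfire_signature writes a fixed 56 bytes into `signature` without knowing how large the caller's buffer is, and the lengths 61 and 56 are unexplained literals. A shared named constant for the signature size, used by both this function and its callers, would tie the copy to the allocation; a comment should say what the five extra bytes in a 61-byte reply are. The timeout path returns without writing `*signature_len`, unlike the other failure path, so `*signature_len = 0;` belongs at the top of the function. Only the length is checked before the copy; the status bytes of the reply are not examined in the visible code.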
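Review bot: get_desfire_keysettings reads `resp.data.asBytes[1]` and `resp.data.asBytes[2]` without checking `resp.length`, so a short reply makes it compare and hand back bytes the card did not send (assuming `resp.length` counts the bytes in `data.asBytes`). Adding `if (resp.length < 3) return PM3_ESOFT;` right after the SendDesfireCmd call closes that. The NULL checks on `key_settings` and `num_keys` that the removed code had are also gone; `if (key_settings == NULL || num_keys == NULL) return PM3_ESOFT;` restores them.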
@@ -361,72 +278,83 @@ static int desfire_print_keyversion(uint8_t key_idx, uint8_t key_version) { // none static int get_desfire_keyversion(uint8_t curr_key, uint8_t *num_versions) { - sAPDU apdu = {0x90, MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, &curr_key}; //0x64 - int recv_len = 0; - uint16_t sw = 0; - if (num_versions == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, false, num_versions, &recv_len, &sw, 0); - if (sw == MFDES_ENO_SUCH_KEY_RESP) { - PrintAndLogEx(WARNING, _RED_("[get_desfire_keyversion] Key %d doesn't exist"), curr_key); + PacketResponseNG resp; + uint8_t c[] = {MFDES_GET_KEY_VERSION, 0x00, 0x00, 0x01, curr_key, 0x00}; // 0x64 + int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); + if (ret != PM3_SUCCESS) return ret; + + if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0x40) { return PM3_ESOFT; } - return res; -} - -// init / disconnect -static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { - sAPDU apdu = {0x90, MFDES_GET_APPLICATION_IDS, 0x00, 0x00, 0x00, NULL}; //0x6a - int recv_len = 0; - uint16_t sw = 0; - if (dest == NULL) return PM3_ESOFT; - if (app_ids_len == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, true, dest, &recv_len, &sw, 0); - if (res != PM3_SUCCESS) return res; - *app_ids_len = (uint8_t)recv_len & 0xFF; - return res; -} - -static int get_desfire_dfnames(dfname_t *dest, uint8_t *dfname_count) { - sAPDU apdu = {0x90, MFDES_GET_DF_NAMES, 0x00, 0x00, 0x00, NULL}; //0x6d - int recv_len = 0; - uint16_t sw = 0; - if (dest == NULL) return PM3_ESOFT; - if (dfname_count == NULL) return PM3_ESOFT; - int res = send_desfire_cmd(&apdu, true, (uint8_t *)dest, &recv_len, &sw, sizeof(dfname_t)); - if (res != PM3_SUCCESS) return res; - *dfname_count = recv_len; - return res; + *num_versions = resp.data.asBytes[1]; + return PM3_SUCCESS; } // init static int get_desfire_select_application(uint8_t *aid) { - sAPDU apdu = {0x90, MFDES_SELECT_APPLICATION, 0x00, 0x00, 0x03, aid}; 
//0x5a - int recv_len = 0; - uint16_t sw = 0; if (aid == NULL) return PM3_ESOFT; - return send_desfire_cmd(&apdu, true, NULL, &recv_len, &sw, sizeof(dfname_t)); + + uint8_t c[] = {SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a + PacketResponseNG resp; + int ret = SendDesfireCmd(c, sizeof(c), INIT, sizeof(c), 0, &resp, 3000); + if (ret != PM3_SUCCESS) { + if (ret == PM3_ESOFT) { + PrintAndLogEx(WARNING, "[get_desfire_select_application] Can't select AID: " _RED_("%s"), sprint_hex(aid, 3)); + } + return ret; + } + + if (resp.data.asBytes[1] == 0x91 && resp.data.asBytes[2] == 0x00) { + return PM3_SUCCESS; + } + + return PM3_ESOFT; } + +// init / disconnect +static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) { + + uint8_t c[] = {GET_APPLICATION_IDS, 0x00, 0x00, 0x00}; //0x6a + PacketResponseNG resp; + int ret = SendDesfireCmd(c, sizeof(c), INIT | CLEARTRACE | DISCONNECT, sizeof(c), 0, &resp, 1500); + if (ret != PM3_SUCCESS) return ret; + + *app_ids_len = resp.length - 5; + + // resp.length - 2crc, 2status, 1pcb... 
+ memcpy(dest, resp.data.asBytes + 1, *app_ids_len); + + if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) { + + c[0] = MFDES_ADDITIONAL_FRAME; //0xAF + ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); + if (ret != PM3_SUCCESS) return ret; + + memcpy(dest + *app_ids_len, resp.data.asBytes + 1, resp.length - 5); + + *app_ids_len += (resp.length - 5); + } + return PM3_SUCCESS; +} + + // none static int get_desfire_fileids(uint8_t *dest, uint8_t *file_ids_len) { - sAPDU apdu = {0x90, MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00, NULL}; //0x6f - int recv_len = 0; - uint16_t sw = 0; - if (dest == NULL) return PM3_ESOFT; - if (file_ids_len == NULL) return PM3_ESOFT; - *file_ids_len = 0; - int res = send_desfire_cmd(&apdu, false, dest, &recv_len, &sw, 0); - if (res != PM3_SUCCESS) return res; - *file_ids_len = recv_len; - return res; -} + uint8_t c[] = {MFDES_GET_FILE_IDS, 0x00, 0x00, 0x00}; // 0x6f + PacketResponseNG resp; + int ret = SendDesfireCmd(c, sizeof(c), NONE, sizeof(c), 0, &resp, 1500); + if (ret != PM3_SUCCESS) return ret; -static int get_desfire_filesettings(uint8_t file_id, uint8_t *dest, int *destlen) { - sAPDU apdu = {0x90, MFDES_GET_FILE_SETTINGS, 0x00, 0x00, 0x01, &file_id}; // 0xF5 - uint16_t sw = 0; - return send_desfire_cmd(&apdu, false, dest, destlen, &sw, 0); + if (resp.data.asBytes[resp.length - 4] == 0x91 && resp.data.asBytes[resp.length - 3] == 0x00) { + *file_ids_len = resp.length - 5; + memcpy(dest, resp.data.asBytes + 1, *file_ids_len); + return PM3_SUCCESS; + } + + return PM3_ESOFT; } static int CmdHF14ADesInfo(const char *Cmd) { 
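Review bot: get_desfire_appids and get_desfire_fileids take the copy length from `resp.length - 5` with no lower or upper bound and then memcpy that many bytes into `dest`. A reply shorter than five bytes wraps the uint8_t length to a large value, and a long reply can exceed the caller's buffer, whose size is never passed in (the caller later in this diff declares `app_ids[78]` and `file_ids[33]`); the `resp.length - 3` and `resp.length - 4` index expressions go out of range the same way. The NULL checks on `dest` and the length pointers that the removed code had are gone too. The sketch below bounds both copies in get_desfire_appids; get_desfire_fileids needs the same treatment, and the cleaner long-term fix is to pass the destination capacity as a parameter.

```c
static int get_desfire_appids(uint8_t *dest, uint8_t *app_ids_len) {
    // capacity of the caller's buffer; better passed in as a parameter
    const size_t cap = 78;

    if (dest == NULL || app_ids_len == NULL) return PM3_ESOFT;
    *app_ids_len = 0;

    // … unchanged: build c[], first SendDesfireCmd call and its return check …

    // 5 = 2 crc + 2 status + 1 pcb, as in the existing comment
    if (resp.length < 5) return PM3_ESOFT;
    size_t n = resp.length - 5;
    if (n > cap) return PM3_ESOFT;
    memcpy(dest, resp.data.asBytes + 1, n);
    size_t total = n;

    if (resp.data.asBytes[resp.length - 3] == MFDES_ADDITIONAL_FRAME) {
        // … unchanged: send the 0xAF continuation and check its return …

        if (resp.length < 5) return PM3_ESOFT;
        n = resp.length - 5;
        if (n > cap - total) return PM3_ESOFT;
        memcpy(dest + total, resp.data.asBytes + 1, n);
        total += n;
    }

    *app_ids_len = (uint8_t)total;
    return PM3_SUCCESS;
}
```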
@@ -502,13 +430,11 @@ static int CmdHF14ADesInfo(const char *Cmd) { if (major == 0 && minor == 6) PrintAndLogEx(INFO, "\t0.6 - DESFire MF3ICD40, Add ISO/IEC 7816 command set compatibility"); if (major == 1 && minor == 3) - PrintAndLogEx(INFO, "\t1.3 - DESFire Ev1 MF3ICD21/41/81, Support extended APDU commands, EAL4+"); + PrintAndLogEx(INFO, "\t1.3 - DESFire Ev1, Support extended APDU commands"); if (major == 1 && minor == 4) - PrintAndLogEx(INFO, "\t1.4 - DESFire Ev1 MF3ICD21/41/81, EAL4+, N/A (report to iceman!)"); + PrintAndLogEx(INFO, "\t1.4 - DESFire Ev1, N/A information about this version. report to iceman!"); if (major == 2 && minor == 0) - PrintAndLogEx(INFO, "\t2.0 - DESFire Ev2, Originality check, proximity check, EAL5"); -// if (major == 3 && minor == 0) -// PrintAndLogEx(INFO, "\t3.0 - DESFire Ev3, Originality check, proximity check, badass EAL5"); + PrintAndLogEx(INFO, "\t2.0 - DESFire Ev2, Originality check, proximity check"); if (major == 0 && minor == 2) PrintAndLogEx(INFO, "\t0.2 - DESFire Light, Originality check, "); @@ -600,8 +526,6 @@ char *getVersionStr(uint8_t major, uint8_t minor) { sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV1") ")", major, minor); else if (major == 0x12 && minor == 0x00) sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV2") ")", major, minor); -// else if (major == 0x13 && minor == 0x00) -// sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV3") ")", major, minor); else if (major == 0x30 && minor == 0x00) sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire Light") ")", major, minor); else @@ -614,7 +538,9 @@ void getKeySettings(uint8_t *aid) { if (memcmp(aid, "\x00\x00\x00", 3) == 0) { // CARD MASTER KEY - //PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); + if (get_desfire_select_application(aid) != PM3_SUCCESS) { PrintAndLogEx(WARNING, _RED_(" Can't select AID")); DropField(); 
@@ -677,7 +603,9 @@ void getKeySettings(uint8_t *aid) { } else { // AID - APPLICATION MASTER KEYS - //PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); + if (get_desfire_select_application(aid) != PM3_SUCCESS) { PrintAndLogEx(WARNING, _RED_(" Can't select AID")); DropField(); @@ -723,25 +651,15 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { (void)Cmd; // Cmd is not used so far // uint8_t isOK = 0x00; - uint8_t aid[3] = {0}; + uint8_t aid[3]; uint8_t app_ids[78] = {0}; uint8_t app_ids_len = 0; uint8_t file_ids[33] = {0}; uint8_t file_ids_len = 0; - dfname_t dfnames[255]; - uint8_t dfname_count = 0; - if (get_desfire_appids(app_ids, &app_ids_len) != PM3_SUCCESS) { PrintAndLogEx(ERR, "Can't get list of applications on tag"); - DropField(); - return PM3_ESOFT; - } - - if (get_desfire_dfnames(dfnames, &dfname_count) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_("Can't get DF Names")); - DropField(); return PM3_ESOFT; } 
@@ -756,49 +674,18 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { aid[1] = app_ids[i + 1]; aid[2] = app_ids[i + 2]; - PrintAndLogEx(NORMAL, ""); - - if (memcmp(aid, "\x00\x00\x00", 3) == 0) { - // CARD MASTER KEY - PrintAndLogEx(INFO, "--- " _CYAN_("CMK - PICC, Card Master Key settings")); - } else { - PrintAndLogEx(SUCCESS, "--- " _CYAN_("AMK - Application Master Key settings")); - } - - PrintAndLogEx(SUCCESS, " AID : " _GREEN_("%02X %02X %02X"), aid[0], aid[1], aid[2]); - for (int m = 0; m < dfname_count; m++) { - if (dfnames[m].aid[0] == aid[0] && dfnames[m].aid[1] == aid[1] && dfnames[m].aid[2] == aid[2]) { - PrintAndLogEx(SUCCESS, " - DF " _YELLOW_("%02X %02X") " Name : " _YELLOW_("%s"), dfnames[m].fid[0], dfnames[m].fid[1], dfnames[m].name); - } - } + PrintAndLogEx(SUCCESS, " AID %d : " _GREEN_("%02X %02X %02X"), i, app_ids[i], app_ids[i + 1], app_ids[i + 2]); getKeySettings(aid); - - if (get_desfire_select_application(aid) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_(" Can't select AID")); - DropField(); - return PM3_ESOFT; - } - // Get File IDs if (get_desfire_fileids(file_ids, &file_ids_len) == PM3_SUCCESS) { PrintAndLogEx(SUCCESS, " Tag report " _GREEN_("%d") "file%c", file_ids_len, (file_ids_len == 1) ? ' ' : 's'); for (int j = 0; j < file_ids_len; ++j) { PrintAndLogEx(SUCCESS, " Fileid %d (0x%02x)", file_ids[j], file_ids[j]); - - uint8_t filesettings[20] = {0}; - int fileset_len = 0; - int res = get_desfire_filesettings(j, filesettings, &fileset_len); - if (res == PM3_SUCCESS) { - PrintAndLogEx(INFO, " Settings [%u] %s", fileset_len, sprint_hex(filesettings, fileset_len)); - } } } - - - /* // Get ISO File IDs { 
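Review bot: After `getKeySettings(aid)` the loop calls get_desfire_fileids unconditionally, but getKeySettings returns void and, per its body elsewhere in this diff, prints a warning and drops the field when the select fails. With the explicit `get_desfire_select_application(aid)` check removed, a failed select is no longer visible here, so the file-ID query may run with the field off or against a different application than the AID just printed. Either keep a select-and-check before the file-ID query or have getKeySettings return a status the loop can test. The loop header and the end of the function are outside the hunk.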
@@ -826,90 +713,70 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) { DropField(); return PM3_SUCCESS; } +/* + uint8_t cmd[3 + 16] = {0xa8, 0x90, 0x90, 0x00}; + int res = ExchangeRAW14a(cmd, sizeof(cmd), false, false, data, sizeof(data), &datalen, false); + + if (!res && datalen > 1 && data[0] == 0x09) { + SLmode = 0; + } + +*/ + + // MIAFRE DESFire Authentication // #define BUFSIZE 256 static int CmdHF14ADesAuth(const char *Cmd) { - clearCommandBuffer(); + // NR DESC KEYLENGHT // ------------------------ // 1 = DES 8 // 2 = 3DES 16 // 3 = 3K 3DES 24 // 4 = AES 16 - //SetAPDULogging(true); + uint8_t keylength = 8; + unsigned char key[24]; - CLIParserInit("hf mfdes auth", - "Authenticates Mifare DESFire using Key", - "Usage:\n\t-m Auth type (1=normal, 2=iso, 3=aes)\n\t-t Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)\n\t-a aid (3 bytes)\n\t-n keyno\n\t-k key (8-24 bytes)\n\n" - "Example:\n\thf mfdes auth -m 3 -t 4 -a 018380 -n 0 -k 404142434445464748494a4b4c4d4e4f\n" - ); - - void *argtable[] = { - arg_param_begin, - arg_int0("mM", "type", "Auth type (1=normal, 2=iso, 3=aes)", NULL), - arg_int0("tT", "algo", "Crypt algo (1=DES, 2=3DES, 3=3K3DES, 4=aes)", NULL), - arg_strx0("aA", "aid", "", "AID used for authentification"), - arg_int0("nN", "keyno", "Key number used for authentification", NULL), - arg_str0("kK", "key", "", "Key for checking (HEX 16 bytes)"), - arg_param_end - }; - CLIExecWithReturn(Cmd, argtable, true); - - uint8_t cmdAuthMode = arg_get_int_def(1, 0); - uint8_t cmdAuthAlgo = arg_get_int_def(2, 0); - - int aidlength = 3; - uint8_t aid[3] = {0}; - CLIGetHexWithReturn(3, aid, &aidlength); - - uint8_t cmdKeyNo = arg_get_int_def(4, 0); - - uint8_t key[24] = {0}; - int keylen = 0; - CLIGetHexWithReturn(5, key, &keylen); - CLIParserFree(); - - if ((keylen < 8) || (keylen > 24)) { - PrintAndLogEx(ERR, "Specified key must have 16 bytes length."); - //SetAPDULogging(false); - return PM3_EINVARG; - } - - // AID - if (aidlength != 3) { - 
PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3); - //SetAPDULogging(false); - return PM3_EINVARG; + if (strlen(Cmd) < 3) { + PrintAndLogEx(NORMAL, "Usage: hf mfdes auth <1|2|3> <1|2|3|4> "); + PrintAndLogEx(NORMAL, " Auth modes"); + PrintAndLogEx(NORMAL, " 1 = normal, 2 = iso, 3 = aes"); + PrintAndLogEx(NORMAL, " Crypto"); + PrintAndLogEx(NORMAL, " 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES"); + PrintAndLogEx(NORMAL, ""); + PrintAndLogEx(NORMAL, "Examples:"); + PrintAndLogEx(NORMAL, _YELLOW_(" hf mfdes auth 1 1 0 11223344")); + PrintAndLogEx(NORMAL, _YELLOW_(" hf mfdes auth 3 4 0 404142434445464748494a4b4c4d4e4f")); + return PM3_SUCCESS; } + uint8_t cmdAuthMode = param_get8(Cmd, 0); + uint8_t cmdAuthAlgo = param_get8(Cmd, 1); + uint8_t cmdKeyNo = param_get8(Cmd, 2); switch (cmdAuthMode) { case 1: if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); - //SetAPDULogging(false); return PM3_EINVARG; } break; case 2: if (cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); - //SetAPDULogging(false); return PM3_EINVARG; } break; case 3: if (cmdAuthAlgo != 4) { PrintAndLogEx(NORMAL, "Crypto algo not valid for the auth mode"); - //SetAPDULogging(false); return PM3_EINVARG; } break; default: - PrintAndLogEx(WARNING, "Wrong Auth mode (%d) -> (1=normal, 2=iso, 3=aes)", cmdAuthMode); - //SetAPDULogging(false); + PrintAndLogEx(WARNING, "Wrong Auth mode"); return PM3_EINVARG; } 
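Review bot: `cmdKeyNo` is taken directly from `param_get8(Cmd, 2)` and is not range-checked in the visible part of CmdHF14ADesAuth, although cmdhfmfdes.h defines `MAX_NUM_KEYS`. A guard such as `if (cmdKeyNo > MAX_NUM_KEYS) return PM3_EINVARG;` (or `>=`, depending on whether 0x0F is a count or the highest index) would reject bad input before it reaches the device. `unsigned char key[24];` also lost its zero initialiser, so any path that uses fewer than 24 bytes leaves the remainder indeterminate; `uint8_t key[24] = {0};` costs nothing. The short-input branch prints usage and returns PM3_SUCCESS, which hides a malformed invocation from scripts. The function continues past the end of the hunk.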
@@ -933,37 +800,21 @@ static int CmdHF14ADesAuth(const char *Cmd) { break; } - // KEY - if (keylen != keylength) { + // key + if (param_gethex(Cmd, 3, key, keylength * 2)) { PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength); return PM3_EINVARG; } - if (get_desfire_select_application(aid) != PM3_SUCCESS) { - PrintAndLogEx(WARNING, _RED_(" Can't select AID")); - DropField(); - return PM3_ESOFT; - } - - uint8_t file_ids[33] = {0}; - uint8_t file_ids_len = 0; - int res = get_desfire_fileids(file_ids, &file_ids_len); - if (res != PM3_SUCCESS) { - PrintAndLogEx(WARNING, "Get file ids error."); - DropField(); - return res; - } - - // algo, keylength, uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES) memcpy(data + 1, key, keylength); + clearCommandBuffer(); SendCommandOLD(CMD_HF_DESFIRE_AUTH1, cmdAuthMode, cmdAuthAlgo, cmdKeyNo, data, keylength + 1); PacketResponseNG resp; if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) { PrintAndLogEx(WARNING, "Client command execute timeout"); - DropField(); return PM3_ETIMEOUT; } @@ -982,15 +833,9 @@ static int CmdHF14ADesAuth(const char *Cmd) { return PM3_SUCCESS; } -static int CmdHF14ADesList(const char *Cmd) { - (void)Cmd; // Cmd is not used so far - return CmdTraceList("des"); -} - static command_t CommandTable[] = { {"help", CmdHelp, AlwaysAvailable, "This help"}, {"info", CmdHF14ADesInfo, IfPm3Iso14443a, "Tag information"}, - {"list", CmdHF14ADesList, AlwaysAvailable, "List DESFire (ISO 14443A) history"}, {"enum", CmdHF14ADesEnumApplications, IfPm3Iso14443a, "Tries enumerate all applications"}, {"auth", CmdHF14ADesAuth, IfPm3Iso14443a, "Tries a MIFARE DesFire Authentication"}, // {"rdbl", CmdHF14ADesRb, IfPm3Iso14443a, "Read MIFARE DesFire block"}, diff --git a/client/cmdhfmfdes.h b/client/cmdhfmfdes.h index 4f6605cff..5c4dcb5e2 100644 --- a/client/cmdhfmfdes.h +++ b/client/cmdhfmfdes.h 
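Review bot: The warning printed when `param_gethex(Cmd, 3, key, keylength * 2)` fails reports `keylength` as the number of hex symbols, but the call asks for `keylength * 2`; the message should be `PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength * 2);`. Separately, `key` and `data` hold the raw authentication key on the stack and are not cleared before the function returns; wiping them once the command has been sent is cheap hardening for a client that handles card keys. The timeout path also lost its `DropField()` call, so it is worth confirming that the firmware side turns the field off on its own. The function starts and ends outside the hunk.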
@@ -19,14 +19,50 @@ char *getProtocolStr(uint8_t id); char *getVersionStr(uint8_t major, uint8_t minor); void getKeySettings(uint8_t *aid); -// Ev1 card limits +#define CREATE_APPLICATION 0xca +#define DELETE_APPLICATION 0xda +#define GET_APPLICATION_IDS 0x6a +#define SELECT_APPLICATION 0x5a +#define FORMAT_PICC 0xfc +#define GET_VERSION 0x60 +#define READ_DATA 0xbd +#define WRITE_DATA 0x3d +#define GET_VALUE 0x6c +#define CREDIT 0x0c +#define DEBIT 0xdc +#define LIMITED_CREDIT 0x1c +#define WRITE_RECORD 0x3b +#define READ_RECORDS 0xbb +#define CLEAR_RECORD_FILE 0xeb +#define COMMIT_TRANSACTION 0xc7 +#define ABORT_TRANSACTION 0xa7 +#define GET_FREE_MEMORY 0x6e +#define GET_FILE_IDS 0x6f +#define GET_ISOFILE_IDS 0x61 +#define GET_FILE_SETTINGS 0xf5 +#define CHANGE_FILE_SETTINGS 0x5f +#define CREATE_STD_DATA_FILE 0xcd +#define CREATE_BACKUP_DATA_FILE 0xcb +#define CREATE_VALUE_FILE 0xcc +#define CREATE_LINEAR_RECORD_FILE 0xc1 +#define CREATE_CYCLIC_RECORD_FILE 0xc0 +#define DELETE_FILE 0xdf +#define AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE +#define AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD +#define AUTHENTICATE_AES 0xaa +#define CHANGE_KEY_SETTINGS 0x54 +#define GET_KEY_SETTINGS 0x45 +#define CHANGE_KEY 0xc4 +#define GET_KEY_VERSION 0x64 +#define AUTHENTICATION_FRAME 0xAF + #define MAX_NUM_KEYS 0x0F #define MAX_APPLICATION_COUNT 28 #define MAX_FILE_COUNT 32 #define MAX_FRAME_SIZE 60 +#define NOT_YET_AUTHENTICATED 255 #define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5) -#define NOT_YET_AUTHENTICATED 0xFF // status- and error codes | #define OPERATION_OK 0x00 // Successful operation diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index 71da93bcc..56963819c 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c 
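Review bot: The command codes are added as un-prefixed macros (`READ_DATA`, `CREDIT`, `DEBIT`, `DELETE_FILE`, ...) in a header, where they silently rewrite any identifier of the same spelling in every file that includes it. An `enum` with an `MFDES_` prefix avoids that and is visible in a debugger; the client code in this diff already mixes `MFDES_GET_KEY_SETTINGS` with bare `GET_FREE_MEMORY`, so one spelling should be chosen. `AUTHENTICATION_FRAME 0xAF` carries the same value the .c file refers to as `MFDES_ADDITIONAL_FRAME`, and a comment saying they are the same byte would prevent them drifting apart.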
@@ -10,9 +10,12 @@ //----------------------------------------------------------------------------- #include "cmdhfmfp.h" + #include + #include "cmdparser.h" // command_t #include "commonutil.h" // ARRAYLEN + #include "comms.h" #include "ui.h" #include "cmdhf14a.h" @@ -24,9 +27,6 @@ #include "mifare/mifaredefault.h" #include "util_posix.h" #include "fileutils.h" -#include "protocols.h" -#include "crypto/libpcrypto.h" - static const uint8_t DefaultKey[16] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; 
@@ -34,188 +34,21 @@ uint16_t CardAddresses[] = {0x9000, 0x9001, 0x9002, 0x9003, 0x9004, 0xA000, 0xA0 static int CmdHelp(const char *Cmd); -/* - The 7 MSBits (= n) code the storage size itself based on 2^n, - the LSBit is set to '0' if the size is exactly 2^n - and set to '1' if the storage size is between 2^n and 2^(n+1). - For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'. -*/ -static char *getCardSizeStr(uint8_t fsize) { - - static char buf[40] = {0x00}; - char *retStr = buf; - - uint16_t usize = 1 << ((fsize >> 1) + 1); - uint16_t lsize = 1 << (fsize >> 1); - - // is LSB set? - if (fsize & 1) - sprintf(retStr, "0x%02X ( " _YELLOW_("%d - %d bytes") ")", fsize, usize, lsize); - else - sprintf(retStr, "0x%02X ( " _YELLOW_("%d bytes") ")", fsize, lsize); - return buf; -} - -static char *getProtocolStr(uint8_t id) { - - static char buf[40] = {0x00}; - char *retStr = buf; - - if (id == 0x05) - sprintf(retStr, "0x%02X ( " _YELLOW_("ISO 14443-3, 14443-4") ")", id); - else - sprintf(retStr, "0x%02X ( " _YELLOW_("Unknown") ")", id); - return buf; -} - -static char *getVersionStr(uint8_t major, uint8_t minor) { - - static char buf[40] = {0x00}; - char *retStr = buf; - - if (major == 0x00) - sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire MF3ICD40") ")", major, minor); - else if (major == 0x01 && minor == 0x00) - sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV1") ")", major, minor); - else if (major == 0x12 && minor == 0x00) - sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV2") ")", major, minor); -// else if (major == 0x13 && minor == 0x00) -// sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire EV3") ")", major, minor); - else if (major == 0x30 && minor == 0x00) - sprintf(retStr, "%x.%x ( " _YELLOW_("DESFire Light") ")", major, minor); - - else if (major == 0x11 && minor == 0x00) - sprintf(retStr, "%x.%x ( " _YELLOW_("Plus EV1") ")", major, minor); - else - sprintf(retStr, "%x.%x ( " _YELLOW_("Unknown") ")", major, minor); - return buf; -} 
- -// --- GET SIGNATURE -static int plus_print_signature(uint8_t *uid, uint8_t uidlen, uint8_t *signature, int signature_len) { - - // ref: MIFARE Plus EV1 Originality Signature Validation - #define PUBLIC_PLUS_ECDA_KEYLEN 57 - const ecdsa_publickey_t nxp_plus_public_keys[] = { - {"Mifare Plus EV1", "044409ADC42F91A8394066BA83D872FB1D16803734E911170412DDF8BAD1A4DADFD0416291AFE1C748253925DA39A5F39A1C557FFACD34C62E"} - }; - - uint8_t i; - int res; - bool is_valid = false; - - for (i = 0; i < ARRAYLEN(nxp_plus_public_keys); i++) { - - int dl = 0; - uint8_t key[PUBLIC_PLUS_ECDA_KEYLEN]; - param_gethex_to_eol(nxp_plus_public_keys[i].value, 0, key, PUBLIC_PLUS_ECDA_KEYLEN, &dl); - - res = ecdsa_signature_r_s_verify(MBEDTLS_ECP_DP_SECP224R1, key, uid, uidlen, signature, signature_len, false); - is_valid = (res == 0); - if (is_valid) - break; - } - if (is_valid == false) { - PrintAndLogEx(SUCCESS, "Signature verification " _RED_("failed")); - return PM3_ESOFT; - } - - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(INFO, "--- " _CYAN_("Tag Signature")); - PrintAndLogEx(INFO, " IC signature public key name: " _GREEN_("%s"), nxp_plus_public_keys[i].desc); - PrintAndLogEx(INFO, "IC signature public key value: %.32s", nxp_plus_public_keys[i].value); - PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 16); - PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 32); - PrintAndLogEx(INFO, " : %.32s", nxp_plus_public_keys[i].value + 48); - PrintAndLogEx(INFO, " Elliptic curve parameters: NID_secp224r1"); - PrintAndLogEx(INFO, " TAG IC Signature: %s", sprint_hex_inrow(signature, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 16, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 32, 16)); - PrintAndLogEx(INFO, " : %s", sprint_hex_inrow(signature + 48, signature_len - 48)); - PrintAndLogEx(SUCCESS, " Signature verified: " _GREEN_("successful")); - return PM3_SUCCESS; -} - -static int get_plus_signature(uint8_t *signature, int 
*signature_len) { - - mfpSetVerboseMode(false); - - uint8_t data[59] = {0}; - int resplen = 0, retval = PM3_SUCCESS; - MFPGetSignature(true, false, data, sizeof(data), &resplen); - - if (resplen == 59) { - memcpy(signature, data + 1, 56); - *signature_len = 56; - } else { - *signature_len = 0; - retval = PM3_ESOFT; - } - mfpSetVerboseMode(false); - return retval; -} -// GET VERSION -static int plus_print_version(uint8_t *version) { - PrintAndLogEx(SUCCESS, " UID: " _GREEN_("%s"), sprint_hex(version + 14, 7)); - PrintAndLogEx(SUCCESS, " Batch number: " _GREEN_("%s"), sprint_hex(version + 21, 5)); - PrintAndLogEx(SUCCESS, " Production date: week " _GREEN_("%02x") "/ " _GREEN_("20%02x"), version[7+7+7+5], version[7+7+7+5+1]); - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(INFO, "--- " _CYAN_("Hardware Information")); - PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0])); - PrintAndLogEx(INFO, " Type: " _YELLOW_("0x%02X"), version[1]); - PrintAndLogEx(INFO, " Subtype: " _YELLOW_("0x%02X"), version[2]); - PrintAndLogEx(INFO, " Version: %s", getVersionStr(version[3], version[4])); - PrintAndLogEx(INFO, " Storage size: %s", getCardSizeStr(version[5])); - PrintAndLogEx(INFO, " Protocol: %s", getProtocolStr(version[6])); - PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(INFO, "--- " _CYAN_("Software Information")); - PrintAndLogEx(INFO, " Vendor Id: " _YELLOW_("%s"), getTagInfo(version[0])); - PrintAndLogEx(INFO, " Type: " _YELLOW_("0x%02X"), version[1]); - PrintAndLogEx(INFO, " Subtype: " _YELLOW_("0x%02X"), version[2]); - PrintAndLogEx(INFO, " Version: " _YELLOW_("%d.%d"), version[3], version[4]); - PrintAndLogEx(INFO, " Storage size: %s", getCardSizeStr(version[5])); - PrintAndLogEx(INFO, " Protocol: %s", getProtocolStr(version[6])); - return PM3_SUCCESS; -} -static int get_plus_version(uint8_t *version, int *version_len) { - - int resplen = 0, retval = PM3_SUCCESS; - mfpSetVerboseMode(false); - MFPGetVersion(true, false, version, *version_len, &resplen); 
- mfpSetVerboseMode(false); - - *version_len = resplen; - if (resplen != 28) { - retval = PM3_ESOFT; - } - return retval; -} - static int CmdHFMFPInfo(const char *Cmd) { if (Cmd && strlen(Cmd) > 0) PrintAndLogEx(WARNING, "command don't have any parameters.\n"); PrintAndLogEx(NORMAL, ""); - PrintAndLogEx(INFO, "--- " _CYAN_("Tag Information") "---------------------------"); + PrintAndLogEx(INFO, "-- Mifare Plus Tag Information ------------------------------"); PrintAndLogEx(INFO, "-------------------------------------------------------------"); - bool supportVersion = false; - bool supportSignature = false; + // info about 14a part + infoHF14A(false, false, false); - // version check - uint8_t version[30] = {0}; - int version_len = sizeof(version); - if (get_plus_version(version, &version_len) == PM3_SUCCESS) { - plus_print_version(version); - supportVersion = true; - } else { - // info about 14a part - infoHF14A(false, false, false); - } - // Mifare Plus info SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT, 0, 0, NULL, 0); + PacketResponseNG resp; WaitForResponse(CMD_ACK, &resp); 
@@ -224,60 +57,55 @@ static int CmdHFMFPInfo(const char *Cmd) { uint64_t select_status = resp.oldarg[0]; // 0: couldn't read, 1: OK, with ATS, 2: OK, no ATS, 3: proprietary Anticollision - // Signature originality check - uint8_t signature[56] = {0}; - int signature_len = sizeof(signature); - if (get_plus_signature(signature, &signature_len) == PM3_SUCCESS) { - plus_print_signature(card.uid, card.uidlen, signature, signature_len); - supportSignature = true; - } - if (select_status == 1 || select_status == 2) { - PrintAndLogEx(INFO, "--- " _CYAN_("Fingerprint")); - - if (supportVersion && supportSignature) { - PrintAndLogEx(INFO, " Tech: " _GREEN_("MIFARE Plus EV1")); - } else { - PrintAndLogEx(INFO, " Tech: " _YELLOW_("MIFARE Plus SE/X")); - } + PrintAndLogEx(INFO, "-------------------------------------------------------------"); + PrintAndLogEx(INFO, " Fingerprint"); // MIFARE Type Identification Procedure // https://www.nxp.com/docs/en/application-note/AN10833.pdf uint16_t ATQA = card.atqa[0] + (card.atqa[1] << 8); bool isPlus = false; - if (ATQA & 0x0004) { - PrintAndLogEx(INFO, " SIZE: " _GREEN_("2K") "(%s UID)", (ATQA & 0x0040) ? "7" : "4"); + if (ATQA == 0x0004) { + PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 2K") " (4b UID)"); isPlus = true; } - if (ATQA & 0x0002) { - PrintAndLogEx(INFO, " SIZE: " _GREEN_("4K") "(%s UID)", (ATQA & 0x0040) ? 
"7" : "4"); + if (ATQA == 0x0002) { + PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 4K") " (4b UID)"); + isPlus = true; + } + if (ATQA == 0x0044) { + PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 2K") " (7b UID)"); + isPlus = true; + } + if (ATQA == 0x0042) { + PrintAndLogEx(INFO, " ATQA - " _GREEN_("Mifare Plus 4K") " (7b UID)"); isPlus = true; } - uint8_t SLmode = 0xFF; + uint8_t SLmode = 0xff; if (isPlus) { if (card.sak == 0x08) { - PrintAndLogEx(INFO, " SAK: " _GREEN_("2K 7b UID")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 2K 7b UID")); if (select_status == 2) SLmode = 1; } if (card.sak == 0x18) { - PrintAndLogEx(INFO, " SAK: " _GREEN_("4K 7b UID")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 4K 7b UID")); if (select_status == 2) SLmode = 1; } if (card.sak == 0x10) { - PrintAndLogEx(INFO, " SAK: " _GREEN_("2K")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 2K")); if (select_status == 2) SLmode = 2; } if (card.sak == 0x11) { - PrintAndLogEx(INFO, " SAK: " _GREEN_("4K")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus 4K")); if (select_status == 2) SLmode = 2; } } if (card.sak == 0x20) { - PrintAndLogEx(INFO, " SAK: " _GREEN_("MIFARE Plus SL0/SL3") "or " _GREEN_("MIFARE DESFire")); + PrintAndLogEx(INFO, " SAK - " _GREEN_("Mifare Plus SL0/SL3") "or " _GREEN_("Mifare DESFire")); if (card.ats_len > 0) { @@ -290,7 +118,7 @@ static int CmdHFMFPInfo(const char *Cmd) { int res = ExchangeRAW14a(cmd, sizeof(cmd), true, false, data, sizeof(data), &datalen, false); if (memcmp(data, "\x67\x00", 2) == 0) { - PrintAndLogEx(INFO, "\tMost likely a MIFARE DESFire tag"); + PrintAndLogEx(INFO, "\tMost likely a Mifare DESFire tag"); PrintAndLogEx(HINT, "Hint: Try " _YELLOW_("`hf mfdes info`")); DropField(); return PM3_SUCCESS; 
@@ -302,35 +130,33 @@ static int CmdHFMFPInfo(const char *Cmd) { } } - if (isPlus) { - // How do we detect SL0 / SL1 / SL2 / SL3 modes?!? - PrintAndLogEx(INFO, "--- " _CYAN_("Security Level (SL)")); - - if (SLmode != 0xFF ) - PrintAndLogEx(SUCCESS, " SL mode: " _YELLOW_("SL%d"), SLmode); - else - PrintAndLogEx(WARNING, " SL mode: " _YELLOW_("unknown")); - switch(SLmode) { - case 0: - PrintAndLogEx(INFO, " SL 0: initial delivery configuration, used for card personalization"); - break; - case 1: - PrintAndLogEx(INFO, " SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication"); - break; - case 2: - PrintAndLogEx(INFO, " SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1"); - break; - case 3: - PrintAndLogEx(INFO, " SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method."); - break; - default: - break; - } + // How do we detect SL0 / SL1 / SL2 / SL3 modes?!? 
+ PrintAndLogEx(INFO, "Security Level (SL)"); + switch(SLmode) { + case 0: + PrintAndLogEx(INFO, "SL 0: initial delivery configuration, used for card personalization"); + break; + case 1: + PrintAndLogEx(INFO, "SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication"); + break; + case 2: + PrintAndLogEx(INFO, "SL 2: 3-Pass Authentication based on AES followed by MIFARE CRYPTO1 authentication, communication secured by MIFARE CRYPTO1"); + break; + case 3: + PrintAndLogEx(INFO, "SL 3: 3-Pass authentication based on AES, data manipulation commands secured by AES encryption and an AES based MACing method."); + break; + default: + break; } + + if (SLmode != 0xFF) + PrintAndLogEx(SUCCESS, "\tMifare Plus SL mode: " _YELLOW_("SL%d"), SLmode); + else + PrintAndLogEx(WARNING, "\tMifare Plus SL mode: " _YELLOW_("unknown")); } else { PrintAndLogEx(INFO, "\tMifare Plus info not available."); } - PrintAndLogEx(NORMAL, ""); + DropField(); return PM3_SUCCESS; } diff --git a/client/emv/apduinfo.c b/client/emv/apduinfo.c index b64696628..35735fb47 100644 --- a/client/emv/apduinfo.c +++ b/client/emv/apduinfo.c @@ -503,17 +503,7 @@ void APDUPrint(APDUStruct apdu) { void APDUPrintEx(APDUStruct apdu, size_t maxdatalen) { PrintAndLogEx(INFO, "APDU: %scase=0x%02x cla=0x%02x ins=0x%02x p1=0x%02x p2=0x%02x Lc=0x%02x(%d) Le=0x%02x(%d)", - apdu.extended_apdu ? "[e]" : "", - apdu.case_type, - apdu.cla, - apdu.ins, - apdu.p1, - apdu.p2, - apdu.lc, - apdu.lc, - apdu.le, - apdu.le - ); + apdu.extended_apdu ? "[e]" : "", apdu.case_type, apdu.cla, apdu.ins, apdu.p1, apdu.p2, apdu.lc, apdu.lc, apdu.le, apdu.le); if (maxdatalen > 0) PrintAndLogEx(INFO, "data: %s%s", sprint_hex(apdu.data, MIN(apdu.lc, maxdatalen)), apdu.lc > maxdatalen ? "..." : ""); } diff --git a/client/emv/emvcore.c b/client/emv/emvcore.c index 852d801c7..fe5ff3a31 100644 --- a/client/emv/emvcore.c +++ b/client/emv/emvcore.c 
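Review bot: With the `if (isPlus)` guard dropped, the "Security Level (SL)" heading and the `Mifare Plus SL mode: unknown` warning are printed for every card that passes the `select_status` check, including cards whose ATQA matched none of the four MIFARE Plus values. Someone reading the output could take that as a security-level finding about a card that was never identified as MIFARE Plus. I would keep the section wrapped in `if (isPlus) {` … `}`. In the visible hunks `SLmode` is only ever set to 1 or 2, so `case 0` and `case 3` look unreachable, and the comparison uses `0xFF` while the initialiser was changed to `0xff`. CmdHFMFPInfo starts outside this hunk.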
@@ -136,10 +136,6 @@ void SetAPDULogging(bool logging) { APDULogging = logging; } -bool GetAPDULogging(void) { - return APDULogging; -} - enum CardPSVendor GetCardPSVendor(uint8_t *AID, size_t AIDlen) { char buf[100] = {0}; if (AIDlen < 1) diff --git a/client/emv/emvcore.h b/client/emv/emvcore.h index 1c422e483..d5dccd037 100644 --- a/client/emv/emvcore.h +++ b/client/emv/emvcore.h @@ -57,7 +57,6 @@ struct tlvdb *GetPANFromTrack2(const struct tlv *track2); struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2); void SetAPDULogging(bool logging); -bool GetAPDULogging(void); // exchange int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv); diff --git a/client/luascripts/legic.lua b/client/luascripts/legic.lua index 393cc9e52..7e0f8d3be 100644 --- a/client/luascripts/legic.lua +++ b/client/luascripts/legic.lua @@ -91,20 +91,14 @@ CRC1 = crc8 over addr 0x00..0x03+0x07..0x0E (special 'gantner crc8') CRC2 = MCD + MSB0..2+ addr 0x06 + addr 0x05 + addr 0x07 + Stamp (regular Master-Token-CRC) --]] ---[[ -Known issues; needs to be fixed: -* last byte in last segment is handled incorrectly when it is the last bytes on the card itself (MIM256: => byte 256) ---]] - example = "script run legic" -author = "Mosci, uhei" -version = "1.0.4" +author = "Mosci" +version = "1.0.3" desc = [[ This script helps you to read, create and modify Legic Prime Tags (MIM22, MIM256, MIM1024) -The virtual tag (and therefore the file to be saved) is always a MIM1024 tag. it's kinda interactive with following commands in three categories: Data I/O Segment Manipulation Token-Data 
@@ -114,8 +108,8 @@ it's kinda interactive with following commands in three categories: ed => edit Segment Data tk => toggle KGH-Flag File I/O rs => remove Segment ----------------- cc => check Segment-CRC - lf => load bin File ck => check KGH - sf => save eml/bin File ds => dump Segments + lf => load File ck => check KGH + sf => save File ds => dump Segments xf => xor to File @@ -134,8 +128,8 @@ it's kinda interactive with following commands in three categories: without the need of changing anything - MCD,MSN,MCC will be read from the tag before and applied to the output. - lf: 'load file' - load a (xored) binary file (*.bin) from the local Filesystem into the 'virtual inTag' - sf: 'save file' - saves the 'virtual inTag' to the local Filesystem as eml and bin (xored with Tag-MCC) + lf: 'load file' - load a (xored) file from the local Filesystem into the 'virtual inTag' + sf: 'save file' - saves the 'virtual inTag' to the local Filesystem (xored with Tag-MCC) xf: 'xor file' - saves the 'virtual inTag' to the local Filesystem (xored with choosen MCC - use '00' for plain values) ct: 'copy tag' - copy the 'virtual Tag' to a second 'virtual TAG' - not usefull yet, but inernally needed @@ -248,16 +242,6 @@ function istable(t) return type(t) == 'table' end ---- --- To have two char string for a byte -local function padString(str) - if (#str == 1) then - return '0'..str - end - - return str -end - --- -- creates a 'deep copy' of a table (a=b only references) function deepCopy(object) 
@@ -403,15 +387,15 @@ end function bytesToTag(bytes, tag) if istable(tag) == false then return oops("tag is no table in: bytesToTag ("..type(tag)..")") end - tag.MCD =padString(bytes[1]); - tag.MSN0=padString(bytes[2]); - tag.MSN1=padString(bytes[3]); - tag.MSN2=padString(bytes[4]); - tag.MCC =padString(bytes[5]); - tag.DCFl=padString(bytes[6]); - tag.DCFh=padString(bytes[7]); - tag.raw =padString(bytes[8]); - tag.SSC =padString(bytes[9]); + tag.MCD =bytes[1]; + tag.MSN0=bytes[2]; + tag.MSN1=bytes[3]; + tag.MSN2=bytes[4]; + tag.MCC =bytes[5]; + tag.DCFl=bytes[6]; + tag.DCFh=bytes[7]; + tag.raw =bytes[8]; + tag.SSC =bytes[9]; tag.Type=getTokenType(tag.DCFl); tag.OLE=bbit("0x"..tag.DCFl,7,1) tag.WRP=("%d"):format(bbit("0x"..bytes[8],0,4)) 
@@ -516,26 +500,42 @@ function tagToBytes(tag) return bytes end +--- PM3 I/O --- +--- +-- read from pm3 into virtual-tag +function readFromPM3() + local tag, bytes, infile + infile="legic.temp" + -- core.console("hf legic reader") + -- core.console("hf legic esave "..infile) + core.console("hf legic dump o "..infile) + tag=readFile(infile..".bin") + return tag +end + +local function padString(str) + if (#str == 1) then + return '0'..str + end + + return str +end --- ---- PM3 I/O --- -- write virtual Tag to real Tag function writeToTag(tag) local bytes + local filename = 'MylegicClone.hex' local taglen = 22 - local writeDCF = false - if(utils.confirm(acred.."\nPlace the (empty) Tag onto the PM3\nand confirm writing to this Tag: "..acoff) == false) then + if(utils.confirm(acred.."\nplace the (empty) Tag onto the PM3\nand confirm writing to this Tag: "..acoff) == false) then return end - if(utils.confirm(acred.."\nShould the decremental field (DCF) be written?: "..acoff) == true) then - writeDCF = true - end -- get used bytes / tag-len if (istable(tag.SEG)) then if (istable(tag.Bck)) then for i=0, #tag.SEG do - taglen = taglen + tag.SEG[i] . len + taglen = taglen + tag.SEG[i] . len + 5 end end local uid_old = tag.MCD..tag.MSN0..tag.MSN1..tag.MSN2 
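Review bot: `readFromPM3` dumps the card to the fixed name `legic.temp` in the working directory and never deletes it, so the tag contents stay on disk after the script exits and an existing file of that name is silently reused. A per-run name, `infile = os.tmpname()`, followed by `os.remove(infile..".bin")` once `readFile` has returned, would avoid both. Which suffixes the dump command writes is not visible here, so the list of files to remove needs checking. The `bytes` local declared in that function is unused, and `writeToTag` continues past the end of this hunk.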
@@ -571,32 +571,37 @@ function writeToTag(tag) bytes[22] = calcMtCrc(bytes) end if (bytes) then - bytes = xorBytes(bytes,tag.MCC) + print("write temp-file '"..filename.."'") + print(accyan) + writeFile(bytes, filename..".bin") + print(acoff) end end - -- write data to file if (taglen > 0) then WriteBytes = input(acyellow.."enter number of bytes to write?"..acoff, taglen) + -- load file into pm3-buffer + if (type(filename) ~= "string") then + filename = input(acyellow.."filename to load to pm3-buffer?"..acoff, "legic.temp") + end + + cmd = 'hf legic eload 2 '..filename + core.console(cmd) -- write pm3-buffer to Tag - for i=1, WriteBytes do - if (i > 7) then - cmd = ("hf legic wrbl o %02x d %s "):format(i-1, padString(bytes[i])) + for i=0, WriteBytes do + if (i > 6) then + cmd = ("hf legic write o %x d %s "):format(i, padString(bytes[i])) print(acgreen..cmd..acoff) core.console(cmd) core.clearCommandBuffer() - elseif (i == 7) then - if (writeDCF) then - -- write DCF in reverse order (requires 'mosci-patch') - cmd = ('hf legic wrbl o 05 d %s%s'):format(padString(bytes[i-1]), padString(bytes[i])) - print(acgreen..cmd..acoff) - core.console(cmd) - core.clearCommandBuffer() - else - print(acgreen.."skip byte 0x05-0x06 - DCF"..acoff) - end elseif (i == 6) then + -- write DCF in reverse order (requires 'mosci-patch') + cmd = ('hf legic write o 05 d %s%s'):format(padString(bytes[i-1]), padString(bytes[i])) + print(acgreen..cmd..acoff) + core.console(cmd) + core.clearCommandBuffer() + elseif (i == 5) then print(acgreen.."skip byte 0x05 - will be written next step"..acoff) else print(acgreen.."skip byte 0x00-0x04 - unwritable area"..acoff) 
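Review bot: The write loop now counts from 0 but still indexes `bytes` as a 1-based table, so each byte is sent to the offset one above its own. `bytesToTag` in this diff reads MCC from `bytes[5]` and the DCF from `bytes[6]` and `bytes[7]`, which means the `i == 6` branch writes MCC and DCFl to offset 05 instead of the two DCF bytes. I would keep `for i = 1, WriteBytes do`, pass `i - 1` as the offset in `("hf legic write o %x d %s "):format(i - 1, padString(bytes[i]))`, and move the branch tests back to 7 and 6. The DCF write is also no longer behind a confirmation although the field is described as decremental, so a prompt before that command would be the safer default. writeToTag starts and ends outside this hunk.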
@@ -636,12 +641,12 @@ end local function save_BIN(data, filename) local outfile local counter = 1 - local ext = ".bin" - local fn = filename..ext + local ext = filename:match("^.+(%..+)$") or '' + local fn = filename -- Make sure we don't overwrite a file while file_check(fn) do - fn = filename..ext:gsub(ext, "-"..tostring(counter)..ext) + fn = filename:gsub(ext, tostring(counter)..ext) counter = counter + 1 end @@ -659,27 +664,26 @@ end --- -- write bytes to file function writeFile(bytes, filename) - local emlext = ".eml" - if (filename ~= 'MyLegicClone') then - if (file_check(filename..emlext)) then - local answer = confirm("\nthe output-file "..filename..emlext.." already exists!\nthis will delete the previous content!\ncontinue?") + if (filename ~= 'MylegicClone.hex') then + if (file_check(filename)) then + local answer = confirm("\nthe output-file "..filename.." already exists!\nthis will delete the previous content!\ncontinue?") if not answer then return print("user abort") end end end local line local bcnt = 0 - local fho, err = io.open(filename..emlext, "w") + local fho, err = io.open(filename, "w") if err then - return oops("OOps ... failed to open output-file ".. filename..emlext) + return oops("OOps ... failed to open output-file ".. filename) end bytes = xorBytes(bytes, bytes[5]) for i = 1, #bytes do if (bcnt == 0) then - line = padString(bytes[i]) + line = bytes[i] elseif (bcnt <= 7) then - line = line.." "..padString(bytes[i]) + line = line.." "..bytes[i] end if (bcnt == 7) then -- write line to new file @@ -695,7 +699,7 @@ function writeFile(bytes, filename) -- save binary local fn_bin, fn_bin_num = save_BIN(bytes, filename) - print("\nwrote "..acyellow..(#bytes * 3)..acoff.." bytes to " ..acyellow..filename..emlext..acoff) + print("\nwrote "..acyellow..(#bytes * 3)..acoff.." bytes to " ..acyellow..filename..acoff) if fn_bin and fn_bin_num then print("\nwrote "..acyellow..fn_bin_num..acoff.." bytes to BINARY file "..acyellow..fn_bin..acoff) 
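Review bot: In `save_BIN` the extension is handed to `gsub` as a Lua pattern, so the `.` in it matches any character. For a name without an extension `ext` is `''`, and the substitution then inserts the counter at every position of the name. Building the candidate by concatenation avoids pattern matching altogether: `local base = filename:sub(1, #filename - #ext)` before the loop and `fn = base.."-"..tostring(counter)..ext` inside it. The rest of `save_BIN` is outside this hunk.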
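Review bot: The overwrite prompt in `writeFile` is skipped only when the name equals `'MylegicClone.hex'`, but `writeToTag` in this same diff calls `writeFile(bytes, filename..".bin")`, so the name that arrives is `MylegicClone.hex.bin` and the exemption never applies. Either pass the bare name from `writeToTag` or compare against the name that is actually passed. Separately, `line = bytes[i]` drops the `padString` call; if an entry can be a single hex digit the text dump loses its two-characters-per-byte layout, which I cannot confirm from this hunk. writeFile continues outside the hunk.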
@@ -704,21 +708,6 @@ function writeFile(bytes, filename) return true end ---- --- read from pm3 into virtual-tag -function readFromPM3() - local tag, bytes, infile - --infile="legic.temp" - infile=os.tmpname() - core.console("hf legic dump f "..infile) - tag=readFile(infile..".bin") - os.remove(infile) - os.remove(infile..".bin") - os.remove(infile..".eml") - os.remove(infile..".json") - return tag -end - --- Map related --- --- -- make tagMap @@ -2276,8 +2265,8 @@ function modifyHelp() ed => edit Segment Data tk => toggle KGH-Flag File I/O rs => remove Segment ----------------- cc => check Segment-CRC - lf => load bin File ck => check KGH - sf => save eml/bin File ds => dump Segments + lf => load File ck => check KGH + sf => save File ds => dump Segments xf => xor to File @@ -2363,10 +2352,10 @@ function modifyMode() -- save values of mainTAG to a file (xored with MCC of mainTAG) ["sf"] = function(x) if istable(inTAG) then - outfile = input("enter filename:", "hf-legic-"..inTAG.MCD..inTAG.MSN0..inTAG.MSN1..inTAG.MSN2) + outfile = input("enter filename:", "legic.temp") bytes = tagToBytes(inTAG) --bytes=xorBytes(bytes, inTAG.MCC) - if (bytes) then + if bytes then writeFile(bytes, outfile) end end @@ -2375,7 +2364,7 @@ function modifyMode() -- save values of mainTAG to a file (xored with 'specific' MCC) ["xf"] = function(x) if istable(inTAG) then - outfile = input("enter filename:", "hf-legic-"..inTAG.MCD..inTAG.MSN0..inTAG.MSN1..inTAG.MSN2) + outfile = input("enter filename:", "legic.temp") crc = input("enter new crc: ('00' for a plain dump)", inTAG.MCC) print("obfuscate with: "..crc) bytes=tagToBytes(inTAG) diff --git a/client/mifare/mifare4.c b/client/mifare/mifare4.c index 848528611..966a2027d 100644 --- a/client/mifare/mifare4.c +++ b/client/mifare/mifare4.c 
@@ -429,46 +429,6 @@ int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *data return 0; } -int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { - uint8_t c[] = {0x3c, 0x00}; - return intExchangeRAW14aPlus(c, sizeof(c), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); -} - -int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { - uint8_t tmp[20] = {0}; - uint8_t c[] = {0x60}; - int res = intExchangeRAW14aPlus(c, sizeof(c), activateField, true, tmp, maxdataoutlen, dataoutlen); - if (res != 0) { - DropField(); - *dataoutlen = 0; - return res; - } - - memcpy(dataout, tmp + 1, (*dataoutlen - 3)); - - *dataoutlen = 0; - // MFDES_ADDITIONAL_FRAME - if (tmp[0] == 0xAF) { - c[0] = 0xAF; - res = intExchangeRAW14aPlus(c, sizeof(c), false, true, tmp, maxdataoutlen, dataoutlen); - if (res == 0) { - - memcpy(dataout + 7, tmp + 1, (*dataoutlen - 3)); - - // MFDES_ADDITIONAL_FRAME - res = intExchangeRAW14aPlus(c, sizeof(c), false, false, tmp, maxdataoutlen, dataoutlen); - if (res == 0) { - if (tmp[0] == 0x90) { - memcpy(dataout + 7 + 7, tmp + 1, (*dataoutlen - 3)); - *dataoutlen = 28; - } - } - } - } - DropField(); - return res; -} - // Mifare Memory Structure: up to 32 Sectors with 4 blocks each (1k and 2k cards), // plus evtl. 8 sectors with 16 blocks each (4k cards) uint8_t mfNumBlocksPerSector(uint8_t sectorNo) { diff --git a/client/mifare/mifare4.h b/client/mifare/mifare4.h index 0c3e08458..cb2c8d652 100644 --- a/client/mifare/mifare4.h +++ b/client/mifare/mifare4.h 
@@ -59,9 +59,6 @@ int MFPReadBlock(mf4Session_t *session, bool plain, uint8_t blockNum, uint8_t bl int MFPWriteBlock(mf4Session_t *session, uint8_t blockNum, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac); int mfpReadSector(uint8_t sectorNo, uint8_t keyType, uint8_t *key, uint8_t *dataout, bool verbose); -int MFPGetSignature(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen); -int MFPGetVersion(bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen); - const char *mfGetAccessConditionsDesc(uint8_t blockn, uint8_t *data); uint8_t mfNumBlocksPerSector(uint8_t sectorNo); diff --git a/client/settings.c b/client/settings.c index 79fa00fd1..976121eed 100644 --- a/client/settings.c +++ b/client/settings.c @@ -44,7 +44,8 @@ #include "emv/emvjson.h" // Load all settings into memory (struct) -int settings_load (void) { +int settings_load (void) +{ // loadFileJson wants these, so pass in place holder values, though not used // in settings load; uint8_t dummyData = 0x00; 
@@ -67,27 +68,25 @@ int settings_load (void) { int window_ypos; int window_hsize; int window_wsize; - bool use_emojis - bool use_hints */ - printf (" Settings Version : [%s]\n", mySettings.version); - printf (" os_windows_usecolor (bool) : [%d]\n", mySettings.os_windows_usecolor); - printf (" os_windows_useAnsicolor (bool) : [%d]\n", mySettings.os_windows_useansicolor); - printf (" window_xpos (int) : [%d]\n", mySettings.window_xpos); - printf (" window_ypos (int) : [%d]\n", mySettings.window_ypos); - printf (" window_hsize (int) : [%d]\n", mySettings.window_hsize); - printf (" window_wsize (int) : [%d]\n", mySettings.window_wsize); - printf (" use emoji (bool) : [%d]\n", mySettings.use_emojis); - printf (" use hints (bool) : [%d]\n", mySettings.use_hints); + printf (" Settings Version : [%s]\n",mySettings.version); + printf (" os_windows_usecolor (bool) : [%d]\n",mySettings.os_windows_usecolor); + printf (" os_windows_useAnsicolor (bool) : [%d]\n",mySettings.os_windows_useansicolor); + printf (" window_xpos (int) : [%d]\n",mySettings.window_xpos); + printf (" window_ypos (int) : [%d]\n",mySettings.window_ypos); + printf (" window_hsize (int) : [%d]\n",mySettings.window_hsize); + printf (" window_wsize (int) : [%d]\n",mySettings.window_wsize); + return PM3_SUCCESS; } // Save all settings from memory (struct) to file -int settings_save(void) { +int settings_save (void) +{ // Note sure if backup has value ? char backupFilename[500]; - snprintf(backupFilename, sizeof(backupFilename),"%s.bak",settingsFilename); + snprintf (backupFilename,sizeof(backupFilename),"%s.bak",settingsFilename); if (fileExists (backupFilename)) { if (remove (backupFilename) != 0) { 
@@ -106,14 +105,18 @@ int settings_save(void) { uint8_t dummyData = 0x00; size_t dummyDL = 0x00; + // int saveFileJSON(const char *preferredName, JSONFileType ftype, uint8_t *data, size_t datalen); + if (saveFileJSON(settingsFilename, jsfSettings, &dummyData, dummyDL) == PM3_SUCCESS) PrintAndLogEx (NORMAL, "settings have been saved to \"%s\"",settingsFilename); return PM3_SUCCESS; } -void settings_save_callback(json_t *root) { - +void settings_save_callback (json_t *root) +{ + // extern settings_t mySettings; + printf ("==> Save Settings\n"); //JsonSaveStr(root, "FileType", "settings"); //JsonSaveStr (root,"Test1.Test2","test settings"); 
@@ -128,24 +131,23 @@ void settings_save_callback(json_t *root) { */ JsonSaveStr (root,"FileType","settings"); JsonSaveStr (root,"version","1.0 Nov 2019");//mySettings.version); - JsonSaveBoolean (root,"os.windows.useColor", mySettings.os_windows_usecolor); - JsonSaveBoolean (root,"os.windows.useAnsiColor", mySettings.os_windows_useansicolor); - JsonSaveInt (root,"window.xpos", mySettings.window_xpos); - JsonSaveInt (root,"window.ypos", mySettings.window_ypos); - JsonSaveInt (root,"window.hsize", mySettings.window_hsize); - JsonSaveInt (root,"window.wsize", mySettings.window_wsize); - JsonSaveBoolean (root,"client.useEmojis", mySettings.use_emojis); - JsonSaveBoolean (root,"client.useHints", mySettings.use_hints); + JsonSaveBoolean (root,"os.windows.useColor",mySettings.os_windows_usecolor); + JsonSaveBoolean (root,"os.windows.useAnsiColor",mySettings.os_windows_useansicolor); + JsonSaveInt (root,"window.xpos",mySettings.window_xpos); + JsonSaveInt (root,"window.ypos",mySettings.window_ypos); + JsonSaveInt (root,"window.hsize",mySettings.window_hsize); + JsonSaveInt (root,"window.wsize",mySettings.window_wsize); } -void settings_load_callback(json_t *root) { - +void settings_load_callback (json_t *root) +{ +// extern settings_t mySettings; json_error_t up_error = {0}; int b1; int i1; const char *s1; - if (json_unpack_ex(root, &up_error , 0, "{s:s}","version", &s1) == 0) + if (json_unpack_ex(root, &up_error , 0, "{s:s}","version",&s1) == 0) strncpy (mySettings.version,s1,sizeof (mySettings.version) - 1); else strncpy (mySettings.version,"unknown",sizeof (mySettings.version) - 1); 
@@ -178,17 +180,5 @@ void settings_load_callback(json_t *root) { mySettings.window_wsize = i1; else // default mySettings.window_wsize = 0; - - // Use EMOJIS - if (json_unpack_ex(root,&up_error, 0, "{s:b}","client.useEmojis",&b1) == 0) - mySettings.use_emojis = b1; - else // default - mySettings.use_emojis = false; - - // Use Hints - if (json_unpack_ex(root,&up_error, 0, "{s:b}","client.useHints",&b1) == 0) - mySettings.use_hints = b1; - else // default - mySettings.use_hints = false; } diff --git a/client/settings.h b/client/settings.h index 4bf8b2a5e..799af7caa 100644 --- a/client/settings.h +++ b/client/settings.h @@ -24,8 +24,6 @@ typedef struct { int window_ypos; int window_hsize; int window_wsize; - bool use_emojis; - bool use_hints; } settings_t; // Settings struct so as to be available to other modules by including settings.h diff --git a/doc/md/Installation_Instructions/Troubleshooting.md b/doc/md/Installation_Instructions/Troubleshooting.md index 3fba71e1c..e727180bf 100644 --- a/doc/md/Installation_Instructions/Troubleshooting.md +++ b/doc/md/Installation_Instructions/Troubleshooting.md @@ -18,7 +18,7 @@ Always use the latest repository commits from *master* branch. There are always * [File not found](#file-not-found) * [Pixmap / pixbuf warnings](#pixmap--pixbuf-warnings) * [Usb cable](#usb-cable) - * [WSL 2 explorer.exe . doesnt work](#WSL-2) + * [WSL 2 explorer.exe . doesnt work](WSL-2) ## `pm3` or `pm3-flash*` doesn't see my Proxmark diff --git a/include/pm3_cmd.h b/include/pm3_cmd.h index 6ce271aab..d97fae6ed 100644 --- a/include/pm3_cmd.h +++ b/include/pm3_cmd.h 
@@ -618,11 +618,6 @@ typedef struct { #define PM3_EOUTOFBOUND -17 // exchange with card error client/pm3: error when cant get answer from card or got an incorrect answer #define PM3_ECARDEXCHANGE -18 - -// Failed to create APDU, -#define PM3_EAPDU_ENCODEFAIL -19 -// APDU responded with a failure code -#define PM3_EAPDU_FAIL -20 // No data pm3: no data available, no host frame available (not really an error) #define PM3_ENODATA -98 // Quit program client: reserved, order to quit the program diff --git a/include/protocols.h b/include/protocols.h index 03953fcc6..89038a789 100644 --- a/include/protocols.h +++ b/include/protocols.h 
@@ -349,62 +349,44 @@ ISO 7816-4 Basic interindustry commands. For command APDU's. // 6x xx = ERROR // MIFARE DESFire command set: - - +#define MFDES_CREATE_APPLICATION 0xca +#define MFDES_DELETE_APPLICATION 0xda +#define MFDES_GET_APPLICATION_IDS 0x6a +#define MFDES_SELECT_APPLICATION 0x5a +#define MFDES_FORMAT_PICC 0xfc #define MFDES_GET_VERSION 0x60 - -#define MFDES_AUTHENTICATE 0x0A // AUTHENTICATE_NATIVE -#define MFDES_AUTHENTICATE_ISO 0x1A // AUTHENTICATE_STANDARD -#define MFDES_AUTHENTICATE_AES 0xAA - -#define MFDES_CREDIT 0x0C -#define MFDES_LIMITED_CREDIT 0x1C -#define MFDES_DEBIT 0xDC - -#define MFDES_WRITE_RECORD 0x3B -#define MFDES_READSIG 0x3C -#define MFDES_WRITE_DATA 0x3D - -#define MFDES_GET_KEY_SETTINGS 0x45 -#define MFDES_CHANGE_KEY_SETTINGS 0x54 -#define MFDES_SELECT_APPLICATION 0x5A -#define MFDES_CHANGE_FILE_SETTINGS 0x5F +#define MFDES_READ_DATA 0xbd +#define MFDES_WRITE_DATA 0x3d +#define MFDES_GET_VALUE 0x6c +#define MFDES_CREDIT 0x0c +#define MFDES_DEBIT 0xdc +#define MFDES_LIMITED_CREDIT 0x1c +#define MFDES_WRITE_RECORD 0x3b +#define MFDES_READ_RECORDS 0xbb +#define MFDES_CLEAR_RECORD_FILE 0xeb +#define MFDES_COMMIT_TRANSACTION 0xc7 +#define MFDES_ABORT_TRANSACTION 0xa7 +#define MFDES_GET_FREE_MEMORY 0x6e +#define MFDES_GET_FILE_IDS 0x6f #define MFDES_GET_ISOFILE_IDS 0x61 +#define MFDES_GET_FILE_SETTINGS 0xf5 +#define MFDES_CHANGE_FILE_SETTINGS 0x5f +#define MFDES_CREATE_STD_DATA_FILE 0xcd +#define MFDES_CREATE_BACKUP_DATA_FILE 0xcb +#define MFDES_CREATE_VALUE_FILE 0xcc +#define MFDES_CREATE_LINEAR_RECORD_FILE 0xc1 +#define MFDES_CREATE_CYCLIC_RECORD_FILE 0xc0 +#define MFDES_DELETE_FILE 0xdf +#define MFDES_AUTHENTICATE 0x0a // AUTHENTICATE_NATIVE +#define MFDES_AUTHENTICATE_ISO 0x1a // AUTHENTICATE_STANDARD +#define MFDES_AUTHENTICATE_AES 0xaa +#define MFDES_CHANGE_KEY_SETTINGS 0x54 +#define MFDES_GET_KEY_SETTINGS 0x45 +#define MFDES_CHANGE_KEY 0xc4 #define MFDES_GET_KEY_VERSION 0x64 -#define MFDES_GET_APPLICATION_IDS 0x6A -#define 
MFDES_GET_VALUE 0x6C -#define MFDES_GET_FREE_MEMORY 0x6E -#define MFDES_GET_DF_NAMES 0x6D -#define MFDES_GET_FILE_IDS 0x6F - - -#define MFDES_ABORT_TRANSACTION 0xA7 #define MFDES_AUTHENTICATION_FRAME 0xAF #define MFDES_ADDITIONAL_FRAME 0xAF -#define MFDES_ADDITIONAL_FRAME_RESP 0x91AF -#define MFDES_SUCCESS_FRAME_RESP 0x9100 -#define MFDES_EAUTH_RESP 0x91AE -#define MFDES_ENO_SUCH_KEY_RESP 0x9140 - -#define MFDES_READ_RECORDS 0xBB -#define MFDES_READ_DATA 0xBD - -#define MFDES_CREATE_CYCLIC_RECORD_FILE 0xC0 -#define MFDES_CREATE_LINEAR_RECORD_FILE 0xC1 -#define MFDES_CHANGE_KEY 0xC4 -#define MFDES_COMMIT_TRANSACTION 0xC7 -#define MFDES_CREATE_APPLICATION 0xCA -#define MFDES_CREATE_BACKUP_DATA_FILE 0xCB -#define MFDES_CREATE_VALUE_FILE 0xCC -#define MFDES_CREATE_STD_DATA_FILE 0xCD - -#define MFDES_CLEAR_RECORD_FILE 0xEB - -#define MFDES_DELETE_APPLICATION 0xDA -#define MFDES_DELETE_FILE 0xDF - -#define MFDES_GET_FILE_SETTINGS 0xF5 -#define MFDES_FORMAT_PICC 0xFC +#define MFDES_READSIG 0x3C // LEGIC Commands #define LEGIC_MIM_22 0x0D
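Review bot: The re-added opcode defines use lowercase hex (`0xca`, `0x5a`) while the lines kept around them, and the new `MFDES_READSIG 0x3C`, use uppercase. The list is also ordered neither by value nor by function. I would write them uniformly, e.g. `#define MFDES_CREATE_APPLICATION 0xCA`, and add a one-line comment per group (application, file, value/record, key management) so that a duplicated or mistyped opcode is easier to spot. `MFDES_AUTHENTICATION_FRAME` and `MFDES_ADDITIONAL_FRAME` both expand to `0xAF`; a short comment saying this is intentional would help the next reader.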