From 26975187eebcbdc72e3c80ade4900ca435be841f Mon Sep 17 00:00:00 2001
From: Bjoern Kerler <info@revskills.de>
Date: Tue, 7 Apr 2020 09:14:44 +0200
Subject: [PATCH] Fix desfire aes authentification

---
 armsrc/mifaredesfire.c | 22 +++++++++++++++-------
 client/cmdhfmfdes.c    | 27 ++++++++++++++++++++++-----
 2 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c
index 5b8ed289e..8ac788122 100644
--- a/armsrc/mifaredesfire.c
+++ b/armsrc/mifaredesfire.c
@@ -204,7 +204,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
     uint8_t decRndB[16] = {0x00};
     uint8_t both[32] = {0x00};
 
-    InitDesfireCard();
+    //InitDesfireCard();
 
     LED_A_ON();
     LED_B_OFF();
@@ -455,8 +455,12 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
             mbedtls_aes_init(&ctx);
 
             cmd[0] = AUTHENTICATE_AES;
-            cmd[1] = 0x00;  //keynumber
-            len = DesfireAPDU(cmd, 2, resp);
+            cmd[1] = 0x0;
+            cmd[2] = 0x0;
+            cmd[3] = 0x1;
+            cmd[4] = arg2;  //keynumber
+            cmd[5] = 0x0;
+            len = DesfireAPDU(cmd, 6, resp);
             if (!len) {
                 if (DBGLEVEL >= DBG_ERROR) {
                     DbpString("Authentication failed. Card timeout.");
@@ -465,7 +469,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
                 return;
             }
 
-            memcpy(encRndB, resp + 3, 16);
+            memcpy(encRndB, resp + 1, 16);
 
             // dekryptera tagnonce.
             if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) {
@@ -491,9 +495,13 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
             mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT, 32, IV, both, encBoth);
 
             cmd[0] = ADDITIONAL_FRAME;
-            memcpy(cmd + 1, encBoth, 32);
+            cmd[1] = 0x00;
+            cmd[2] = 0x00;
+            cmd[3] = 0x20;
+            memcpy(cmd + 4, encBoth, 32);
+            cmd[36]=0x0;
 
-            len = DesfireAPDU(cmd, 33, resp);  // 1 + 32 == 33
+            len = DesfireAPDU(cmd, 37, resp);  // 4 + 32 + 1 == 37
             if (!len) {
                 if (DBGLEVEL >= DBG_ERROR) {
                     DbpString("Authentication failed. Card timeout.");
@@ -502,7 +510,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
                 return;
             }
 
-            if (resp[2] == 0x00) {
+            if ((resp[1+16] == 0x91)&&(resp[1+16+1] == 0x00)) {
                 // Create AES Session key
                 struct desfire_key sessionKey = {0};
                 desfirekey_t skey = &sessionKey;
diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c
index a652d2490..24a48398e 100644
--- a/client/cmdhfmfdes.c
+++ b/client/cmdhfmfdes.c
@@ -779,22 +779,29 @@ static int CmdHF14ADesAuth(const char *Cmd) {
 
     uint8_t keylength = 8;
     unsigned char key[24];
+    uint8_t aidlength = 3;
+    unsigned char aid[3];
 
     if (strlen(Cmd) < 3) {
-        PrintAndLogEx(NORMAL, "Usage:  hf mfdes auth <1|2|3> <1|2|3|4> <keyno> <key> ");
+        PrintAndLogEx(NORMAL, "Usage:  hf mfdes auth <1|2|3> <1|2|3|4> <appid> <keyno> <key> ");
         PrintAndLogEx(NORMAL, "            Auth modes");
         PrintAndLogEx(NORMAL, "                 1 = normal, 2 = iso, 3 = aes");
         PrintAndLogEx(NORMAL, "            Crypto");
         PrintAndLogEx(NORMAL, "                 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES");
         PrintAndLogEx(NORMAL, "");
         PrintAndLogEx(NORMAL, "Examples:");
-        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 1 1 0 11223344"));
-        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 3 4 0 404142434445464748494a4b4c4d4e4f"));
+        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 1 1 0 0 11223344"));
+        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 3 4 018380 0 404142434445464748494a4b4c4d4e4f"));
         return PM3_SUCCESS;
     }
     uint8_t cmdAuthMode = param_get8(Cmd, 0);
     uint8_t cmdAuthAlgo = param_get8(Cmd, 1);
-    uint8_t cmdKeyNo    = param_get8(Cmd, 2);
+    // AID
+    if (param_gethex(Cmd, 2, aid, aidlength*2)) {
+        PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3);
+        return PM3_EINVARG;
+    }
+    uint8_t cmdKeyNo    = param_get8(Cmd, 3);
 
     switch (cmdAuthMode) {
         case 1:
@@ -841,11 +848,21 @@ static int CmdHF14ADesAuth(const char *Cmd) {
     }
 
     // key
-    if (param_gethex(Cmd, 3, key, keylength * 2)) {
+    if (param_gethex(Cmd, 4, key, keylength * 2)) {
         PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength);
         return PM3_EINVARG;
     }
 
+    if (get_desfire_select_application(aid) != PM3_SUCCESS) {
+        PrintAndLogEx(WARNING, _RED_("   Can't select AID"));
+        DropField();
+        return PM3_ESOFT;
+    }
+
+    uint8_t file_ids[33] = {0};
+    uint8_t file_ids_len = 0;
+    get_desfire_fileids(file_ids, &file_ids_len);
+
     // algo, keylength,
     uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES)
     memcpy(data + 1, key, keylength);