plain update key works

2025-08-21 13:53:55 -07:00 · 2022-02-08 00:25:52 +02:00 · 2022-02-08 00:25:52 +02:00 · bc88040967
commit bc88040967
parent 01761cc273
2 changed files with 180 additions and 6 deletions
--- a/client/src/cipurse/cipursecore.c
+++ b/client/src/cipurse/cipursecore.c
@ -217,7 +217,7 @@ int CIPURSEUpdateKeyAttrib(uint8_t key_num, uint8_t key_attrib, uint8_t *result,
 }

 int CIPURSEUpdateKey(uint8_t encrypt_key_num, uint8_t key_num, uint8_t *key, uint16_t key_len, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) {
-    return CIPURSEExchangeEx(false, true, (sAPDU_t) {0x80, 0xd6, encrypt_key_num, key_num, key_len, key}, false, 0, result, max_result_len, result_len, sw);
+    return CIPURSEExchangeEx(false, true, (sAPDU_t) {0x80, 0x52, encrypt_key_num, key_num, key_len, key}, false, 0, result, max_result_len, result_len, sw);
 }

 int CIPURSECommitTransaction(uint16_t *sw) {
--- a/client/src/cmdhfcipurse.c
+++ b/client/src/cmdhfcipurse.c
@ -80,6 +80,14 @@ static const APDUSpcCodeDescription_t UAPDpdateKeyAttrCodeDescriptions[] = {
    {0x6A88, "Invalid key number (outside the range supported by the current DF)" }
 };

+static const APDUSpcCodeDescription_t UAPDpdateKeyCodeDescriptions[] = {
+    {0x6982, "Key is frozen or only the key itself has the rights to update" },
+    {0x6984, "key enc key is blocked or invalid" },
+    {0x6985, "Deactivated file" },
+    {0x6A80, "invalid algo, key length or kvv" },
+    {0x6A88, "Invalid key number (outside the range supported by the current DF)" }
+};
+
 static uint8_t defaultKeyId = 1;
 static uint8_t defaultKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY;
 #define CIPURSE_MAX_AID_LENGTH 16
@ -1436,8 +1444,169 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) {
    return PM3_SUCCESS;
 }

-//    {"updkey",    CmdHFCipurseUpdateKey,     IfPm3Iso14443a,  "Update key"},
 static int CmdHFCipurseUpdateKey(const char *Cmd) {
+    CLIParserContext *ctx;
+    CLIParserInit(&ctx, "hf cipurse updakey",
+                  "Update key. ",
+                  "hf cipurse updkey --aid 4144204631 --newkeyn 2 --newkeya 00 --newkey 73737373737373737373737373737373 -> update default application key 2 with default value 73..73\n"
+                  "hf cipurse updkey --newkeyn 1 --newkeya 00 --newkey 0102030405060708090a0b0c0d0e0f10 --commit ->  for key 1");
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_lit0("a",  "apdu",    "show APDU requests and responses"),
+        arg_lit0("v",  "verbose", "show technical data"),
+        arg_int0("n",  NULL,      "<dec>", "key ID for authentication"),
+        arg_str0("k",  "key",     "<hex>", "Auth key"),
+
+        arg_str0(NULL, "aid",     "<hex 1..16 bytes>", "application ID (AID)"),
+        arg_str0(NULL, "fid",     "<hex 2 bytes>", "file ID (FID)"),
+        arg_lit0(NULL, "mfd",     "select masterfile by empty id"),
+
+        arg_int0(NULL, "newkeyn", "<dec>", "target key ID"),
+        arg_str0(NULL, "newkey",  "<hex 16 byte>", "new key"),
+        arg_str0(NULL, "newkeya", "<hex 1 byte>", "new key additional info. 0x00 by default"),
+        
+        arg_str0(NULL, "sreq",    "<plain|mac(default)|encode>", "communication reader-PICC security level"),
+        arg_str0(NULL, "sresp",   "<plain|mac(default)|encode>", "communication PICC-reader security level"),
+        arg_lit0(NULL, "no-auth", "execute without authentication"),
+        arg_lit0(NULL, "commit",  "commit "),
+        arg_param_end
+    };
+    CLIExecWithReturn(ctx, Cmd, argtable, false);
+
+    bool APDULogging = arg_get_lit(ctx, 1);
+    bool verbose = arg_get_lit(ctx, 2);
+    uint8_t keyId = arg_get_int_def(ctx, 3, defaultKeyId);
+
+    CipurseChannelSecurityLevel sreq = CPSMACed;
+    CipurseChannelSecurityLevel sresp = CPSMACed;
+    uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0};
+
+    uint8_t aid[16] = {0};
+    size_t aidLen = 0;
+    bool useAID = false;
+    uint16_t fileId = defaultFileId;
+    bool useFID = false;
+    int res = CLIParseCommandParameters(ctx, 4, 5, 6, 11, 12, key, aid, &aidLen, &useAID, &fileId, &useFID, &sreq, &sresp);
+    if (res) {
+        CLIParserFree(ctx);
+        return PM3_EINVARG;
+    }
+
+    bool selmfd = arg_get_lit(ctx, 7);
+
+    uint8_t newKeyId = arg_get_int_def(ctx, 8, 0);
+    if (newKeyId == 0) {
+        PrintAndLogEx(ERR, _RED_("ERROR:") " new key id must be specified.");
+        CLIParserFree(ctx);
+        return PM3_EINVARG;
+    }
+
+    uint8_t hdata[250] = {0};
+    int hdatalen = sizeof(hdata);
+    CLIGetHexWithReturn(ctx, 9, hdata, &hdatalen);
+    if (hdatalen != 16) {
+        PrintAndLogEx(ERR, _RED_("ERROR:") " new key must be 16 bytes only and must be specified.");
+        CLIParserFree(ctx);
+        return PM3_EINVARG;
+    }
+
+    uint8_t newKey[16] = {0};
+    memcpy(newKey, hdata, 16);
+
+    hdatalen = sizeof(hdata);
+    CLIGetHexWithReturn(ctx, 10, hdata, &hdatalen);
+    if (hdatalen && hdatalen != 1) {
+        PrintAndLogEx(ERR, _RED_("ERROR:") " new key additional info must be 1 byte only.");
+        CLIParserFree(ctx);
+        return PM3_EINVARG;
+    }
+
+    uint8_t newKeyAInfo = (hdatalen) ? hdata[0] : 0x00;
+
+    bool noauth = arg_get_lit(ctx, 13);
+    bool needCommit = arg_get_lit(ctx, 14);
+
+    CLIParserFree(ctx);
+    SetAPDULogging(APDULogging);
+
+    uint8_t kvv[CIPURSE_KVV_LENGTH] = {0};
+    CipurseCGetKVV(newKey, kvv);
+
+    uint8_t keydata[3 + 16 + 3] = {newKeyAInfo, 0x10, 0x09, 0x00};
+    memcpy(&keydata[3], newKey, 16);
+    memcpy(&keydata[3 + 16], kvv, 3);
+
+    if (verbose) {
+        PrintAndLogEx(INFO, "New key number: %d", newKeyId);
+        PrintAndLogEx(INFO, "New key additional info: 0x%02x", newKeyAInfo);
+        PrintAndLogEx(INFO, "New key: %s", sprint_hex_inrow(key, 16));
+        PrintAndLogEx(INFO, "New key kvv: %s", sprint_hex_inrow(kvv, 3));
+        PrintAndLogEx(INFO, "New key data: %s", sprint_hex_inrow(keydata, sizeof(keydata)));
+        PrintAndLogEx(NORMAL, "");
+    }
+
+    uint8_t buf[APDU_RES_LEN] = {0};
+    size_t len = 0;
+    uint16_t sw = 0;
+
+    if (useAID || useFID || selmfd) {
+        res = SelectCommand(selmfd, useAID, aid, aidLen, useFID, fileId, verbose, buf, sizeof(buf), &len, &sw);
+        if (res != 0 || sw != 0x9000) {
+            PrintAndLogEx(ERR, "Select command ( " _RED_("error") " )");
+            DropField();
+            return PM3_ESOFT;
+        }
+    } else {
+        res = CIPURSESelectMFEx(true, true, buf, sizeof(buf), &len, &sw);
+        if (res != 0 || sw != 0x9000) {
+            PrintAndLogEx(ERR, "Cipurse masterfile select " _RED_("error") ". Card returns 0x%04x", sw);
+            DropField();
+            return PM3_ESOFT;
+        }
+        if (verbose)
+            PrintAndLogEx(INFO, "Cipurse masterfile " _GREEN_("selected"));
+    }
+
+    if (verbose) {
+        if (!noauth)
+            PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s")
+                          , keyId
+                          , sprint_hex(key, CIPURSE_AES_KEY_LENGTH)
+                         );
+    }
+
+    if (!noauth) {
+        bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose);
+        if (bres == false) {
+            if (verbose)
+                PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )");
+            DropField();
+            return PM3_ESOFT;
+        }
+
+        // set channel security levels
+        CIPURSECSetActChannelSecurityLevels(sreq, sresp);
+    }
+
+    res = CIPURSEUpdateKey(0, newKeyId, keydata, sizeof(keydata), buf, sizeof(buf), &len, &sw);
+    if (res != 0 || sw != 0x9000) {
+        PrintAndLogEx(ERR, "Update key command " _RED_("ERROR") ". Card returns:\n  0x%04x - %s", sw,
+                      GetSpecificAPDUCodeDesc(UAPDpdateKeyCodeDescriptions, ARRAYLEN(UAPDpdateKeyCodeDescriptions), sw));
+        DropField();
+        return PM3_ESOFT;
+    }
+    PrintAndLogEx(INFO, "Key updated " _GREEN_("succesfully"));
+
+    if (needCommit) {
+        sw = 0;
+        res = CIPURSECommitTransaction(&sw);
+        if (res != 0 || sw != 0x9000)
+            PrintAndLogEx(WARNING, "Commit " _YELLOW_("ERROR") ". Card returns 0x%04x", sw);
+
+        if (verbose)
+            PrintAndLogEx(INFO, "Commit " _GREEN_("OK"));
+    }

    DropField();
    return PM3_SUCCESS;
@ -1451,8 +1620,8 @@ static int CmdHFCipurseUpdateKeyAttr(const char *Cmd) {
                  "b1 - Change key and rights - 0 frozen\n"
                  "b2 - Use as key encryption key - 1 blocked\n"
                  "b8 - Key validity - 0 valid",
-                  "hf cipurse updakey --trgkey 2 --attr 80 ->  block key 2 for lifetime (WARNING!)\n"
-                  "hf cipurse updakey --trgkey 1 --attr 02 --commit ->  for key 1");
+                  "hf cipurse updakey --trgkeyn 2 --attr 80 ->  block key 2 for lifetime (WARNING!)\n"
+                  "hf cipurse updakey --trgkeyn 1 --attr 02 --commit ->  for key 1");

    void *argtable[] = {
        arg_param_begin,
@ -1465,7 +1634,7 @@ static int CmdHFCipurseUpdateKeyAttr(const char *Cmd) {
        arg_str0(NULL, "fid",     "<hex 2 bytes>", "file ID (FID)"),
        arg_lit0(NULL, "mfd",     "select masterfile by empty id"),

-        arg_int0(NULL, "trgkey",  "<dec>", "target key ID"),
+        arg_int0(NULL, "trgkeyn", "<dec>", "target key ID"),
        arg_str0(NULL, "attr",    "<hex 1 byte>", "key attributes 1 byte"),
        arg_str0(NULL, "sreq",    "<plain|mac(default)|encode>", "communication reader-PICC security level"),
        arg_str0(NULL, "sresp",   "<plain|mac(default)|encode>", "communication PICC-reader security level"),
@ -1496,7 +1665,12 @@ static int CmdHFCipurseUpdateKeyAttr(const char *Cmd) {

    bool selmfd = arg_get_lit(ctx, 7);

-    uint8_t trgKeyId = arg_get_int_def(ctx, 8, defaultKeyId);
+    uint8_t trgKeyId = arg_get_int_def(ctx, 8, 0);
+    if (trgKeyId == 0) {
+        PrintAndLogEx(ERR, _RED_("ERROR:") " target key id must be specified.");
+        CLIParserFree(ctx);
+        return PM3_EINVARG;
+    }

    uint8_t hdata[250] = {0};
    int hdatalen = sizeof(hdata);