From 5763089f5a2a7f6c0fb53cb00ff06f286d2df68c Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 16:02:00 +0200 Subject: [PATCH 1/8] delete by aid command --- client/src/cipurse/cipursecore.c | 4 ++++ client/src/cipurse/cipursecore.h | 1 + 2 files changed, 5 insertions(+) diff --git a/client/src/cipurse/cipursecore.c b/client/src/cipurse/cipursecore.c index 5733ffe5d..956b220f7 100644 --- a/client/src/cipurse/cipursecore.c +++ b/client/src/cipurse/cipursecore.c @@ -160,6 +160,10 @@ int CIPURSEDeleteFile(uint16_t fileid, uint8_t *result, size_t max_result_len, s return CIPURSEExchangeEx(false, true, (sAPDU_t) {0x00, 0xe4, 0x00, 0x00, 02, fileIdBin}, false, 0, result, max_result_len, result_len, sw); } +int CIPURSEDeleteFileAID(uint8_t *aid, size_t aidLen, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) { + return CIPURSEExchangeEx(false, true, (sAPDU_t) {0x00, 0xe4, 0x04, 0x00, aidLen, aid}, false, 0, result, max_result_len, result_len, sw); +} + int CIPURSESelectMFEx(bool activate_field, bool leave_field_on, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) { return CIPURSESelectFileEx(activate_field, leave_field_on, 0x3f00, result, max_result_len, result_len, sw); } diff --git a/client/src/cipurse/cipursecore.h b/client/src/cipurse/cipursecore.h index 01c30ff67..cd7096205 100644 --- a/client/src/cipurse/cipursecore.h +++ b/client/src/cipurse/cipursecore.h 
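Review bot: `CIPURSEDeleteFileAID` copies its `size_t aidLen` straight into the length slot of the `(sAPDU_t)` initializer, where the neighbouring `CIPURSEDeleteFile` passes the literal `02`, so an over-long or zero-length AID is presumably narrowed silently and still sent to the card; guard it before the exchange with `if (aidLen == 0 || aidLen > 16)` and return this module's error value (the `CIPURSE_MAX_AID_LENGTH` macro that patch 3 enables in cmdhfcipurse.c would be the right constant if it moved to the header). The width of the sAPDU_t length member is not visible in this hunk, so confirm the narrowing before relying on that claim. `aid` is only read, so `const uint8_t *aid` here and on the prototype added to cipursecore.h in the same commit would document that the buffer is not modified.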
@@ -38,6 +38,7 @@ int CIPURSEMutualAuthenticate(uint8_t keyindex, uint8_t *params, uint8_t paramsl int CIPURSECreateFile(uint8_t *attr, uint16_t attrlen, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSEDeleteFile(uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); +int CIPURSEDeleteFileAID(uint8_t *aid, size_t aidLen, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSESelectFileEx(bool activate_field, bool leave_field_on, uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSESelectFile(uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); From 0f5c6005d1413b9a5dfcd2a03364f1df317787a6 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 17:30:31 +0200 Subject: [PATCH 2/8] transactions --- client/src/cipurse/cipursecore.c | 13 +++++++++++++ client/src/cipurse/cipursecore.h | 3 +++ 2 files changed, 16 insertions(+) diff --git a/client/src/cipurse/cipursecore.c b/client/src/cipurse/cipursecore.c index 956b220f7..357cf9645 100644 --- a/client/src/cipurse/cipursecore.c +++ b/client/src/cipurse/cipursecore.c @@ -173,6 +173,7 @@ int CIPURSESelectMF(uint8_t *result, size_t max_result_len, size_t *result_len, } int CIPURSESelectFileEx(bool activate_field, bool leave_field_on, uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) { + CipurseCClearContext(&cipurseContext); uint8_t fileIdBin[] = {fileid >> 8, fileid & 0xff}; return CIPURSEExchangeEx(activate_field, leave_field_on, (sAPDU_t) {0x00, 0xa4, 0x00, 0x00, 02, fileIdBin}, true, 0, result, max_result_len, result_len, sw); } 
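Review bot: The `CipurseCClearContext(&cipurseContext);` added at the top of `CIPURSESelectFileEx` is undocumented and its effect is security-relevant: judging by the name it discards the secure-channel state, so a caller that selects a file after `CIPURSEChannelAuthenticate` continues on an unprotected channel until it authenticates again. A one-line comment would make that contract visible, e.g. `// a file select ends the current secure session; callers must re-authenticate afterwards (confirm against CipurseCClearContext)`. It is worth checking that every existing caller of `CIPURSESelectFile`/`CIPURSESelectFileEx` either authenticates afterwards or is meant to run in clear.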
@@ -200,6 +201,18 @@ int CIPURSEUpdateBinary(uint16_t offset, uint8_t *data, uint16_t datalen, uint8_ return CIPURSEExchange((sAPDU_t) {0x00, 0xd6, (offset >> 8) & 0x7f, offset & 0xff, datalen, data}, result, max_result_len, result_len, sw); } +int CIPURSECommitTransaction(uint16_t *sw) { + uint8_t result[APDU_RES_LEN] = {0}; + size_t result_len = 0; + return CIPURSEExchange((sAPDU_t) {0x80, 0x7e, 0x00, 0x00, 0, NULL}, result, sizeof(result), &result_len, sw); +} + +int CIPURSECancelTransaction(uint16_t *sw) { + uint8_t result[APDU_RES_LEN] = {0}; + size_t result_len = 0; + return CIPURSEExchange((sAPDU_t) {0x80, 0x7c, 0x00, 0x00, 0, NULL}, result, sizeof(result), &result_len, sw); +} + bool CIPURSEChannelAuthenticate(uint8_t keyindex, uint8_t *key, bool verbose) { uint8_t buf[APDU_RES_LEN] = {0}; size_t len = 0; diff --git a/client/src/cipurse/cipursecore.h b/client/src/cipurse/cipursecore.h index cd7096205..6be49e74c 100644 --- a/client/src/cipurse/cipursecore.h +++ b/client/src/cipurse/cipursecore.h @@ -51,6 +51,9 @@ int CIPURSEReadFileAttributes(uint8_t *result, size_t max_result_len, size_t *re int CIPURSEReadBinary(uint16_t offset, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSEUpdateBinary(uint16_t offset, uint8_t *data, uint16_t datalen, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); +int CIPURSECommitTransaction(uint16_t *sw); +int CIPURSECancelTransaction(uint16_t *sw); + bool CIPURSEChannelAuthenticate(uint8_t keyindex, uint8_t *key, bool verbose); void CIPURSECSetActChannelSecurityLevels(CipurseChannelSecurityLevel req, CipurseChannelSecurityLevel resp); From 9ef78cfbe7d06fcbb8ef73061ef8fe36a1070002 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 17:31:14 +0200 Subject: [PATCH 3/8] delete aid/fid command --- client/src/cmdhfcipurse.c | 116 ++++++++++++++++++++++++++++---------- 1 file changed, 85 insertions(+), 31 deletions(-) 
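Review bot: `CIPURSECommitTransaction` and `CIPURSECancelTransaction` are identical except for the INS byte (`0x7e` vs `0x7c`), and each silently discards the response body into a throwaway `result` buffer; a small static helper keeps the APDU encoding in one place and makes the discard explicit. Neither function says that only `sw` reaches the caller, which the two prototypes added to cipursecore.h in this commit should state in a comment. Suggested shape:
```c
// COMMIT (INS 0x7e) / CANCEL (INS 0x7c) TRANSACTION share one encoding; the
// response body is discarded and only the status word is reported via sw.
static int CIPURSETransactionCmd(uint8_t ins, uint16_t *sw) {
    uint8_t result[APDU_RES_LEN] = {0};
    size_t result_len = 0;
    return CIPURSEExchange((sAPDU_t) {0x80, ins, 0x00, 0x00, 0, NULL}, result, sizeof(result), &result_len, sw);
}

int CIPURSECommitTransaction(uint16_t *sw) {
    return CIPURSETransactionCmd(0x7e, sw);
}

int CIPURSECancelTransaction(uint16_t *sw) {
    return CIPURSETransactionCmd(0x7c, sw);
}
```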
diff --git a/client/src/cmdhfcipurse.c b/client/src/cmdhfcipurse.c index 0da29aa2c..bb4f70dc0 100644 --- a/client/src/cmdhfcipurse.c +++ b/client/src/cmdhfcipurse.c @@ -59,8 +59,8 @@ static const PxSE_AID_t PxSE_AID_LIST[] = { static uint8_t defaultKeyId = 1; static uint8_t defaultKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY; #define CIPURSE_MAX_AID_LENGTH 16 -//static uint8_t defaultAID[CIPURSE_MAX_AID_LENGTH] = {0x41, 0x44, 0x20, 0x46, 0x31, 0x00}; -//static size_t defaultAIDLength = 5; +static uint8_t defaultAID[CIPURSE_MAX_AID_LENGTH] = {0x41, 0x44, 0x20, 0x46, 0x31, 0x00}; +static size_t defaultAIDLength = 5; static uint16_t defaultFileId = 0x2ff7; static int CmdHelp(const char *Cmd); @@ -152,7 +152,6 @@ static int CmdHFCipurseInfo(const char *Cmd) { return PM3_SUCCESS; } -// {"select", CmdHFCipurseSelect, IfPm3Iso14443a, "Select CIPURSE application or file"}, static int CmdHFCipurseSelect(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf cipurse select", @@ -768,6 +767,13 @@ static int CmdHFCipurseReadFileAttr(const char *Cmd) { return PM3_SUCCESS; } +static int CmdHFCipurseCreateDGI(const char *Cmd) { + + + DropField(); + return PM3_SUCCESS; +} + static int CmdHFCipurseDeleteFile(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf cipurse delete", @@ -781,9 +787,12 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) { arg_lit0("v", "verbose", "show technical data"), arg_int0("n", NULL, "", "key ID"), arg_str0("k", "key", "", "Auth key"), - arg_str0(NULL, "fid", "", "file ID"), + arg_str0(NULL, "fid", "", "file ID for delete"), + arg_str0(NULL, "aid", "", "application ID (AID) for delete"), arg_str0(NULL, "sreq", "", "communication reader-PICC security level"), arg_str0(NULL, "sresp", "", "communication PICC-reader security level"), + arg_lit0(NULL, "no-auth", "execute without authentication"), + arg_lit0(NULL, "commit", "commit "), arg_param_end }; CLIExecWithReturn(ctx, Cmd, argtable, true); 
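Review bot: The new `arg_lit0(NULL, "commit", "commit ")` entry in the delete argtable has a placeholder help string, so `hf cipurse delete -h` will show just `commit`; it should describe what the later `CIPURSECommitTransaction` call does, e.g. `arg_lit0(NULL, "commit", "commit the transaction after the delete")`. The adjacent `--no-auth` switch sends the delete without channel authentication, which the help text could state explicitly, e.g. `"execute without authentication (card in personalisation state)"`. The `--aid` description could also say that the option without a value selects the built-in default AID, since that is what the parsing code later in this commit does.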
@@ -795,7 +804,7 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) { CipurseChannelSecurityLevel sreq = CPSMACed; CipurseChannelSecurityLevel sresp = CPSMACed; uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0}; - int res = CLIParseKeyAndSecurityLevels(ctx, 4, 6, 7, key, &sreq, &sresp); + int res = CLIParseKeyAndSecurityLevels(ctx, 4, 7, 8, key, &sreq, &sresp); if (res) { CLIParserFree(ctx); return PM3_EINVARG; 
@@ -811,52 +820,97 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) { } uint16_t fileId = defaultFileId; - if (hdatalen) + bool useFileID = false; + if (hdatalen) { fileId = (hdata[0] << 8) + hdata[1]; + useFileID = true; + } - SetAPDULogging(APDULogging); + hdatalen = sizeof(hdata); + CLIGetHexWithReturn(ctx, 6, hdata, &hdatalen); + if (hdatalen && (hdatalen < 1 || hdatalen > 16)) { + PrintAndLogEx(ERR, _RED_("ERROR:") " application id length must be 1-16 bytes only"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + + uint8_t aid[16] = {0}; + size_t aidLen = 0; + if (hdatalen) { + memcpy(aid, hdata, hdatalen); + aidLen = hdatalen; + } else { + memcpy(aid, defaultAID, defaultAIDLength); + aidLen = defaultAIDLength; + } + + bool noauth = arg_get_lit(ctx, 9); + bool needCommit = arg_get_lit(ctx, 10); CLIParserFree(ctx); + SetAPDULogging(APDULogging); uint8_t buf[APDU_RES_LEN] = {0}; size_t len = 0; uint16_t sw = 0; - res = CIPURSESelect(true, true, buf, sizeof(buf), &len, &sw); + res = CIPURSESelectMFEx(true, true, buf, sizeof(buf), &len, &sw); if (res != 0 || sw != 0x9000) { - PrintAndLogEx(ERR, "Cipurse select " _RED_("error") ". Card returns 0x%04x", sw); + PrintAndLogEx(ERR, "Cipurse masterfile select " _RED_("error") ". 
Card returns 0x%04x", sw); DropField(); return PM3_ESOFT; } if (verbose) { - PrintAndLogEx(INFO, "File id " _YELLOW_("%x") " key id " _YELLOW_("%d") " key " _YELLOW_("%s") - , fileId - , keyId - , sprint_hex(key, CIPURSE_AES_KEY_LENGTH) - ); + if (useFileID) + PrintAndLogEx(INFO, "File id " _CYAN_("%x"), fileId); + else + PrintAndLogEx(INFO, "Application ID " _CYAN_("%s"), sprint_hex_inrow(aid, aidLen)); + + if (!noauth) + PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s") + , keyId + , sprint_hex(key, CIPURSE_AES_KEY_LENGTH) + ); } - bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose); - if (bres == false) { - if (verbose == false) - PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )"); - DropField(); - return PM3_ESOFT; + if (!noauth) { + bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose); + if (bres == false) { + if (verbose) + PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )"); + DropField(); + return PM3_ESOFT; + } + + // set channel security levels + CIPURSECSetActChannelSecurityLevels(sreq, sresp); } - // set channel security levels - CIPURSECSetActChannelSecurityLevels(sreq, sresp); - - res = CIPURSEDeleteFile(fileId, buf, sizeof(buf), &len, &sw); - if (res != 0 || sw != 0x9000) { - if (verbose == false) - PrintAndLogEx(ERR, "File select " _RED_("ERROR") ". Card returns 0x%04x", sw); - DropField(); - return PM3_ESOFT; + if (useFileID) { + res = CIPURSEDeleteFile(fileId, buf, sizeof(buf), &len, &sw); + if (res != 0 || sw != 0x9000) { + PrintAndLogEx(ERR, "Delete file " _CYAN_("%04x ") _RED_("ERROR") ". Card returns 0x%04x", fileId, sw); + DropField(); + return PM3_ESOFT; + } + PrintAndLogEx(INFO, "File id " _CYAN_("%04x") " deleted " _GREEN_("succesfully"), fileId); + } else { + res = CIPURSEDeleteFileAID(aid, aidLen, buf, sizeof(buf), &len, &sw); + if (res != 0 || sw != 0x9000) { + PrintAndLogEx(ERR, "Delete application " _CYAN_("%s ") _RED_("error") ". 
Card returns 0x%04x", sprint_hex_inrow(aid, aidLen), sw); + DropField(); + return PM3_ESOFT; + } + PrintAndLogEx(INFO, "Delete application " _CYAN_("%s ") _GREEN_("OK"), sprint_hex_inrow(aid, aidLen)); } - PrintAndLogEx(INFO, "File id " _YELLOW_("%04x") " deleted " _GREEN_("succesfully"), fileId); + if (needCommit) { + sw = 0; + res = CIPURSECommitTransaction(&sw); + if (res != 0 || sw != 0x9000) + PrintAndLogEx(WARNING, "Commit " _YELLOW_("ERROR") ". Card returns 0x%04x", sw); + } DropField(); return PM3_SUCCESS; @@ -946,7 +1000,7 @@ static command_t CommandTable[] = { {"read", CmdHFCipurseReadFile, IfPm3Iso14443a, "Read binary file"}, {"write", CmdHFCipurseWriteFile, IfPm3Iso14443a, "Write binary file"}, {"aread", CmdHFCipurseReadFileAttr, IfPm3Iso14443a, "Read file attributes"}, - //{"create", CmdHFCipurseCreateDGI, IfPm3Iso14443a, "Create file, application, key via DGI record"}, + {"create", CmdHFCipurseCreateDGI, IfPm3Iso14443a, "Create file, application, key via DGI record"}, {"delete", CmdHFCipurseDeleteFile, IfPm3Iso14443a, "Delete file"}, {"default", CmdHFCipurseDefault, IfPm3Iso14443a, "Set default key and file id for all the other commands"}, {"test", CmdHFCipurseTest, AlwaysAvailable, "Tests"}, From 1b15811c5f09602e5ddd0be835bb3d75ba5fcc66 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 19:35:14 +0200 Subject: [PATCH 4/8] card format command and create file sketch --- client/src/cipurse/cipursecore.c | 6 + client/src/cipurse/cipursecore.h | 2 + client/src/cmdhfcipurse.c | 216 ++++++++++++++++++++++++++++++- 3 files changed, 221 insertions(+), 3 deletions(-) diff --git a/client/src/cipurse/cipursecore.c b/client/src/cipurse/cipursecore.c index 357cf9645..0ac11a4dc 100644 --- a/client/src/cipurse/cipursecore.c +++ b/client/src/cipurse/cipursecore.c 
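Review bot: In the rewritten authentication block of `CmdHFCipurseDeleteFile` the failure message is now printed only `if (verbose)`, the opposite of the removed `if (verbose == false)`, so a user running the command without `-v` gets `PM3_ESOFT` and no explanation at all; unless `CIPURSEChannelAuthenticate` prints its own failure in non-verbose mode (not visible here), restore `if (verbose == false)`. The same inversion is copied into `CmdHFCipurseFormatAll` and `CmdHFCipurseCreateDGI` in patch 4. Separately, `useFileID` is set only when `--fid` carries a value, so a bare `hf cipurse delete` no longer deletes `defaultFileId` but the default AID, leaving `defaultFileId` dead in this function and contradicting the `default` command's description; either make the no-option case use the file id again or document the new default. Minor: `uint8_t aid[16]` and the `hdatalen > 16` check should use `CIPURSE_MAX_AID_LENGTH` from the same file, and `hdatalen < 1` inside `if (hdatalen && ...)` is redundant.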
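Review bot: Registering `create` here exposes `CmdHFCipurseCreateDGI`, which as added earlier in this commit ignores `Cmd` and only calls `DropField()`, so users get a silently successful no-op; keep the table entry commented out until the handler exists, or have the stub return an error rather than `PM3_SUCCESS`. The `"Delete file"` description on the next line is also stale now that the handler deletes applications by AID, e.g. `"Delete file or application"`.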
@@ -172,6 +172,12 @@ int CIPURSESelectMF(uint8_t *result, size_t max_result_len, size_t *result_len, return CIPURSESelectMFEx(false, true, result, max_result_len, result_len, sw); } +int CIPURSEFormatAll(uint16_t *sw) { + uint8_t result[APDU_RES_LEN] = {0}; + size_t result_len = 0; + return CIPURSEExchange((sAPDU_t) {0x80, 0xfc, 0x00, 0x00, 7, (uint8_t *)"ConfirM"}, result, sizeof(result), &result_len, sw); +} + int CIPURSESelectFileEx(bool activate_field, bool leave_field_on, uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw) { CipurseCClearContext(&cipurseContext); uint8_t fileIdBin[] = {fileid >> 8, fileid & 0xff}; diff --git a/client/src/cipurse/cipursecore.h b/client/src/cipurse/cipursecore.h index 6be49e74c..608fb3952 100644 --- a/client/src/cipurse/cipursecore.h +++ b/client/src/cipurse/cipursecore.h @@ -40,6 +40,8 @@ int CIPURSECreateFile(uint8_t *attr, uint16_t attrlen, uint8_t *result, size_t m int CIPURSEDeleteFile(uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSEDeleteFileAID(uint8_t *aid, size_t aidLen, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); +int CIPURSEFormatAll(uint16_t *sw); + int CIPURSESelectFileEx(bool activate_field, bool leave_field_on, uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSESelectFile(uint16_t fileid, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); int CIPURSESelectMFDefaultFileEx(bool activate_field, bool leave_field_on, uint8_t *result, size_t max_result_len, size_t *result_len, uint16_t *sw); diff --git a/client/src/cmdhfcipurse.c b/client/src/cmdhfcipurse.c index bb4f70dc0..c18635c4b 100644 --- a/client/src/cmdhfcipurse.c +++ b/client/src/cmdhfcipurse.c 
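Review bot: `CIPURSEFormatAll` issues an irreversible card-wide erase, yet it carries no comment explaining the `0x80, 0xfc` command or the `7, (uint8_t *)"ConfirM"` payload, so a reader cannot tell the literal is a required confirmation token rather than sample data. Suggested header: `/* FORMAT ALL (CLA 0x80 INS 0xfc): irreversibly erases all data at card level; "ConfirM" is the fixed confirmation payload the command expects (confirm against the CIPURSE spec). Response data is discarded; only sw is reported. */`. The magic `7` can be tied to the literal with `sizeof("ConfirM") - 1`, and the cast that drops `const` from the string literal is only safe while the exchange path never writes through `data` — confirm, or copy the token into a local `uint8_t` array.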
@@ -767,8 +767,216 @@ static int CmdHFCipurseReadFileAttr(const char *Cmd) { return PM3_SUCCESS; } -static int CmdHFCipurseCreateDGI(const char *Cmd) { +static int CmdHFCipurseFormatAll(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf cipurse formatall", + "Format card. Erases all the data at the card level!", + "hf cipurse formatall -> Format card with default key\n" + "hf cipurse formatall -n 2 -k 65656565656565656565656565656565 -> Format card with keyID 2\n" + "hf cipurse formatall --no-auth -> Format card without authentication. Works for card in perso state\n"); + void *argtable[] = { + arg_param_begin, + arg_lit0("a", "apdu", "show APDU requests and responses"), + arg_lit0("v", "verbose", "show technical data"), + arg_int0("n", NULL, "", "key ID"), + arg_str0("k", "key", "", "Auth key"), + arg_str0(NULL, "sreq", "", "communication reader-PICC security level"), + arg_str0(NULL, "sresp", "", "communication PICC-reader security level"), + arg_lit0(NULL, "no-auth", "execute without authentication"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, true); + + bool APDULogging = arg_get_lit(ctx, 1); + bool verbose = arg_get_lit(ctx, 2); + uint8_t keyId = arg_get_int_def(ctx, 3, defaultKeyId); + + CipurseChannelSecurityLevel sreq = CPSMACed; + CipurseChannelSecurityLevel sresp = CPSMACed; + uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0}; + int res = CLIParseKeyAndSecurityLevels(ctx, 4, 5, 6, key, &sreq, &sresp); + if (res) { + CLIParserFree(ctx); + return PM3_EINVARG; + } + + bool noauth = arg_get_lit(ctx, 7); + + CLIParserFree(ctx); + SetAPDULogging(APDULogging); + + uint8_t buf[APDU_RES_LEN] = {0}; + size_t len = 0; + uint16_t sw = 0; + + res = CIPURSESelectMFEx(true, true, buf, sizeof(buf), &len, &sw); + if (res != 0 || sw != 0x9000) { + PrintAndLogEx(ERR, "Cipurse masterfile select " _RED_("error") ". 
Card returns 0x%04x", sw); + DropField(); + return PM3_ESOFT; + } + + if (verbose) { + PrintAndLogEx(WARNING, _YELLOW_("FORMAT erases all the data at this card!!!")); + if (!noauth) + PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s") + , keyId + , sprint_hex(key, CIPURSE_AES_KEY_LENGTH) + ); + } + + if (!noauth) { + bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose); + if (bres == false) { + if (verbose) + PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )"); + DropField(); + return PM3_ESOFT; + } + + // set channel security levels + CIPURSECSetActChannelSecurityLevels(sreq, sresp); + } + + res = CIPURSEFormatAll(&sw); + if (res != 0 || sw != 0x9000) { + PrintAndLogEx(ERR, "Format " _RED_("ERROR") ". Card returns 0x%04x", sw); + DropField(); + return PM3_ESOFT; + } + PrintAndLogEx(INFO, "Card formatted " _GREEN_("succesfully")); + + DropField(); + return PM3_SUCCESS; +} + +static int CmdHFCipurseCreateDGI(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf cipurse create", + "Create application/file/key by provide appropriate DGI. 
If no key is supplied, default key of 737373...7373 will be used", + "hf cipurse create -d 9200123F00200008000062098407A0000005070100 -> create PTSE file with FID 0x2000 and space for 8 AIDs\n" + "hf cipurse create -d -> create default file with FID 5F00\n"); + + void *argtable[] = { + arg_param_begin, + arg_lit0("a", "apdu", "show APDU requests and responses"), + arg_lit0("v", "verbose", "show technical data"), + arg_int0("n", NULL, "", "key ID"), + arg_str0("k", "key", "", "Auth key"), + arg_str0("d", "data", "", "data with DGI for create"), + arg_str0(NULL, "sreq", "", "communication reader-PICC security level"), + arg_str0(NULL, "sresp", "", "communication PICC-reader security level"), + arg_lit0(NULL, "no-auth", "execute without authentication"), + arg_lit0(NULL, "commit", "commit "), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, true); + + bool APDULogging = arg_get_lit(ctx, 1); + bool verbose = arg_get_lit(ctx, 2); + uint8_t keyId = arg_get_int_def(ctx, 3, defaultKeyId); + + CipurseChannelSecurityLevel sreq = CPSMACed; + CipurseChannelSecurityLevel sresp = CPSMACed; + uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0}; + int res = CLIParseKeyAndSecurityLevels(ctx, 4, 7, 8, key, &sreq, &sresp); + if (res) { + CLIParserFree(ctx); + return PM3_EINVARG; + } + + uint8_t hdata[250] = {0}; + int hdatalen = sizeof(hdata); + CLIGetHexWithReturn(ctx, 5, hdata, &hdatalen); + if (hdatalen && hdatalen != 2) { + PrintAndLogEx(ERR, _RED_("ERROR:") " file id length must be 2 bytes only"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + + uint16_t fileId = defaultFileId; + bool useFileID = false; + if (hdatalen) { + fileId = (hdata[0] << 8) + hdata[1]; + useFileID = true; + } + + hdatalen = sizeof(hdata); + CLIGetHexWithReturn(ctx, 6, hdata, &hdatalen); + if (hdatalen && (hdatalen < 1 || hdatalen > 16)) { + PrintAndLogEx(ERR, _RED_("ERROR:") " application id length must be 1-16 bytes only"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + + uint8_t aid[16] = {0}; + 
size_t aidLen = 0; + if (hdatalen) { + memcpy(aid, hdata, hdatalen); + aidLen = hdatalen; + } else { + memcpy(aid, defaultAID, defaultAIDLength); + aidLen = defaultAIDLength; + } + + bool noauth = arg_get_lit(ctx, 9); + bool needCommit = arg_get_lit(ctx, 10); + + CLIParserFree(ctx); + SetAPDULogging(APDULogging); + + uint8_t buf[APDU_RES_LEN] = {0}; + size_t len = 0; + uint16_t sw = 0; + + res = CIPURSESelectMFEx(true, true, buf, sizeof(buf), &len, &sw); + if (res != 0 || sw != 0x9000) { + PrintAndLogEx(ERR, "Cipurse masterfile select " _RED_("error") ". Card returns 0x%04x", sw); + DropField(); + return PM3_ESOFT; + } + + if (verbose) { + if (useFileID) + PrintAndLogEx(INFO, "File id " _CYAN_("%x"), fileId); + else + PrintAndLogEx(INFO, "Application ID " _CYAN_("%s"), sprint_hex_inrow(aid, aidLen)); + + if (!noauth) + PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s") + , keyId + , sprint_hex(key, CIPURSE_AES_KEY_LENGTH) + ); + } + + if (!noauth) { + bool bres = CIPURSEChannelAuthenticate(keyId, key, verbose); + if (bres == false) { + if (verbose) + PrintAndLogEx(ERR, "Authentication ( " _RED_("fail") " )"); + DropField(); + return PM3_ESOFT; + } + + // set channel security levels + CIPURSECSetActChannelSecurityLevels(sreq, sresp); + } + + + + + + + + + + if (needCommit) { + sw = 0; + res = CIPURSECommitTransaction(&sw); + if (res != 0 || sw != 0x9000) + PrintAndLogEx(WARNING, "Commit " _YELLOW_("ERROR") ". Card returns 0x%04x", sw); + } DropField(); return PM3_SUCCESS; 
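Review bot: In `CmdHFCipurseFormatAll` the `PrintAndLogEx(WARNING, _YELLOW_("FORMAT erases all the data at this card!!!"))` sits inside `if (verbose)`, so the default invocation erases the card with no warning at all; move that line out of the verbose block so it is printed unconditionally before `CIPURSEFormatAll(&sw)` is sent. The `--no-auth` help text for this command should also say it is intended for cards still in personalisation state, since the format then runs with no channel authentication. The `CmdHFCipurseCreateDGI` sketch in the same hunk reads options by indices that do not match its own argtable (index 6 is `--sreq`, not an AID; `arg_get_lit(ctx, 10)` is past the last option, `--commit`, at 9), and it is wired to a live `create` command — either fix the indices or keep it unregistered until the handler is complete.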
@@ -778,8 +986,9 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf cipurse delete", "Delete file by file ID with key ID and key. If no key is supplied, default key of 737373...7373 will be used", - "hf cipurse delete --fid 2ff7 -> Authenticate with keyID 1, delete file with id 2ff7\n" - "hf cipurse delete -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2 and delete file\n"); + "hf cipurse delete --fid 2ff7 -> Authenticate with keyID 1, delete file with id 2ff7\n" + "hf cipurse delete -n 2 -k 65656565656565656565656565656565 --fid 2ff7 -> Authenticate keyID 2 and delete file\n" + "hf cipurse delete --aid --no-auth -> delete PTSE file with AID A0000005070100 without authentication\n"); void *argtable[] = { arg_param_begin, @@ -1000,6 +1209,7 @@ static command_t CommandTable[] = { {"read", CmdHFCipurseReadFile, IfPm3Iso14443a, "Read binary file"}, {"write", CmdHFCipurseWriteFile, IfPm3Iso14443a, "Write binary file"}, {"aread", CmdHFCipurseReadFileAttr, IfPm3Iso14443a, "Read file attributes"}, + {"formatall", CmdHFCipurseFormatAll, IfPm3Iso14443a, "Erase all the data from chip"}, {"create", CmdHFCipurseCreateDGI, IfPm3Iso14443a, "Create file, application, key via DGI record"}, {"delete", CmdHFCipurseDeleteFile, IfPm3Iso14443a, "Delete file"}, {"default", CmdHFCipurseDefault, IfPm3Iso14443a, "Set default key and file id for all the other commands"}, From 788e712a6cafc09f384415193e70d7aeb3979ef6 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 20:09:53 +0200 Subject: [PATCH 5/8] create file works --- client/src/cmdhfcipurse.c | 81 ++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 43 deletions(-) diff --git a/client/src/cmdhfcipurse.c b/client/src/cmdhfcipurse.c index c18635c4b..c1e55e942 100644 --- a/client/src/cmdhfcipurse.c +++ b/client/src/cmdhfcipurse.c 
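Review bot: The new help example `hf cipurse delete --aid --no-auth -> delete PTSE file with AID A0000005070100 without authentication` does not match the code: a bare `--aid` falls back to `defaultAID`, which the earlier hunk in patch 3 defines as `41 44 20 46 31`, not `A0 00 00 05 07 01 00`, so the example would delete a different application than it claims. Either show the AID explicitly in the example (`--aid A0000005070100`) or describe the bare form as deleting the built-in default AID. `PTSE` also looks like a typo for the `PxSE` spelling used in `PxSE_AID_LIST`.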
@@ -56,6 +56,30 @@ static const PxSE_AID_t PxSE_AID_LIST[] = { {{0xA0, 0x00, 0x00, 0x05, 0x07, 0x06, 0x00}, "Proximity Micro-Payment System Environment (PMSE)" } }; +typedef struct { + const uint16_t Code; + const char *Description; +} APDUSpcCodeDescription_t; + +static const APDUSpcCodeDescription_t SelectAPDUCodeDescriptions[] = { + {0x6984, "Key is blocked for use as key encryption key" }, + {0x6985, "Command not allowed on deactivated ADF or maximum files count already reached" }, + {0x6A80, "Incorrect creation parameters in the command data field for the EF/ADF creation" }, + {0x6A81, "Command for creation of ADF is not permitted on ADF level" }, + {0x6A84, "Not enough memory space" }, + {0x6A88, "Invalid key number (outside the range supported by the currend DF)" }, + {0x6A89, "FileID / SFID already exists" }, + {0x6A89, "AID already exists" } +}; + +static const char *GetSpecificAPDUCodeDesc(const APDUSpcCodeDescription_t *desc, const size_t desclen, uint16_t code) { + for (int i = 0; i < desclen; i++) { + if (desc[i].Code == code) + return desc[i].Description; + } + return GetAPDUCodeDescription(code >> 8, code & 0xff); +} + static uint8_t defaultKeyId = 1; static uint8_t defaultKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY; #define CIPURSE_MAX_AID_LENGTH 16 @@ -871,7 +895,7 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { arg_lit0(NULL, "commit", "commit "), arg_param_end }; - CLIExecWithReturn(ctx, Cmd, argtable, true); + CLIExecWithReturn(ctx, Cmd, argtable, false); bool APDULogging = arg_get_lit(ctx, 1); bool verbose = arg_get_lit(ctx, 2); @@ -880,7 +904,7 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { CipurseChannelSecurityLevel sreq = CPSMACed; CipurseChannelSecurityLevel sresp = CPSMACed; uint8_t key[CIPURSE_AES_KEY_LENGTH] = {0}; - int res = CLIParseKeyAndSecurityLevels(ctx, 4, 7, 8, key, &sreq, &sresp); + int res = CLIParseKeyAndSecurityLevels(ctx, 4, 6, 7, key, &sreq, &sresp); if (res) { CLIParserFree(ctx); return PM3_EINVARG; 
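Review bot: `GetSpecificAPDUCodeDesc` loops with `int i` against a `size_t desclen`, a signed/unsigned comparison that `-Wsign-compare` reports; `for (size_t i = 0; i < desclen; i++)` fixes it, and the copy moved into apduinfo.c by patch 6 needs the same change. In `SelectAPDUCodeDescriptions` the key `0x6A89` appears twice (`FileID / SFID already exists` and `AID already exists`); since the lookup returns the first match, the second entry is unreachable, so merge them into one description or the AID case will never be reported. The table describes CREATE FILE status words but is named `Select...`; a one-line comment over it naming the command it applies to would stop the next per-command table (patch 7 adds `DeleteAPDUCodeDescriptions`) from inheriting the confusion.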
@@ -889,39 +913,14 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { uint8_t hdata[250] = {0}; int hdatalen = sizeof(hdata); CLIGetHexWithReturn(ctx, 5, hdata, &hdatalen); - if (hdatalen && hdatalen != 2) { - PrintAndLogEx(ERR, _RED_("ERROR:") " file id length must be 2 bytes only"); + if (hdatalen < 4 || hdatalen > 200) { + PrintAndLogEx(ERR, _RED_("ERROR:") " data length must be 4-200 bytes only"); CLIParserFree(ctx); return PM3_EINVARG; } - uint16_t fileId = defaultFileId; - bool useFileID = false; - if (hdatalen) { - fileId = (hdata[0] << 8) + hdata[1]; - useFileID = true; - } - - hdatalen = sizeof(hdata); - CLIGetHexWithReturn(ctx, 6, hdata, &hdatalen); - if (hdatalen && (hdatalen < 1 || hdatalen > 16)) { - PrintAndLogEx(ERR, _RED_("ERROR:") " application id length must be 1-16 bytes only"); - CLIParserFree(ctx); - return PM3_EINVARG; - } - - uint8_t aid[16] = {0}; - size_t aidLen = 0; - if (hdatalen) { - memcpy(aid, hdata, hdatalen); - aidLen = hdatalen; - } else { - memcpy(aid, defaultAID, defaultAIDLength); - aidLen = defaultAIDLength; - } - - bool noauth = arg_get_lit(ctx, 9); - bool needCommit = arg_get_lit(ctx, 10); + bool noauth = arg_get_lit(ctx, 8); + bool needCommit = arg_get_lit(ctx, 9); CLIParserFree(ctx); SetAPDULogging(APDULogging); @@ -938,11 +937,6 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { } if (verbose) { - if (useFileID) - PrintAndLogEx(INFO, "File id " _CYAN_("%x"), fileId); - else - PrintAndLogEx(INFO, "Application ID " _CYAN_("%s"), sprint_hex_inrow(aid, aidLen)); - if (!noauth) PrintAndLogEx(INFO, "key id " _YELLOW_("%d") " key " _YELLOW_("%s") , keyId 
@@ -963,13 +957,14 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { CIPURSECSetActChannelSecurityLevels(sreq, sresp); } - - - - - - - + res = CIPURSECreateFile(hdata, hdatalen, buf, sizeof(buf), &len, &sw); + if (res != 0 || sw != 0x9000) { + PrintAndLogEx(ERR, "Create file command " _RED_("ERROR") ". Card returns:\n 0x%04x - %s", sw, + GetSpecificAPDUCodeDesc(SelectAPDUCodeDescriptions, ARRAYLEN(SelectAPDUCodeDescriptions), sw)); + DropField(); + return PM3_ESOFT; + } + PrintAndLogEx(INFO, "File created " _GREEN_("succesfully")); if (needCommit) { sw = 0; From 43577b3db41d17f28cc8fc1a1d1eaa5b7648e09a Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 20:16:48 +0200 Subject: [PATCH 6/8] refactoring. add ability to produce command specific apdu codes --- client/src/cmdhfcipurse.c | 13 ------------- client/src/iso7816/apduinfo.c | 8 ++++++++ client/src/iso7816/apduinfo.h | 7 +++++++ 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/client/src/cmdhfcipurse.c b/client/src/cmdhfcipurse.c index c1e55e942..357db1341 100644 --- a/client/src/cmdhfcipurse.c +++ b/client/src/cmdhfcipurse.c @@ -56,11 +56,6 @@ static const PxSE_AID_t PxSE_AID_LIST[] = { {{0xA0, 0x00, 0x00, 0x05, 0x07, 0x06, 0x00}, "Proximity Micro-Payment System Environment (PMSE)" } }; -typedef struct { - const uint16_t Code; - const char *Description; -} APDUSpcCodeDescription_t; - static const APDUSpcCodeDescription_t SelectAPDUCodeDescriptions[] = { {0x6984, "Key is blocked for use as key encryption key" }, {0x6985, "Command not allowed on deactivated ADF or maximum files count already reached" }, 
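Review bot: The `CIPURSECreateFile(hdata, hdatalen, ...)` call sends the caller-supplied DGI under whatever channel security level was parsed, defaulting to `CPSMACed`; if that level only authenticates and does not encrypt the payload (not visible here — confirm against the security-level enum), DGIs that carry key values, as the `create` example added in patch 7 does, would cross the air in clear. A comment above the call, or a line in the command description, should tell users to select an encrypting `--sreq` level when the DGI contains keys. The success message `"File created " _GREEN_("succesfully")` repeats the `succesfully` misspelling already present in the delete handler.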
@@ -72,14 +67,6 @@ static const APDUSpcCodeDescription_t SelectAPDUCodeDescriptions[] = { {0x6A89, "AID already exists" } }; -static const char *GetSpecificAPDUCodeDesc(const APDUSpcCodeDescription_t *desc, const size_t desclen, uint16_t code) { - for (int i = 0; i < desclen; i++) { - if (desc[i].Code == code) - return desc[i].Description; - } - return GetAPDUCodeDescription(code >> 8, code & 0xff); -} - static uint8_t defaultKeyId = 1; static uint8_t defaultKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY; #define CIPURSE_MAX_AID_LENGTH 16 diff --git a/client/src/iso7816/apduinfo.c b/client/src/iso7816/apduinfo.c index 5c9a36f76..7e8cc1d5b 100644 --- a/client/src/iso7816/apduinfo.c +++ b/client/src/iso7816/apduinfo.c @@ -329,6 +329,14 @@ const char *GetAPDUCodeDescription(uint8_t sw1, uint8_t sw2) { return APDUCodeTable[0].Description; //empty string } +const char *GetSpecificAPDUCodeDesc(const APDUSpcCodeDescription_t *desc, const size_t desclen, uint16_t code) { + for (int i = 0; i < desclen; i++) { + if (desc[i].Code == code) + return desc[i].Description; + } + return GetAPDUCodeDescription(code >> 8, code & 0xff); +} + int APDUDecode(uint8_t *data, int len, APDU_t *apdu) { ExtAPDUHeader_t *hapdu = (ExtAPDUHeader_t *)data; diff --git a/client/src/iso7816/apduinfo.h b/client/src/iso7816/apduinfo.h index d07d5f36e..abe6ad6d5 100644 --- a/client/src/iso7816/apduinfo.h +++ b/client/src/iso7816/apduinfo.h @@ -38,6 +38,13 @@ typedef struct { const APDUCode_t *GetAPDUCode(uint8_t sw1, uint8_t sw2); const char *GetAPDUCodeDescription(uint8_t sw1, uint8_t sw2); +typedef struct { + const uint16_t Code; + const char *Description; +} APDUSpcCodeDescription_t; + +const char *GetSpecificAPDUCodeDesc(const APDUSpcCodeDescription_t *desc, const size_t desclen, uint16_t code); + typedef struct { uint8_t CLA; uint8_t INS; From 3d6a33e21ef59ccf2c4a2f79027d21773ee53351 Mon Sep 17 00:00:00 2001 
From: merlokk <807634+merlokk@users.noreply.github.com> Date: Fri, 28 Jan 2022 20:57:31 +0200 Subject: [PATCH 7/8] add specific apdu codes for delete command and add sample create application --- client/src/cmdhfcipurse.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/client/src/cmdhfcipurse.c b/client/src/cmdhfcipurse.c index 357db1341..297b96258 100644 --- a/client/src/cmdhfcipurse.c +++ b/client/src/cmdhfcipurse.c @@ -67,6 +67,12 @@ static const APDUSpcCodeDescription_t SelectAPDUCodeDescriptions[] = { {0x6A89, "AID already exists" } }; +static const APDUSpcCodeDescription_t DeleteAPDUCodeDescriptions[] = { + {0x6985, "Referenced PxSE application cannot be deleted due to reference to CIPURSE application" }, + {0x6986, "Deletion of MF or predefined EFs is not allowed" }, + {0x6A82, "File not found" } +}; + static uint8_t defaultKeyId = 1; static uint8_t defaultKey[CIPURSE_AES_KEY_LENGTH] = CIPURSE_DEFAULT_KEY; #define CIPURSE_MAX_AID_LENGTH 16 @@ -867,7 +873,8 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { CLIParserInit(&ctx, "hf cipurse create", "Create application/file/key by provide appropriate DGI. If no key is supplied, default key of 737373...7373 will be used", "hf cipurse create -d 9200123F00200008000062098407A0000005070100 -> create PTSE file with FID 0x2000 and space for 8 AIDs\n" - "hf cipurse create -d -> create default file with FID 5F00\n"); + "hf cipurse create -d 92002438613F010A05020000FFFFFF021009021009621084054144204631D407A0000005070100A00F28" + "73737373737373737373737373737373015FD67B000102030405060708090A0B0C0D0E0F01C6A13B -> create default file with FID 3F01 and 2 keys\n"); void *argtable[] = { arg_param_begin, 
@@ -1081,7 +1088,8 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) { if (useFileID) { res = CIPURSEDeleteFile(fileId, buf, sizeof(buf), &len, &sw); if (res != 0 || sw != 0x9000) { - PrintAndLogEx(ERR, "Delete file " _CYAN_("%04x ") _RED_("ERROR") ". Card returns 0x%04x", fileId, sw); + PrintAndLogEx(ERR, "Delete file " _CYAN_("%04x ") _RED_("ERROR") ". Card returns:\n 0x%04x - %s", fileId, sw, + GetSpecificAPDUCodeDesc(DeleteAPDUCodeDescriptions, ARRAYLEN(DeleteAPDUCodeDescriptions), sw)); DropField(); return PM3_ESOFT; } @@ -1089,7 +1097,10 @@ static int CmdHFCipurseDeleteFile(const char *Cmd) { } else { res = CIPURSEDeleteFileAID(aid, aidLen, buf, sizeof(buf), &len, &sw); if (res != 0 || sw != 0x9000) { - PrintAndLogEx(ERR, "Delete application " _CYAN_("%s ") _RED_("error") ". Card returns 0x%04x", sprint_hex_inrow(aid, aidLen), sw); + PrintAndLogEx(ERR, "Delete application " _CYAN_("%s ") _RED_("ERROR") ". Card returns:\n 0x%04x - %s", + sprint_hex_inrow(aid, aidLen), + sw, + GetSpecificAPDUCodeDesc(DeleteAPDUCodeDescriptions, ARRAYLEN(DeleteAPDUCodeDescriptions), sw)); DropField(); return PM3_ESOFT; } From 025a92f8febe802c2bc6780abe26e1da55b6edbe Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 29 Jan 2022 01:58:46 +0200 Subject: [PATCH 8/8] fix access rights --- client/src/cmdhfcipurse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/src/cmdhfcipurse.c b/client/src/cmdhfcipurse.c index 297b96258..d099d3a1c 100644 --- a/client/src/cmdhfcipurse.c +++ b/client/src/cmdhfcipurse.c 
@@ -873,7 +873,7 @@ static int CmdHFCipurseCreateDGI(const char *Cmd) { CLIParserInit(&ctx, "hf cipurse create", "Create application/file/key by provide appropriate DGI. If no key is supplied, default key of 737373...7373 will be used", "hf cipurse create -d 9200123F00200008000062098407A0000005070100 -> create PTSE file with FID 0x2000 and space for 8 AIDs\n" - "hf cipurse create -d 92002438613F010A05020000FFFFFF021009021009621084054144204631D407A0000005070100A00F28" + "hf cipurse create -d 92002438613F010A050200004040FF021009021009621084054144204631D407A0000005070100A00F28" "73737373737373737373737373737373015FD67B000102030405060708090A0B0C0D0E0F01C6A13B -> create default file with FID 3F01 and 2 keys\n"); void *argtable[] = {