diff --git a/client/cmdhfmfp.c b/client/cmdhfmfp.c index cc64297e8..78cec3e2c 100644 --- a/client/cmdhfmfp.c +++ b/client/cmdhfmfp.c @@ -1,5 +1,6 @@ //----------------------------------------------------------------------------- // Copyright (C) 2018 Merlok +// Copyright (C) 2018 drHatson // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -34,13 +35,15 @@ typedef struct { static const PlusErrorsElm PlusErrors[] = { {0xFF, ""}, - {0x00, "Unknown error"}, - {0x06, "Block use error"}, - {0x07, "Command use error"}, - {0x08, "Invalid write command"}, - {0x09, "Invalid block number"}, - {0x0b, "Command code error"}, + {0x00, "Transfer cannot be granted within the current authentication."}, + {0x06, "Access Conditions not fulfilled. Block does not exist, block is not a value block."}, + {0x07, "Too many read or write commands in the session or in the transaction."}, + {0x08, "Invalid MAC in command or response"}, + {0x09, "Block Number is not valid"}, + {0x0a, "Invalid block number, not existing block number"}, + {0x0b, "The current command code not available at the current card state."}, {0x0c, "Length error"}, + {0x0f, "General Manipulation Error. Failure in the operation of the PICC (cannot write to the data block), etc."}, {0x90, "OK"}, }; int PlusErrorsLen = sizeof(PlusErrors) / sizeof(PlusErrorsElm); @@ -85,17 +88,41 @@ int MFPCommitPerso(bool activateField, bool leaveSignalON, uint8_t *dataout, int return intExchangeRAW14aPlus(rcmd, sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); } -int MFPReadBlock(mf4Session *session, bool plain, uint8_t blockNum, uint8_t blockCount, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { +int MFPReadBlock(mf4Session *session, bool plain, uint8_t blockNum, uint8_t blockCount, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac) { uint8_t rcmd[4 + 8] = {(plain?(0x37):(0x33)), blockNum, 0x00, blockCount}; + if (!plain && session) + CalculateMAC(session, mtypReadCmd, blockNum, blockCount, rcmd, 4, &rcmd[4], VerboseMode); - return intExchangeRAW14aPlus(rcmd, plain?4:sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); + int res = intExchangeRAW14aPlus(rcmd, plain?4:sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); + if(res) + return res; + + if (session) + session->R_Ctr++; + + if(session && mac && *dataoutlen > 11) + CalculateMAC(session, mtypReadResp, blockNum, blockCount, dataout, *dataoutlen - 8 - 2, mac, VerboseMode); + + return 0; } -int MFPWriteBlock(mf4Session *session, uint8_t blockNum, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) { +int MFPWriteBlock(mf4Session *session, uint8_t blockNum, uint8_t *data, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen, uint8_t *mac) { uint8_t rcmd[1 + 2 + 16 + 8] = {0xA3, blockNum, 0x00}; memmove(&rcmd[3], data, 16); + if (session) + CalculateMAC(session, mtypWriteCmd, blockNum, 1, rcmd, 19, &rcmd[19], VerboseMode); - return intExchangeRAW14aPlus(rcmd, sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); + int res = intExchangeRAW14aPlus(rcmd, sizeof(rcmd), activateField, leaveSignalON, dataout, maxdataoutlen, dataoutlen); + if(res) + return res; + + if (session) + session->W_Ctr++; + + if(session && mac && *dataoutlen > 3) + CalculateMAC(session, mtypWriteResp, blockNum, 1, dataout, *dataoutlen, mac, VerboseMode); + + return 0; } int CmdHFMFPInfo(const char *cmd) { @@ -402,7 +429,7 @@ int CmdHFMFPRdbl(const char *cmd) { int keylen = 0; CLIParserInit("hf mfp rdbl", - "Reads several blocks from Mifare Plus card in plain mode.", + "Reads several blocks from Mifare Plus card.", "Usage:\n\thf mfp rdbl 0 000102030405060708090a0b0c0d0e0f -> executes authentication and read block 0 data\n" "\thf mfp rdbl 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF and some additional data\n"); @@ -411,7 +438,7 @@ int CmdHFMFPRdbl(const char *cmd) { arg_lit0("vV", "verbose", "show internal data."), arg_int0("nN", "count", "blocks count (by default 1).", NULL), arg_lit0("bB", "keyb", "use key B (by default keyA)."), - arg_lit0("pP", "plain", "plain communication between reader and card."), + arg_lit0("pP", "plain", "plain communication mode between reader and card."), arg_int1(NULL, NULL, "", NULL), arg_str0(NULL, NULL, "", NULL), arg_param_end @@ -421,7 +448,7 @@ int CmdHFMFPRdbl(const char *cmd) { bool verbose = arg_get_lit(1); int blocksCount = arg_get_int_def(2, 1); bool keyB = arg_get_lit(3); - int plain = arg_get_lit(4) | true; + int plain = arg_get_lit(4); uint32_t blockn = arg_get_int(5); CLIGetHexWithReturn(6, key, &keylen); CLIParserFree(); @@ -449,6 +476,10 @@ int CmdHFMFPRdbl(const char *cmd) { return 1; } + if (blocksCount > 1 && mfIsSectorTrailer(blockn)) { + PrintAndLog("WARNING: trailer!"); + } + uint8_t sectorNum = mfSectorNum(blockn & 0xff); uint16_t uKeyNum = 0x4000 + sectorNum * 2 + (keyB ? 1 : 0); keyn[0] = uKeyNum >> 8; @@ -465,7 +496,8 @@ int CmdHFMFPRdbl(const char *cmd) { uint8_t data[250] = {0}; int datalen = 0; - res = MFPReadBlock(&session, plain, blockn & 0xff, blocksCount, false, false, data, sizeof(data), &datalen); + uint8_t mac[8] = {0}; + res = MFPReadBlock(&session, plain, blockn & 0xff, blocksCount, false, false, data, sizeof(data), &datalen, mac); if (res) { PrintAndLogEx(ERR, "Read error: %d", res); return res; @@ -485,14 +517,20 @@ int CmdHFMFPRdbl(const char *cmd) { for(int i = 0; i < blocksCount; i++) { PrintAndLogEx(INFO, "data[%03d]: %s", indx, sprint_hex(&data[1 + i * 16], 16)); indx++; - if (mfIsSectorTrailer(indx)){ + if (mfIsSectorTrailer(indx) && i != blocksCount - 1){ PrintAndLogEx(INFO, "data[%03d]: ------------------- trailer -------------------", indx); indx++; } } + if (memcmp(&data[blocksCount * 16 + 1], mac, 8)) { + PrintAndLogEx(WARNING, "WARNING: mac not equal..."); + PrintAndLogEx(WARNING, "MAC card: %s", sprint_hex(&data[blocksCount * 16 + 1], 8)); + PrintAndLogEx(WARNING, "MAC reader: %s", sprint_hex(mac, 8)); + } else { if(verbose) - PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[blocksCount * 16 + 1], 8)); + PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[blocksCount * 16 + 1], 8)); + } return 0; } @@ -503,7 +541,7 @@ int CmdHFMFPRdsc(const char *cmd) { int keylen = 0; CLIParserInit("hf mfp rdsc", - "Reads one sector from Mifare Plus card in plain mode.", + "Reads one sector from Mifare Plus card.", "Usage:\n\thf mfp rdsc 0 000102030405060708090a0b0c0d0e0f -> executes authentication and read sector 0 data\n" "\thf mfp rdsc 1 -v -> executes authentication and shows sector 1 data with default key 0xFF..0xFF and some additional data\n"); @@ -511,7 +549,7 @@ int CmdHFMFPRdsc(const char *cmd) { arg_param_begin, arg_lit0("vV", "verbose", "show internal data."), arg_lit0("bB", "keyb", "use key B (by default keyA)."), - arg_lit0("pP", "plain", "plain communication between reader and card."), + arg_lit0("pP", "plain", "plain communication mode between reader and card."), arg_int1(NULL, NULL, "", NULL), arg_str0(NULL, NULL, "", NULL), arg_param_end @@ -520,7 +558,7 @@ int CmdHFMFPRdsc(const char *cmd) { bool verbose = arg_get_lit(1); bool keyB = arg_get_lit(2); - bool plain = arg_get_lit(3) | true; + bool plain = arg_get_lit(3); uint32_t sectorNum = arg_get_int(4); CLIGetHexWithReturn(5, key, &keylen); CLIParserFree(); @@ -557,8 +595,9 @@ int CmdHFMFPRdsc(const char *cmd) { uint8_t data[250] = {0}; int datalen = 0; + uint8_t mac[8] = {0}; for(int n = mfFirstBlockOfSector(sectorNum); n < mfFirstBlockOfSector(sectorNum) + mfNumBlocksPerSector(sectorNum); n++) { - res = MFPReadBlock(&session, plain, n & 0xff, 1, false, true, data, sizeof(data), &datalen); + res = MFPReadBlock(&session, plain, n & 0xff, 1, false, true, data, sizeof(data), &datalen, mac); if (res) { PrintAndLogEx(ERR, "Read error: %d", res); DropField(); @@ -578,8 +617,14 @@ int CmdHFMFPRdsc(const char *cmd) { PrintAndLogEx(INFO, "data[%03d]: %s", n, sprint_hex(&data[1], 16)); - if(verbose) - PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[1 + 16], 8)); + if (memcmp(&data[1 + 16], mac, 8)) { + PrintAndLogEx(WARNING, "WARNING: mac on block %d not equal...", n); + PrintAndLogEx(WARNING, "MAC card: %s", sprint_hex(&data[1 + 16], 8)); + PrintAndLogEx(WARNING, "MAC reader: %s", sprint_hex(mac, 8)); + } else { + if(verbose) + PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[1 + 16], 8)); + } } DropField(); @@ -654,25 +699,37 @@ int CmdHFMFPWrbl(const char *cmd) { uint8_t data[250] = {0}; int datalen = 0; - res = MFPWriteBlock(&session, blockNum & 0xff, datain, false, false, data, sizeof(data), &datalen); + uint8_t mac[8] = {0}; + res = MFPWriteBlock(&session, blockNum & 0xff, datain, false, false, data, sizeof(data), &datalen, mac); if (res) { PrintAndLogEx(ERR, "Write error: %d", res); + DropField(); return res; } if (datalen != 3 && (datalen != 3 + 8)) { PrintAndLogEx(ERR, "Error return length:%d", datalen); + DropField(); return 5; } if (datalen && data[0] != 0x90) { PrintAndLogEx(ERR, "Card write error: %02x %s", data[0], GetErrorDescription(data[0])); + DropField(); return 6; } - if(verbose) - PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[1], 8)); + if (memcmp(&data[1], mac, 8)) { + PrintAndLogEx(WARNING, "WARNING: mac not equal..."); + PrintAndLogEx(WARNING, "MAC card: %s", sprint_hex(&data[1], 8)); + PrintAndLogEx(WARNING, "MAC reader: %s", sprint_hex(mac, 8)); + } else { + if(verbose) + PrintAndLogEx(INFO, "MAC: %s", sprint_hex(&data[1], 8)); + } + DropField(); + PrintAndLogEx(INFO, "Write OK."); return 0; } @@ -686,7 +743,7 @@ static command_t CommandTable[] = {"auth", CmdHFMFPAuth, 0, "Authentication"}, {"rdbl", CmdHFMFPRdbl, 0, "Read blocks"}, {"rdsc", CmdHFMFPRdsc, 0, "Read sectors"}, -// {"wrbl", CmdHFMFPWrbl, 0, "Write blocks"}, + {"wrbl", CmdHFMFPWrbl, 0, "Write blocks"}, {NULL, NULL, 0, NULL} }; diff --git a/client/mifare4.c b/client/mifare4.c index 2ca28cb3f..8f9bd9e67 100644 --- a/client/mifare4.c +++ b/client/mifare4.c @@ -1,5 +1,6 @@ //----------------------------------------------------------------------------- // Copyright (C) 2018 Merlok +// Copyright (C) 2018 drHatson // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -16,24 +17,85 @@ #include "ui.h" #include "polarssl/libpcrypto.h" -int CalulateMAC(mf4Session *session, uint8_t *data, int datalen, uint8_t *mac, bool verbose) { - if (!session || !session->Authenticated || !mac || !data || !datalen) +int CalculateEncIVCommand(mf4Session *session, uint8_t *iv, bool verbose) { + memcpy(&iv[0], session->TI, 4); + memcpy(&iv[4], &session->R_Ctr, 2); + memcpy(&iv[6], &session->W_Ctr, 2); + memcpy(&iv[8], &session->R_Ctr, 2); + memcpy(&iv[10], &session->W_Ctr, 2); + memcpy(&iv[12], &session->R_Ctr, 2); + memcpy(&iv[14], &session->W_Ctr, 2); + + return 0; +} + +int CalculateEncIVResponse(mf4Session *session, uint8_t *iv, bool verbose) { + memcpy(&iv[0], &session->R_Ctr, 2); + memcpy(&iv[2], &session->W_Ctr, 2); + memcpy(&iv[4], &session->R_Ctr, 2); + memcpy(&iv[6], &session->W_Ctr, 2); + memcpy(&iv[8], &session->R_Ctr, 2); + memcpy(&iv[10], &session->W_Ctr, 2); + memcpy(&iv[12], session->TI, 4); + + return 0; +} + + +int CalculateMAC(mf4Session *session, MACType_t mtype, uint8_t blockNum, uint8_t blockCount, uint8_t *data, int datalen, uint8_t *mac, bool verbose) { + if (!session || !session->Authenticated || !mac || !data || !datalen || datalen < 1) return 1; memset(mac, 0x00, 8); - if (verbose) - PrintAndLog("MAC data[%d]: %s", datalen, sprint_hex(data, datalen)); + uint16_t ctr = session->R_Ctr; + switch(mtype) { + case mtypWriteCmd: + case mtypWriteResp: + ctr = session->W_Ctr; + break; + case mtypReadCmd: + case mtypReadResp: + break; + } + + uint8_t macdata[2049] = {data[0], (ctr & 0xFF), (ctr >> 8), 0}; + int macdatalen = datalen; + memcpy(&macdata[3], session->TI, 4); + + switch(mtype) { + case mtypReadCmd: + memcpy(&macdata[7], &data[1], datalen - 1); + macdatalen = datalen + 6; + break; + case mtypReadResp: + macdata[7] = blockNum; + macdata[8] = 0; + macdata[9] = blockCount; + memcpy(&macdata[10], &data[1], datalen - 1); + macdatalen = datalen + 9; + break; + case mtypWriteCmd: + memcpy(&macdata[7], &data[1], datalen - 1); + macdatalen = datalen + 6; + break; + case mtypWriteResp: + macdatalen = 1 + 6; + break; + } - return aes_cmac8(NULL, session->Key, data, mac, datalen); + if (verbose) + PrintAndLog("MAC data[%d]: %s", macdatalen, sprint_hex(macdata, macdatalen)); + + return aes_cmac8(NULL, session->Kmac, macdata, mac, macdatalen); } int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool verbose) { uint8_t data[257] = {0}; int datalen = 0; - uint8_t Rnd1[17] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00}; - uint8_t Rnd2[17] = {0}; + uint8_t RndA[17] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00}; + uint8_t RndB[17] = {0}; if (session) session->Authenticated = false; @@ -67,17 +129,17 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF return 3; } - aes_decode(NULL, key, &data[1], Rnd2, 16); - Rnd2[16] = Rnd2[0]; + aes_decode(NULL, key, &data[1], RndB, 16); + RndB[16] = RndB[0]; if (verbose) - PrintAndLogEx(INFO, "Rnd2: %s", sprint_hex(Rnd2, 16)); + PrintAndLogEx(INFO, "RndB: %s", sprint_hex(RndB, 16)); uint8_t cmd2[33] = {0}; cmd2[0] = 0x72; uint8_t raw[32] = {0}; - memmove(raw, Rnd1, 16); - memmove(&raw[16], &Rnd2[1], 16); + memmove(raw, RndA, 16); + memmove(&raw[16], &RndB[1], 16); aes_encode(NULL, key, raw, &cmd2[1], 32); if (verbose) @@ -97,19 +159,49 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF if (verbose) { PrintAndLogEx(INFO, "res: %s", sprint_hex(raw, 32)); - PrintAndLogEx(INFO, "Rnd1`: %s", sprint_hex(&raw[4], 16)); + PrintAndLogEx(INFO, "RndA`: %s", sprint_hex(&raw[4], 16)); } - if (memcmp(&raw[4], &Rnd1[1], 16)) { + if (memcmp(&raw[4], &RndA[1], 16)) { PrintAndLogEx(ERR, "\nAuthentication FAILED. rnd not equal"); if (verbose) { - PrintAndLogEx(ERR, "rnd1 reader: %s", sprint_hex(&Rnd1[1], 16)); - PrintAndLogEx(ERR, "rnd1 card: %s", sprint_hex(&raw[4], 16)); + PrintAndLogEx(ERR, "RndA reader: %s", sprint_hex(&RndA[1], 16)); + PrintAndLogEx(ERR, "RndA card: %s", sprint_hex(&raw[4], 16)); } DropField(); return 5; } + if (verbose) { + PrintAndLogEx(INFO, " TI: %s", sprint_hex(raw, 4)); + PrintAndLogEx(INFO, "pic: %s", sprint_hex(&raw[20], 6)); + PrintAndLogEx(INFO, "pcd: %s", sprint_hex(&raw[26], 6)); + } + + uint8_t kenc[16] = {0}; + memcpy(&kenc[0], &RndA[11], 5); + memcpy(&kenc[5], &RndB[11], 5); + for(int i = 0; i < 5; i++) + kenc[10 + i] = RndA[4 + i] ^ RndB[4 + i]; + kenc[15] = 0x11; + + aes_encode(NULL, key, kenc, kenc, 16); + if (verbose) { + PrintAndLogEx(INFO, "kenc: %s", sprint_hex(kenc, 16)); + } + + uint8_t kmac[16] = {0}; + memcpy(&kmac[0], &RndA[7], 5); + memcpy(&kmac[5], &RndB[7], 5); + for(int i = 0; i < 5; i++) + kmac[10 + i] = RndA[0 + i] ^ RndB[0 + i]; + kmac[15] = 0x22; + + aes_encode(NULL, key, kmac, kmac, 16); + if (verbose) { + PrintAndLogEx(INFO, "kmac: %s", sprint_hex(kmac, 16)); + } + if (!leaveSignalON) DropField(); @@ -118,9 +210,17 @@ int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateF if (session) { session->Authenticated = true; + session->R_Ctr = 0; + session->W_Ctr = 0; session->KeyNum = keyn[1] + (keyn[0] << 8); - memmove(session->Rnd1, Rnd1, 16); - memmove(session->Rnd2, Rnd2, 16); + memmove(session->RndA, RndA, 16); + memmove(session->RndB, RndB, 16); + memmove(session->Key, key, 16); + memmove(session->TI, raw, 4); + memmove(session->PICCap2, &raw[20], 6); + memmove(session->PCDCap2, &raw[26], 6); + memmove(session->Kenc, kenc, 16); + memmove(session->Kmac, kmac, 16); } PrintAndLogEx(INFO, "Authentication OK"); diff --git a/client/mifare4.h b/client/mifare4.h index 7867add5d..b85d512f1 100644 --- a/client/mifare4.h +++ b/client/mifare4.h @@ -1,5 +1,6 @@ //----------------------------------------------------------------------------- // Copyright (C) 2018 Merlok +// Copyright (C) 2018 drHatson // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -19,12 +20,25 @@ typedef struct { bool Authenticated; uint8_t Key[16]; uint16_t KeyNum; - uint8_t Rnd1[16]; - uint8_t Rnd2[16]; - + uint8_t RndA[16]; + uint8_t RndB[16]; + uint8_t TI[4]; + uint8_t PICCap2[6]; + uint8_t PCDCap2[6]; + uint8_t Kenc[16]; + uint8_t Kmac[16]; + uint16_t R_Ctr; + uint16_t W_Ctr; }mf4Session; + +typedef enum { + mtypReadCmd, + mtypReadResp, + mtypWriteCmd, + mtypWriteResp, +} MACType_t; -extern int CalulateMAC(mf4Session *session, uint8_t *data, int datalen, uint8_t *mac, bool verbose); +extern int CalculateMAC(mf4Session *session, MACType_t mtype, uint8_t blockNum, uint8_t blockCount, uint8_t *data, int datalen, uint8_t *mac, bool verbose); extern int MifareAuth4(mf4Session *session, uint8_t *keyn, uint8_t *key, bool activateField, bool leaveSignalON, bool verbose); extern uint8_t mfNumBlocksPerSector(uint8_t sectorNo); diff --git a/common/polarssl/libpcrypto.c b/common/polarssl/libpcrypto.c index d86c97568..0dea75fac 100644 --- a/common/polarssl/libpcrypto.c +++ b/common/polarssl/libpcrypto.c @@ -1,5 +1,6 @@ //----------------------------------------------------------------------------- // Copyright (C) 2018 Merlok +// Copyright (C) 2018 drHatson // // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of @@ -12,6 +13,7 @@ #include #include +// NIST Special Publication 800-38A — Recommendation for block cipher modes of operation: methods and techniques, 2001. int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){ uint8_t iiv[16] = {0}; if (iv) @@ -52,16 +54,10 @@ int aes_cmac(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *mac, int length if (iv) memcpy(iiv, iv, 16); - // padding: ISO/IEC 9797-1 Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher - uint8_t data[2049] = {0}; // length + 16 - memcpy(data, input, length); - data[length] = 0x80; - int datalen = (length & 0xfffffff0) + 0x10; - // NIST 800-38B aes_cmac128_context ctx; aes_cmac128_starts(&ctx, key); - aes_cmac128_update(&ctx, data, datalen); + aes_cmac128_update(&ctx, input, length); aes_cmac128_final(&ctx, mac); return 0;