nested authentication works ok (tested)

and code cleaning
2025-08-19 04:49:38 -07:00 · 2011-05-26 15:20:03 +00:00 · 2011-05-26 15:20:03 +00:00 · 4abe4f5867
commit 4abe4f5867
parent 20f9a2a1d5
4 changed files with 212 additions and 95 deletions
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -1502,7 +1502,6 @@ int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, u
 	uint8_t rats[]       = { 0xE0,0x80,0x00,0x00 }; // FSD=256, FSDI=8, CID=0

 	uint8_t* resp = (((uint8_t *)BigBuf) + 3560);	// was 3560 - tied to other size changes
-	//uint8_t* uid  = resp + 7;

 	uint8_t sak = 0x04; // cascade uid
 	int cascade_level = 0;
@ -1520,9 +1519,6 @@ int iso14443a_select_card(uint8_t * uid_ptr, iso14a_card_select_t * resp_data, u
 	if(resp_data)
 		memcpy(resp_data->atqa, resp, 2);
 	
-	//ReaderTransmit(sel_all,sizeof(sel_all)); --- avoid duplicate SELECT request
-	//if(!ReaderReceive(uid)) return 0;
-
 	// OK we will select at least at cascade 1, lets see if first byte of UID was 0x88 in
 	// which case we need to make a cascade 2 request and select - this is a long UID
 	// While the UID is not complete, the 3nd bit (from the right) is set in the SAK.
@ -1802,7 +1798,7 @@ void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 			break;
 		};

-		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
 			Dbprintf("Auth error");
 			break;
 		};
@ -1885,7 +1881,7 @@ void MifareReadSector(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 			break;
 		};

-		if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, 0)) {
+		if(mifare_classic_auth(pcs, cuid, sectorNo * 4, keyType, ui64Key, AUTH_FIRST)) {
 			Dbprintf("Auth error");
 			break;
 		};
@ -1986,7 +1982,7 @@ void MifareWriteBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 			break;
 		};

-		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
 			Dbprintf("Auth error");
 			break;
 		};
@ -2069,13 +2065,13 @@ void MifareNested(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
 			break;
 		};
 		
-		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, 0)) {
+		if(mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {
 			Dbprintf("Auth error");
 			break;
 		};

 		// nested authenticate block = (blockNo + 1)
-		if(mifare_classic_auth(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, keyType, ui64Key, 1)) {
+		if(mifare_classic_auth(pcs, (uint32_t)bytes_to_num(uid, 4), blockNo + 1, keyType, ui64Key, AUTH_NESTED)) {
 			Dbprintf("Auth error");
 			break;
 		};
--- a/armsrc/mifareutil.c
+++ b/armsrc/mifareutil.c
@ -50,7 +50,7 @@ int mifare_sendcmd_short(struct Crypto1State *pcs, uint8_t crypted, uint8_t cmd,

 	int len = ReaderReceive(answer);

-	if (crypted) {
+	if (crypted == CRYPT_ALL) {
 		if (len == 1) {
 			res = 0;
 			for (pos = 0; pos < 4; pos++)
@ -94,14 +94,24 @@ int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo,
 	
 	// Save the tag nonce (nt)
 	nt = bytes_to_num(receivedAnswer, 4);
-	Dbprintf("uid: %x nt: %x", uid, nt);  

 	//  ----------------------------- crypto1 create
+	if (isNested)
+		crypto1_destroy(pcs);
+
 	// Init cipher with key
 	crypto1_create(pcs, ui64Key);

+	if (isNested == AUTH_NESTED) {
+		// decrypt nt with help of new key 
+		nt = crypto1_word(pcs, nt ^ uid, 1) ^ nt;
+	} else {
 		// Load (plain) uid^nt into the cipher
 		crypto1_word(pcs, nt ^ uid, 0);
+	}
+
+	// some statistic
+	Dbprintf("auth uid: %08x nt: %08x", uid, nt);  

 	par = 0;
 	// Generate (encrypted) nr+parity by loading it into the cipher (Nr)
--- a/armsrc/mifareutil.h
+++ b/armsrc/mifareutil.h
@ -9,6 +9,12 @@
 // code for work with mifare cards.
 //-----------------------------------------------------------------------------

+#define CRYPT_NONE    0
+#define CRYPT_ALL     1
+#define CRYPT_REQUEST 2
+#define AUTH_FIRST    0
+#define AUTH_NESTED   2
+
 int mifare_classic_auth(struct Crypto1State *pcs, uint32_t uid, \
                        uint8_t blockNo, uint8_t keyType, uint64_t ui64Key, uint64_t isNested);
 int mifare_classic_readblock(struct Crypto1State *pcs, uint32_t uid, uint8_t blockNo, uint8_t *blockData); 
--- a/client/cmdhf14a.c
+++ b/client/cmdhf14a.c
@ -387,6 +387,109 @@ int CmdHF14AMfRdSc(const char *Cmd)
  return 0;
 }

+int CmdHF14AMfNested(const char *Cmd)
+{
+	int i, temp;
+	uint8_t sectorNo = 0;
+	uint8_t keyType = 0;
+	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+	
+	const char *cmdp	= Cmd;
+
+
+	if (strlen(Cmd)<3) {
+		PrintAndLog("Usage:  hf 14a nested    <sector number> <key A/B> <key (12 hex symbols)>");
+		PrintAndLog("           sample: hf 14a nested 0 A FFFFFFFFFFFF ");
+		return 0;
+	}	
+	
+  // skip spaces
+	while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+	sectorNo = strtol(cmdp, NULL, 0) & 0xff;
+	
+	// next value
+	while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+	while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+	if (*cmdp != 'A' && *cmdp != 'a')  {
+		keyType = 1;
+	}
+
+	// next value
+	while (*cmdp!=' ' && *cmdp!='\t') cmdp++;
+	while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+	if (strlen(cmdp) != 12) {
+		PrintAndLog("Length of key must be 12 hex symbols");
+		return 0;
+	}
+	
+	for(i = 0; i < 6; i++) {
+		sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+		key[i] = temp & 0xff;
+		cmdp++;
+		cmdp++;
+	}	
+	PrintAndLog(" sector no:%02x key type:%02x key:%s ", sectorNo, keyType, sprint_hex(key, 6));
+	
+  UsbCommand c = {CMD_MIFARE_NESTED, {sectorNo, keyType, 0}};
+	memcpy(c.d.asBytes, key, 6);
+  SendCommand(&c);
+	UsbCommand * resp = WaitForResponseTimeout(CMD_ACK, 1500);
+	PrintAndLog(" ");
+
+	if (resp != NULL) {
+		uint8_t                isOK  = resp->arg[0] & 0xff;
+		uint8_t              * data  = resp->d.asBytes;
+
+		PrintAndLog("isOk:%02x", isOK);
+		for (i = 0; i < 2; i++) {
+			PrintAndLog("data:%s", sprint_hex(data + i * 16, 16));
+		}
+	} else {
+		PrintAndLog("Command execute timeout");
+	}
+
+  return 0;
+}
+
+int CmdHF14AMf1kSim(const char *Cmd)
+{
+	int i, temp;
+	uint8_t uid[4] = {0, 0, 0, 0};
+	
+	const char *cmdp	= Cmd;
+
+
+	if (strlen(Cmd)<3) {
+		PrintAndLog("Usage:  hf 14a mfsim  <uid (8 hex symbols)>");
+		PrintAndLog("           sample: hf 14a mfsim 0a0a0a0a ");
+		return 0;
+	}	
+	
+  // skip spaces
+	while (*cmdp==' ' || *cmdp=='\t') cmdp++;
+
+	if (strlen(cmdp) != 8) {
+		PrintAndLog("Length of UID must be 8 hex symbols");
+		return 0;
+	}
+	
+	for(i = 0; i < 4; i++) {
+		sscanf((char[]){cmdp[0],cmdp[1],0},"%X",&temp);
+		uid[i] = temp & 0xff;
+		cmdp++;
+		cmdp++;
+	}	
+	PrintAndLog(" uid:%s ", sprint_hex(uid, 4));
+	
+  UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {0, 0, 0}};
+	memcpy(c.d.asBytes, uid, 6);
+  SendCommand(&c);
+
+  return 0;
+}
+
+
 int CmdHF14AReader(const char *Cmd)
 {
 	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_CONNECT, 0, 0}};
@ -445,6 +548,8 @@ static command_t CommandTable[] =
  {"mfrdbl", CmdHF14AMfRdBl,   0, "Read MIFARE classic block"},
  {"mfrdsc", CmdHF14AMfRdSc,   0, "Read MIFARE classic sector"},
  {"mfwrbl", CmdHF14AMfWrBl,   0, "Write MIFARE classic block"},
+  {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},
+  {"mfsim",  CmdHF14AMf1kSim,  0, "Simulate MIFARE 1k card - NOT WORKING!!!"},
  {"reader", CmdHF14AReader,   0, "Act like an ISO14443 Type A reader"},
  {"sim",    CmdHF14ASim,      0, "<UID> -- Fake ISO 14443a tag"},
  {"snoop",  CmdHF14ASnoop,    0, "Eavesdrop ISO 14443 Type A"},