Merge pull request #654 from bkerler/mfdes_auth

Fix mifare desfire aes authentification
2025-02-25 08:35:56 +08:00 · 2020-04-07 09:22:32 +02:00 · 2020-04-07 09:22:32 +02:00 · 05d50bd5c6
commit 05d50bd5c6
parent ab8b9884a6 f01c37aff4
2 changed files with 37 additions and 12 deletions
--- a/armsrc/mifaredesfire.c
+++ b/armsrc/mifaredesfire.c
@ -204,7 +204,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
    uint8_t decRndB[16] = {0x00};
    uint8_t both[32] = {0x00};

-    InitDesfireCard();
+    //InitDesfireCard();

    LED_A_ON();
    LED_B_OFF();
@ -455,8 +455,12 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
            mbedtls_aes_init(&ctx);

            cmd[0] = AUTHENTICATE_AES;
-            cmd[1] = 0x00;  //keynumber
-            len = DesfireAPDU(cmd, 2, resp);
+            cmd[1] = 0x0;
+            cmd[2] = 0x0;
+            cmd[3] = 0x1;
+            cmd[4] = arg2;  //keynumber
+            cmd[5] = 0x0;
+            len = DesfireAPDU(cmd, 6, resp);
            if (!len) {
                if (DBGLEVEL >= DBG_ERROR) {
                    DbpString("Authentication failed. Card timeout.");
@ -465,7 +469,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
                return;
            }

-            memcpy(encRndB, resp + 3, 16);
+            memcpy(encRndB, resp + 1, 16);

            // dekryptera tagnonce.
            if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) {
@ -491,9 +495,13 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
            mbedtls_aes_crypt_cbc(&ctx, MBEDTLS_AES_ENCRYPT, 32, IV, both, encBoth);

            cmd[0] = ADDITIONAL_FRAME;
-            memcpy(cmd + 1, encBoth, 32);
+            cmd[1] = 0x00;
+            cmd[2] = 0x00;
+            cmd[3] = 0x20;
+            memcpy(cmd + 4, encBoth, 32);
+            cmd[36]=0x0;

-            len = DesfireAPDU(cmd, 33, resp);  // 1 + 32 == 33
+            len = DesfireAPDU(cmd, 37, resp);  // 4 + 32 + 1 == 37
            if (!len) {
                if (DBGLEVEL >= DBG_ERROR) {
                    DbpString("Authentication failed. Card timeout.");
@ -502,7 +510,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2,  uint8_t *datain)
                return;
            }

-            if (resp[2] == 0x00) {
+            if ((resp[1+16] == 0x91)&&(resp[1+16+1] == 0x00)) {
                // Create AES Session key
                struct desfire_key sessionKey = {0};
                desfirekey_t skey = &sessionKey;
--- a/client/cmdhfmfdes.c
+++ b/client/cmdhfmfdes.c
@ -779,22 +779,29 @@ static int CmdHF14ADesAuth(const char *Cmd) {

    uint8_t keylength = 8;
    unsigned char key[24];
+    uint8_t aidlength = 3;
+    unsigned char aid[3];

    if (strlen(Cmd) < 3) {
-        PrintAndLogEx(NORMAL, "Usage:  hf mfdes auth <1|2|3> <1|2|3|4> <keyno> <key> ");
+        PrintAndLogEx(NORMAL, "Usage:  hf mfdes auth <1|2|3> <1|2|3|4> <appid> <keyno> <key> ");
        PrintAndLogEx(NORMAL, "            Auth modes");
        PrintAndLogEx(NORMAL, "                 1 = normal, 2 = iso, 3 = aes");
        PrintAndLogEx(NORMAL, "            Crypto");
        PrintAndLogEx(NORMAL, "                 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES");
        PrintAndLogEx(NORMAL, "");
        PrintAndLogEx(NORMAL, "Examples:");
-        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 1 1 0 11223344"));
-        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 3 4 0 404142434445464748494a4b4c4d4e4f"));
+        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 1 1 0 0 11223344"));
+        PrintAndLogEx(NORMAL, _YELLOW_("         hf mfdes auth 3 4 018380 0 404142434445464748494a4b4c4d4e4f"));
        return PM3_SUCCESS;
    }
    uint8_t cmdAuthMode = param_get8(Cmd, 0);
    uint8_t cmdAuthAlgo = param_get8(Cmd, 1);
-    uint8_t cmdKeyNo    = param_get8(Cmd, 2);
+    // AID
+    if (param_gethex(Cmd, 2, aid, aidlength*2)) {
+        PrintAndLogEx(WARNING, "aid must include %d HEX symbols", 3);
+        return PM3_EINVARG;
+    }
+    uint8_t cmdKeyNo    = param_get8(Cmd, 3);

    switch (cmdAuthMode) {
        case 1:
@ -841,11 +848,21 @@ static int CmdHF14ADesAuth(const char *Cmd) {
    }

    // key
-    if (param_gethex(Cmd, 3, key, keylength * 2)) {
+    if (param_gethex(Cmd, 4, key, keylength * 2)) {
        PrintAndLogEx(WARNING, "Key must include %d HEX symbols", keylength);
        return PM3_EINVARG;
    }

+    if (get_desfire_select_application(aid) != PM3_SUCCESS) {
+        PrintAndLogEx(WARNING, _RED_("   Can't select AID"));
+        DropField();
+        return PM3_ESOFT;
+    }
+
+    uint8_t file_ids[33] = {0};
+    uint8_t file_ids_len = 0;
+    get_desfire_fileids(file_ids, &file_ids_len);
+
    // algo, keylength,
    uint8_t data[25] = {keylength}; // max length: 1 + 24 (3k3DES)
    memcpy(data + 1, key, keylength);