Merge pull request #1376 from merlokk/desf_setconfig

Desfire set configuration
2024-09-22 08:16:16 +08:00 · 2021-07-20 23:30:29 +03:00 · 2021-07-20 23:30:29 +03:00 · 0ce5531f76
parent a395873094 10362d68cf
commit 0ce5531f76
4 changed files with 145 additions and 7 deletions
--- a/client/src/cmdhfmfdes.c
+++ b/client/src/cmdhfmfdes.c
@ -4885,6 +4885,93 @@ static int CmdHF14ADesDefault(const char *Cmd) {
    return PM3_SUCCESS;
 }

+static int CmdHF14ADesSetConfiguration(const char *Cmd) {
+    CLIParserContext *ctx;
+    CLIParserInit(&ctx, "hf mfdes setconfig",
+                  "Set card configuration. WARNING! Danger zone! Needs to provide card's master key and works if not blocked by config.",
+                  "hf mfdes setconfig --param 03 --data 0428 -> set parameter 03\n"
+                  "hf mfdes setconfig --param 02 --data 0875778102637264 -> set parameter 02");
+
+    void *argtable[] = {
+        arg_param_begin,
+        arg_lit0("a",  "apdu",    "show APDU requests and responses"),
+        arg_lit0("v",  "verbose", "show technical data"),
+        arg_int0("n",  "keyno",   "<keyno>", "Key number"),
+        arg_str0("t",  "algo",    "<DES/2TDEA/3TDEA/AES>",  "Crypt algo: DES, 2TDEA, 3TDEA, AES"),
+        arg_str0("k",  "key",     "<Key>",   "Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)"),
+        arg_str0("f",  "kdf",     "<none/AN10922/gallagher>",   "Key Derivation Function (KDF): None, AN10922, Gallagher"),
+        arg_str0("i",  "kdfi",    "<kdfi>",  "KDF input (HEX 1-31 bytes)"),
+        arg_str0("m",  "cmode",   "<plain/mac/encrypt>", "Communicaton mode: plain/mac/encrypt"),
+        arg_str0("c",  "ccset",   "<native/niso/iso>", "Communicaton command set: native/niso/iso"),
+        arg_str0("s",  "schann",  "<d40/ev1/ev2>", "Secure channel: d40/ev1/ev2"),
+        arg_str0(NULL, "aid",     "<app id hex>", "Application ID of application for some parameters (3 hex bytes, big endian)"),
+        arg_str0("p",  "param",   "<HEX 1 byte>", "Parameter id (HEX 1 byte)"),
+        arg_str0("d",  "data",    "<data HEX>", "Data for parameter (HEX 1..30 bytes)"),
+        arg_param_end
+    };
+    CLIExecWithReturn(ctx, Cmd, argtable, false);
+
+    bool APDULogging = arg_get_lit(ctx, 1);
+    bool verbose = arg_get_lit(ctx, 2);
+
+    DesfireContext dctx;
+    int securechann = defaultSecureChannel;
+    uint32_t appid = 0x000000;
+    int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, DCMEncrypted, &appid);
+    if (res) {
+        CLIParserFree(ctx);
+        return res;
+    }
+
+    uint32_t paramid = 0;
+    res = arg_get_u32_hexstr_def_nlen(ctx, 12, 0, &paramid, 1, true);
+    if (res == 2) {
+        PrintAndLogEx(ERR, "Parameter ID must have 1 bytes length");
+        CLIParserFree(ctx);
+        return PM3_EINVARG;
+    }
+
+    uint8_t param[250] = {0};
+    int paramlen = sizeof(param);
+    CLIGetHexWithReturn(ctx, 13, param, &paramlen);
+    if (paramlen == 0) {
+        PrintAndLogEx(ERR, "Parameter must have a data.");
+        return PM3_EINVARG;
+    }
+    if (paramlen > 50) {
+        PrintAndLogEx(ERR, "Parameter data length must be less than 50 instead of %d.", paramlen);
+        return PM3_EINVARG;
+    }
+
+    SetAPDULogging(APDULogging);
+    CLIParserFree(ctx);
+
+    if (verbose) {
+        if (appid == 0x000000)
+            PrintAndLogEx(INFO, _CYAN_("PICC") " param ID: 0x%02x param[%d]: %s", paramid, paramlen, sprint_hex(param, paramlen));
+        else
+            PrintAndLogEx(INFO, _CYAN_("Application %06x") " param ID: 0x%02x param[%d]: %s", appid, paramid, paramlen, sprint_hex(param, paramlen));
+    }
+
+    res = DesfireSelectAndAuthenticate(&dctx, securechann, appid, verbose);
+    if (res != PM3_SUCCESS) {
+        DropField();
+        return res;
+    }
+
+    DesfireSetCommMode(&dctx, DCMEncryptedPlain);
+    res = DesfireSetConfiguration(&dctx, paramid, param, paramlen);
+    if (res == PM3_SUCCESS) {
+        PrintAndLogEx(SUCCESS, "Set configuration 0x%02x " _GREEN_("ok") " ", paramid);
+    } else {
+        PrintAndLogEx(FAILED, "Set configuration 0x%02x " _RED_("failed") " ", paramid);
+    }
+    DesfireSetCommMode(&dctx, DCMEncrypted);
+
+    DropField();
+    return res;
+}
+
 static int CmdHF14ADesChangeKey(const char *Cmd) {
    CLIParserContext *ctx;
    CLIParserInit(&ctx, "hf mfdes changekey",
@ -5003,6 +5090,7 @@ static int CmdHF14ADesChangeKey(const char *Cmd) {
    } else {
        PrintAndLogEx(FAILED, "Change key " _RED_("failed") " ");
    }
+    DesfireSetCommMode(&dctx, DCMEncrypted);

    DropField();
    return res;
@ -5885,6 +5973,7 @@ static command_t CommandTable[] = {
    {"formatpicc",       CmdHF14ADesFormatPICC,       IfPm3Iso14443a,  "[new]Format PICC"},
    {"freemem",          CmdHF14ADesGetFreeMem,       IfPm3Iso14443a,  "[new]Get free memory size"},
    {"getuid",           CmdHF14ADesGetUID,           IfPm3Iso14443a,  "[new]Get uid from card"},
+    {"setconfig",        CmdHF14ADesSetConfiguration, IfPm3Iso14443a,  "[new]Set card configuration"},
    {"info",             CmdHF14ADesInfo,             IfPm3Iso14443a,  "Tag information"},
    {"list",             CmdHF14ADesList,             AlwaysAvailable, "List DESFire (ISO 14443A) history"},
 //    {"ndefread",             CmdHF14aDesNDEFRead,             IfPm3Iso14443a,  "Prints NDEF records from card"},
@ -5933,7 +6022,6 @@ int CmdHFMFDes(const char *Cmd) {

    Native Cmds
    -----------
-    SetConfiguration
    ChangeFileSettings

    ISO/IEC 7816 Cmds
--- a/client/src/mifare/desfirecore.c
+++ b/client/src/mifare/desfirecore.c
@ -611,8 +611,10 @@ int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secu
        PrintAndLogEx(ERR, "Desfire select " _RED_("error") ".");
        return PM3_ESOFT;
    }
+    if (verbose)
+        PrintAndLogEx(INFO, "App %06x " _GREEN_("selected"), aid);

-    res = DesfireAuthenticate(dctx, secureChannel);
+    res = DesfireAuthenticate(dctx, secureChannel, verbose);
    if (res != PM3_SUCCESS) {
        PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: %d", res);
        return PM3_ESOFT;
@ -628,7 +630,7 @@ int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secu
    return PM3_SUCCESS;
 }

-int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel) {
+int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, bool verbose) {
    // 3 different way to authenticate   AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32)
    // 4 different crypto arg1   DES, 3DES, 3K3DES, AES
    // 3 different communication modes,  PLAIN,MAC,CRYPTO
@ -695,6 +697,9 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel
    uint8_t respcode = 0;
    uint8_t recv_data[256] = {0};

+    if (verbose)
+        PrintAndLogEx(INFO, _CYAN_("Auth:") " cmd: 0x%02x keynum: 0x%02x", subcommand, dctx->keyNum);
+
    // Let's send our auth command
    int res = DesfireExchangeEx(false, dctx, subcommand, &dctx->keyNum, 1, &respcode, recv_data, &recv_len, false, 0);
    if (res != PM3_SUCCESS) {
@ -907,7 +912,8 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel
    memset(dctx->IV, 0, DESFIRE_MAX_KEY_SIZE);
    dctx->secureChannel = secureChannel;
    memcpy(dctx->sessionKeyMAC, dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType));
-    PrintAndLogEx(INFO, "Session key : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType)));
+    if (verbose)
+        PrintAndLogEx(INFO, _GREEN_("Session key") " : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType)));

    return PM3_SUCCESS;
 }
@ -1003,6 +1009,10 @@ int DesfireChangeKeyCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t
    return DesfireCommand(dctx, MFDES_CHANGE_KEY, data, len, resp, resplen, -1);
 }

+int DesfireSetConfigurationCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t *resp, size_t *resplen) {
+    return DesfireCommand(dctx, MFDES_CHANGE_CONFIGURATION, data, len, resp, resplen, -1);
+}
+
 uint8_t DesfireKeyAlgoToType(DesfireCryptoAlgorythm keyType) {
    switch (keyType) {
        case T_DES:
@ -1098,7 +1108,7 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke
    uint8_t pckcdata[DESFIRE_MAX_KEY_SIZE + 10] = {0};
    uint8_t *cdata = &pckcdata[2];
    uint8_t keynodata = newkeynum & 0x3f;
-    
+
    /*
     * Because new crypto methods can be setup only at application creation,
     * changing the card master key to one of them require a key_no tweak.
@ -1106,7 +1116,7 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke
    if (change_master_key) {
        keynodata |= (DesfireKeyAlgoToType(newkeytype) & 0x03) << 6;
    }
-    
+
    pckcdata[0] = MFDES_CHANGE_KEY; // TODO
    pckcdata[1] = keynodata;

@ -1179,3 +1189,38 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke
    return res;
 }

+int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen) {
+    uint8_t cdata[200] = {0};
+    cdata[0] = MFDES_CHANGE_CONFIGURATION;
+    uint8_t *data = &cdata[1];
+    data[0] = paramid;
+    memcpy(&data[1], param, paramlen);
+    size_t datalen = 1 + paramlen;
+
+
+    // add crc
+    if (dctx->secureChannel == DACd40) {
+        iso14443a_crc_append(&data[1], datalen - 1);
+        datalen += 2;
+    } else {
+        desfire_crc32_append(cdata, datalen + 1);
+        datalen += 4;
+    }
+
+    // dynamic length
+    if (paramid == 0x02) {
+        data[datalen] = 0x80;
+        datalen++;
+    }
+
+    // send command
+    uint8_t resp[257] = {0};
+    size_t resplen = 0;
+    int res = DesfireSetConfigurationCmd(dctx, data, datalen, resp, &resplen);
+
+    // check response
+    if (res == 0 && resplen > 0)
+        res = -20;
+
+    return res;
+}
--- a/client/src/mifare/desfirecore.h
+++ b/client/src/mifare/desfirecore.h
@ -38,7 +38,7 @@ int DesfireSelectAID(DesfireContext *ctx, uint8_t *aid1, uint8_t *aid2);
 int DesfireSelectAIDHex(DesfireContext *ctx, uint32_t aid1, bool select_two, uint32_t aid2);

 int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, uint32_t aid, bool verbose);
-int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel);
+int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, bool verbose);

 int DesfireFormatPICC(DesfireContext *dctx);
 int DesfireGetFreeMem(DesfireContext *dctx, uint32_t *freemem);
@ -58,4 +58,7 @@ uint8_t DesfireKeyAlgoToType(DesfireCryptoAlgorythm keyType);
 int DesfireChangeKeyCmd(DesfireContext *dctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen);
 int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newkeynum, DesfireCryptoAlgorythm newkeytype, uint32_t newkeyver, uint8_t *newkey, DesfireCryptoAlgorythm oldkeytype, uint8_t *oldkey, bool verbose);

+int DesfireSetConfigurationCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t *resp, size_t *resplen);
+int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen);
+
 #endif // __DESFIRECORE_H
--- a/client/src/mifare/desfiresecurechan.c
+++ b/client/src/mifare/desfiresecurechan.c
@ -126,6 +126,7 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint
            memcpy(dstdata, srcdata, hdrlen);
            DesfireCryptoEncDec(ctx, true, &data[hdrlen], rlen - hdrlen, &dstdata[hdrlen], true);
            *dstdatalen = rlen;
+            ctx->commMode = DCMEncrypted;
            break;
        case DCMNone:
            ;
@ -172,6 +173,7 @@ static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint
        rlen = padded_data_length(srcdatalen - hdrlen, desfire_get_key_block_length(ctx->keyType));
        DesfireCryptoEncDec(ctx, true, data, rlen, &dstdata[hdrlen], true);
        *dstdatalen = hdrlen + rlen;
+        ctx->commMode = DCMEncrypted;
    }
 }