diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index 8c59ff80f..6f8c09046 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4885,6 +4885,93 @@ static int CmdHF14ADesDefault(const char *Cmd) { return PM3_SUCCESS; } +static int CmdHF14ADesSetConfiguration(const char *Cmd) { + CLIParserContext *ctx; + CLIParserInit(&ctx, "hf mfdes setconfig", + "Set card configuration. WARNING! Danger zone! Needs to provide card's master key and works if not blocked by config.", + "hf mfdes setconfig --param 03 --data 0428 -> set parameter 03\n" + "hf mfdes setconfig --param 02 --data 0875778102637264 -> set parameter 02"); + + void *argtable[] = { + arg_param_begin, + arg_lit0("a", "apdu", "show APDU requests and responses"), + arg_lit0("v", "verbose", "show technical data"), + arg_int0("n", "keyno", "", "Key number"), + arg_str0("t", "algo", "", "Crypt algo: DES, 2TDEA, 3TDEA, AES"), + arg_str0("k", "key", "", "Key for authenticate (HEX 8(DES), 16(2TDEA or AES) or 24(3TDEA) bytes)"), + arg_str0("f", "kdf", "", "Key Derivation Function (KDF): None, AN10922, Gallagher"), + arg_str0("i", "kdfi", "", "KDF input (HEX 1-31 bytes)"), + arg_str0("m", "cmode", "", "Communicaton mode: plain/mac/encrypt"), + arg_str0("c", "ccset", "", "Communicaton command set: native/niso/iso"), + arg_str0("s", "schann", "", "Secure channel: d40/ev1/ev2"), + arg_str0(NULL, "aid", "", "Application ID of application for some parameters (3 hex bytes, big endian)"), + arg_str0("p", "param", "", "Parameter id (HEX 1 byte)"), + arg_str0("d", "data", "", "Data for parameter (HEX 1..30 bytes)"), + arg_param_end + }; + CLIExecWithReturn(ctx, Cmd, argtable, false); + + bool APDULogging = arg_get_lit(ctx, 1); + bool verbose = arg_get_lit(ctx, 2); + + DesfireContext dctx; + int securechann = defaultSecureChannel; + uint32_t appid = 0x000000; + int res = CmdDesGetSessionParameters(ctx, &dctx, 3, 4, 5, 6, 7, 8, 9, 10, 11, &securechann, DCMEncrypted, &appid); + if (res) { + CLIParserFree(ctx); + return res; + } + + uint32_t paramid = 0; + res = arg_get_u32_hexstr_def_nlen(ctx, 12, 0, ¶mid, 1, true); + if (res == 2) { + PrintAndLogEx(ERR, "Parameter ID must have 1 bytes length"); + CLIParserFree(ctx); + return PM3_EINVARG; + } + + uint8_t param[250] = {0}; + int paramlen = sizeof(param); + CLIGetHexWithReturn(ctx, 13, param, ¶mlen); + if (paramlen == 0) { + PrintAndLogEx(ERR, "Parameter must have a data."); + return PM3_EINVARG; + } + if (paramlen > 50) { + PrintAndLogEx(ERR, "Parameter data length must be less than 50 instead of %d.", paramlen); + return PM3_EINVARG; + } + + SetAPDULogging(APDULogging); + CLIParserFree(ctx); + + if (verbose) { + if (appid == 0x000000) + PrintAndLogEx(INFO, _CYAN_("PICC") " param ID: 0x%02x param[%d]: %s", paramid, paramlen, sprint_hex(param, paramlen)); + else + PrintAndLogEx(INFO, _CYAN_("Application %06x") " param ID: 0x%02x param[%d]: %s", appid, paramid, paramlen, sprint_hex(param, paramlen)); + } + + res = DesfireSelectAndAuthenticate(&dctx, securechann, appid, verbose); + if (res != PM3_SUCCESS) { + DropField(); + return res; + } + + DesfireSetCommMode(&dctx, DCMEncryptedPlain); + res = DesfireSetConfiguration(&dctx, paramid, param, paramlen); + if (res == PM3_SUCCESS) { + PrintAndLogEx(SUCCESS, "Set configuration 0x%02x " _GREEN_("ok") " ", paramid); + } else { + PrintAndLogEx(FAILED, "Set configuration 0x%02x " _RED_("failed") " ", paramid); + } + DesfireSetCommMode(&dctx, DCMEncrypted); + + DropField(); + return res; +} + static int CmdHF14ADesChangeKey(const char *Cmd) { CLIParserContext *ctx; CLIParserInit(&ctx, "hf mfdes changekey", @@ -5003,6 +5090,7 @@ static int CmdHF14ADesChangeKey(const char *Cmd) { } else { PrintAndLogEx(FAILED, "Change key " _RED_("failed") " "); } + DesfireSetCommMode(&dctx, DCMEncrypted); DropField(); return res; @@ -5885,6 +5973,7 @@ static command_t CommandTable[] = { {"formatpicc", CmdHF14ADesFormatPICC, IfPm3Iso14443a, "[new]Format PICC"}, {"freemem", CmdHF14ADesGetFreeMem, IfPm3Iso14443a, "[new]Get free memory size"}, {"getuid", CmdHF14ADesGetUID, IfPm3Iso14443a, "[new]Get uid from card"}, + {"setconfig", CmdHF14ADesSetConfiguration, IfPm3Iso14443a, "[new]Set card configuration"}, {"info", CmdHF14ADesInfo, IfPm3Iso14443a, "Tag information"}, {"list", CmdHF14ADesList, AlwaysAvailable, "List DESFire (ISO 14443A) history"}, // {"ndefread", CmdHF14aDesNDEFRead, IfPm3Iso14443a, "Prints NDEF records from card"}, @@ -5933,7 +6022,6 @@ int CmdHFMFDes(const char *Cmd) { Native Cmds ----------- - SetConfiguration ChangeFileSettings ISO/IEC 7816 Cmds diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c index 47046095c..a0611120d 100644 --- a/client/src/mifare/desfirecore.c +++ b/client/src/mifare/desfirecore.c @@ -611,8 +611,10 @@ int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secu PrintAndLogEx(ERR, "Desfire select " _RED_("error") "."); return PM3_ESOFT; } + if (verbose) + PrintAndLogEx(INFO, "App %06x " _GREEN_("selected"), aid); - res = DesfireAuthenticate(dctx, secureChannel); + res = DesfireAuthenticate(dctx, secureChannel, verbose); if (res != PM3_SUCCESS) { PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: %d", res); return PM3_ESOFT; @@ -628,7 +630,7 @@ int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secu return PM3_SUCCESS; } -int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel) { +int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, bool verbose) { // 3 different way to authenticate AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32) // 4 different crypto arg1 DES, 3DES, 3K3DES, AES // 3 different communication modes, PLAIN,MAC,CRYPTO @@ -695,6 +697,9 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel uint8_t respcode = 0; uint8_t recv_data[256] = {0}; + if (verbose) + PrintAndLogEx(INFO, _CYAN_("Auth:") " cmd: 0x%02x keynum: 0x%02x", subcommand, dctx->keyNum); + // Let's send our auth command int res = DesfireExchangeEx(false, dctx, subcommand, &dctx->keyNum, 1, &respcode, recv_data, &recv_len, false, 0); if (res != PM3_SUCCESS) { @@ -907,7 +912,8 @@ int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel memset(dctx->IV, 0, DESFIRE_MAX_KEY_SIZE); dctx->secureChannel = secureChannel; memcpy(dctx->sessionKeyMAC, dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType)); - PrintAndLogEx(INFO, "Session key : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType))); + if (verbose) + PrintAndLogEx(INFO, _GREEN_("Session key") " : %s", sprint_hex(dctx->sessionKeyEnc, desfire_get_key_length(dctx->keyType))); return PM3_SUCCESS; } @@ -1003,6 +1009,10 @@ int DesfireChangeKeyCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t return DesfireCommand(dctx, MFDES_CHANGE_KEY, data, len, resp, resplen, -1); } +int DesfireSetConfigurationCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t *resp, size_t *resplen) { + return DesfireCommand(dctx, MFDES_CHANGE_CONFIGURATION, data, len, resp, resplen, -1); +} + uint8_t DesfireKeyAlgoToType(DesfireCryptoAlgorythm keyType) { switch (keyType) { case T_DES: @@ -1098,7 +1108,7 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke uint8_t pckcdata[DESFIRE_MAX_KEY_SIZE + 10] = {0}; uint8_t *cdata = &pckcdata[2]; uint8_t keynodata = newkeynum & 0x3f; - + /* * Because new crypto methods can be setup only at application creation, * changing the card master key to one of them require a key_no tweak. @@ -1106,7 +1116,7 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke if (change_master_key) { keynodata |= (DesfireKeyAlgoToType(newkeytype) & 0x03) << 6; } - + pckcdata[0] = MFDES_CHANGE_KEY; // TODO pckcdata[1] = keynodata; @@ -1179,3 +1189,38 @@ int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newke return res; } +int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen) { + uint8_t cdata[200] = {0}; + cdata[0] = MFDES_CHANGE_CONFIGURATION; + uint8_t *data = &cdata[1]; + data[0] = paramid; + memcpy(&data[1], param, paramlen); + size_t datalen = 1 + paramlen; + + + // add crc + if (dctx->secureChannel == DACd40) { + iso14443a_crc_append(&data[1], datalen - 1); + datalen += 2; + } else { + desfire_crc32_append(cdata, datalen + 1); + datalen += 4; + } + + // dynamic length + if (paramid == 0x02) { + data[datalen] = 0x80; + datalen++; + } + + // send command + uint8_t resp[257] = {0}; + size_t resplen = 0; + int res = DesfireSetConfigurationCmd(dctx, data, datalen, resp, &resplen); + + // check response + if (res == 0 && resplen > 0) + res = -20; + + return res; +} diff --git a/client/src/mifare/desfirecore.h b/client/src/mifare/desfirecore.h index 611a3c8cd..d96ffc54f 100644 --- a/client/src/mifare/desfirecore.h +++ b/client/src/mifare/desfirecore.h @@ -38,7 +38,7 @@ int DesfireSelectAID(DesfireContext *ctx, uint8_t *aid1, uint8_t *aid2); int DesfireSelectAIDHex(DesfireContext *ctx, uint32_t aid1, bool select_two, uint32_t aid2); int DesfireSelectAndAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, uint32_t aid, bool verbose); -int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel); +int DesfireAuthenticate(DesfireContext *dctx, DesfireSecureChannel secureChannel, bool verbose); int DesfireFormatPICC(DesfireContext *dctx); int DesfireGetFreeMem(DesfireContext *dctx, uint32_t *freemem); @@ -58,4 +58,7 @@ uint8_t DesfireKeyAlgoToType(DesfireCryptoAlgorythm keyType); int DesfireChangeKeyCmd(DesfireContext *dctx, uint8_t *data, size_t datalen, uint8_t *resp, size_t *resplen); int DesfireChangeKey(DesfireContext *dctx, bool change_master_key, uint8_t newkeynum, DesfireCryptoAlgorythm newkeytype, uint32_t newkeyver, uint8_t *newkey, DesfireCryptoAlgorythm oldkeytype, uint8_t *oldkey, bool verbose); +int DesfireSetConfigurationCmd(DesfireContext *dctx, uint8_t *data, size_t len, uint8_t *resp, size_t *resplen); +int DesfireSetConfiguration(DesfireContext *dctx, uint8_t paramid, uint8_t *param, size_t paramlen); + #endif // __DESFIRECORE_H diff --git a/client/src/mifare/desfiresecurechan.c b/client/src/mifare/desfiresecurechan.c index f63659ec1..fdf292fca 100644 --- a/client/src/mifare/desfiresecurechan.c +++ b/client/src/mifare/desfiresecurechan.c @@ -126,6 +126,7 @@ static void DesfireSecureChannelEncodeD40(DesfireContext *ctx, uint8_t cmd, uint memcpy(dstdata, srcdata, hdrlen); DesfireCryptoEncDec(ctx, true, &data[hdrlen], rlen - hdrlen, &dstdata[hdrlen], true); *dstdatalen = rlen; + ctx->commMode = DCMEncrypted; break; case DCMNone: ; @@ -172,6 +173,7 @@ static void DesfireSecureChannelEncodeEV1(DesfireContext *ctx, uint8_t cmd, uint rlen = padded_data_length(srcdatalen - hdrlen, desfire_get_key_block_length(ctx->keyType)); DesfireCryptoEncDec(ctx, true, data, rlen, &dstdata[hdrlen], true); *dstdatalen = hdrlen + rlen; + ctx->commMode = DCMEncrypted; } }