diff --git a/client/src/mifare/desfirecore.c b/client/src/mifare/desfirecore.c
index 42eb206ba..bb06f2671 100644
--- a/client/src/mifare/desfirecore.c
+++ b/client/src/mifare/desfirecore.c
@@ -344,7 +344,7 @@ void DesfirePrintContext(DesfireContext *ctx) {
 CLIGetOptionListStr(DesfireSecureChannelOpts, ctx->secureChannel),
 CLIGetOptionListStr(DesfireCommandSetOpts, ctx->cmdSet),
 CLIGetOptionListStr(DesfireCommunicationModeOpts, ctx->commMode));
- 
+
 if (DesfireIsAuthenticated(ctx)) {
 PrintAndLogEx(INFO, "Session key MAC [%d]: %s ",
@@ -853,7 +853,7 @@ void DesfirePrintAIDFunctions(uint32_t appid) {
 int DesfireSelectAndAuthenticateEx(DesfireContext *dctx, DesfireSecureChannel secureChannel, uint32_t aid, bool noauth, bool verbose) {
 if (verbose)
 DesfirePrintContext(dctx);
- 
+
 // needs card uid for diversification
 if (dctx->kdfAlgo == MFDES_KDF_ALGO_GALLAGHER)
 DesfireGetCardUID(dctx);
@@ -1038,13 +1038,13 @@ static int DesfireAuthenticateEV1(DesfireContext *dctx, DesfireSecureChannel sec
 if (secureChannel == DACd40) {
 memset(IV, 0, DESFIRE_MAX_CRYPTO_BLOCK_SIZE);
 DesfireCryptoEncDecEx(dctx, DCOMainKey, RndA, rndlen, encRndA, true, true, IV);
- 
+
 memcpy(both, encRndA, rndlen);
 bin_xor(rotRndB, encRndA, rndlen);
- 
+
 memset(IV, 0, DESFIRE_MAX_CRYPTO_BLOCK_SIZE);
 DesfireCryptoEncDecEx(dctx, DCOMainKey, rotRndB, rndlen, encRndB, true, true, IV);
- 
+
 memcpy(both + rndlen, encRndB, rndlen);
 } else if (secureChannel == DACEV1) {
 uint8_t tmp[32] = {0x00};
@@ -1084,7 +1084,7 @@ static int DesfireAuthenticateEV1(DesfireContext *dctx, DesfireSecureChannel sec
 if (secureChannel == DACd40)
 memset(IV, 0, DESFIRE_MAX_CRYPTO_BLOCK_SIZE);
 DesfireCryptoEncDecEx(dctx, DCOMainKey, encRndA, rndlen, encRndA, false, false, IV);
- 
+
 // generate session key from rnda and rndb. before rol(RndA)!
 DesfireGenSessionKeyEV1(RndA, RndB, dctx->keyType, dctx->sessionKeyEnc);
@@ -1100,7 +1100,7 @@ static int DesfireAuthenticateEV1(DesfireContext *dctx, DesfireSecureChannel sec
 return 11;
 }
 }
- 
+
 // If the 3Des key first 8 bytes = 2nd 8 Bytes then we are really using Singe Des
 // As such we need to set the session key such that the 2nd 8 bytes = 1st 8 Bytes
 if (dctx->keyType == T_3DES) {
@@ -2652,21 +2652,21 @@ int DesfireISOAppendRecord(DesfireContext *dctx, uint8_t fileid, uint8_t *data,
 int DesfireGetCardUID(DesfireContext *ctx) {
 iso14a_card_select_t card = {0};
- 
+
 SendCommandMIX(CMD_HF_ISO14443A_READER, ISO14A_CONNECT, 0, 0, NULL, 0);
 PacketResponseNG resp;
 WaitForResponse(CMD_ACK, &resp);
 memcpy(&card, (iso14a_card_select_t *)resp.data.asBytes, sizeof(iso14a_card_select_t));
 uint64_t select_status = resp.oldarg[0];
- 
+
 if (select_status == 0 || select_status == 2 || select_status == 3) {
 return PM3_ESOFT;
 }
 memcpy(ctx->uid, card.uid, card.uidlen);
 ctx->uidlen = card.uidlen;
- 
+
 return PM3_SUCCESS;
 }
diff --git a/client/src/mifare/desfirecrypto.c b/client/src/mifare/desfirecrypto.c
index db559e850..85ce60f40 100644
--- a/client/src/mifare/desfirecrypto.c
+++ b/client/src/mifare/desfirecrypto.c
@@ -44,7 +44,7 @@ void DesfireClearContext(DesfireContext *ctx) {
 ctx->appSelected = false;
 ctx->selectedAID = 0;
- 
+
 memset(ctx->uid, 0, sizeof(ctx->uid));
 ctx->uidlen = 0;
@@ -164,7 +164,7 @@ uint8_t *DesfireGetKey(DesfireContext *ctx, DesfireCryptoOpKeyType key_type) {
 } else if (key_type == DCOMasterKey) {
 return ctx->masterKey;
 }
- 
+
 return ctx->key;
 }
@@ -370,7 +370,7 @@ void MifareKdfAn10922(DesfireContext *ctx, DesfireCryptoOpKeyType key_type, cons
 DesfireClearIV(ctx);
 DesfireCryptoCMACEx(ctx, key_type, buffer, len + 1, kbs * 2, cmac);
- 
+
 buffer[0] = 0x22;
 memcpy(&buffer[1], data, len);
@@ -384,13 +384,13 @@ void MifareKdfAn10922(DesfireContext *ctx, DesfireCryptoOpKeyType key_type, cons
 DesfireClearIV(ctx);
 DesfireCryptoCMACEx(ctx, key_type, buffer, len + 1, kbs * 2, cmac);
- 
+
 buffer[0] = 0x32;
 memcpy(&buffer[1], data, len);
 DesfireClearIV(ctx);
 DesfireCryptoCMACEx(ctx, key_type, buffer, len + 1, kbs * 2, &cmac[kbs]);
- 
+
 buffer[0] = 0x33;
 memcpy(&buffer[1], data, len);
diff --git a/client/src/mifare/desfirecrypto.h b/client/src/mifare/desfirecrypto.h
index e5a7643e8..125647289 100644
--- a/client/src/mifare/desfirecrypto.h
+++ b/client/src/mifare/desfirecrypto.h
@@ -88,7 +88,7 @@ typedef struct DesfireContextS {
 bool appSelected; // for iso auth
 uint32_t selectedAID;
- 
+
 uint8_t uid[10];
 uint8_t uidlen;
@@ -121,7 +121,7 @@ void DesfireCMACGenerateSubkeys(DesfireContext *ctx, DesfireCryptoOpKeyType key_
 void DesfireCryptoCMAC(DesfireContext *ctx, uint8_t *srcdata, size_t srcdatalen, uint8_t *cmac);
 void DesfireCryptoCMACEx(DesfireContext *ctx, DesfireCryptoOpKeyType key_type, uint8_t *data, size_t len, size_t minlen, uint8_t *cmac);
 void MifareKdfAn10922(DesfireContext *ctx, DesfireCryptoOpKeyType key_type, const uint8_t *data, size_t len);
- 
+
 void DesfireDESKeySetVersion(uint8_t *key, DesfireCryptoAlgorythm keytype, uint8_t version);
 uint8_t DesfireDESKeyGetVersion(uint8_t *key);
diff --git a/client/src/mifare/desfiretest.c b/client/src/mifare/desfiretest.c
index 1f3425246..dcf4ddd54 100644
--- a/client/src/mifare/desfiretest.c
+++ b/client/src/mifare/desfiretest.c
@@ -81,9 +81,9 @@ static bool TestCRC32(void) {
 // https://www.nxp.com/docs/en/application-note/AN10922.pdf
 static bool TestCMACSubkeys(void) {
 bool res = true;
- 
+
 uint8_t key[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
- 
+
 uint8_t sk1[DESFIRE_MAX_CRYPTO_BLOCK_SIZE] = {0};
 uint8_t sk2[DESFIRE_MAX_CRYPTO_BLOCK_SIZE] = {0};
 DesfireContext dctx;
@@ -94,7 +94,7 @@ static bool TestCMACSubkeys(void) {
 uint8_t sk1test[] = {0xFB, 0xC9, 0xF7, 0x5C, 0x94, 0x13, 0xC0, 0x41, 0xDF, 0xEE, 0x45, 0x2D, 0x3F, 0x07, 0x06, 0xD1};
 uint8_t sk2test[] = {0xF7, 0x93, 0xEE, 0xB9, 0x28, 0x27, 0x80, 0x83, 0xBF, 0xDC, 0x8A, 0x5A, 0x7E, 0x0E, 0x0D, 0x25};
- 
+
 res = res && (memcmp(sk1, sk1test, sizeof(sk1test)) == 0);
 res = res && (memcmp(sk2, sk2test, sizeof(sk2test)) == 0);
@@ -105,7 +105,7 @@ static bool TestCMACSubkeys(void) {
 uint8_t sk1_2tdea[] = {0xF6, 0x12, 0xEB, 0x32, 0xE4, 0x60, 0x35, 0xF3};
 uint8_t sk2_2tdea[] = {0xEC, 0x25, 0xD6, 0x65, 0xC8, 0xC0, 0x6B, 0xFD};
- 
+
 res = res && (memcmp(sk1, sk1_2tdea, sizeof(sk1_2tdea)) == 0);
 res = res && (memcmp(sk2, sk2_2tdea, sizeof(sk2_2tdea)) == 0);
@@ -117,7 +117,7 @@ static bool TestCMACSubkeys(void) {
 uint8_t sk1_3tdea[] = {0xA3, 0xED, 0x58, 0xF8, 0xE6, 0x94, 0x1B, 0xCA};
 uint8_t sk2_3tdea[] = {0x47, 0xDA, 0xB1, 0xF1, 0xCD, 0x28, 0x37, 0x8F};
- 
+
 res = res && (memcmp(sk1, sk1_3tdea, sizeof(sk1_3tdea)) == 0);
 res = res && (memcmp(sk2, sk2_3tdea, sizeof(sk2_3tdea)) == 0);
@@ -133,15 +133,15 @@ static bool TestCMACSubkeys(void) {
 // page 8
 static bool TestAn10922KDFAES(void) {
 bool res = true;
- 
+
 uint8_t key[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
- 
+
 DesfireContext dctx;
 DesfireSetKey(&dctx, 0, T_AES, key);
- 
+
 uint8_t kdfInput[] = {0x04, 0x78, 0x2E, 0x21, 0x80, 0x1D, 0x80, 0x30, 0x42, 0xF5, 0x4E, 0x58, 0x50, 0x20, 0x41, 0x62, 0x75};
 MifareKdfAn10922(&dctx, DCOMainKey, kdfInput, sizeof(kdfInput));
- 
+
 uint8_t dkey[] = {0xA8, 0xDD, 0x63, 0xA3, 0xB8, 0x9D, 0x54, 0xB3, 0x7C, 0xA8, 0x02, 0x47, 0x3F, 0xDA, 0x91, 0x75};
 res = res && (memcmp(dctx.key, dkey, sizeof(dkey)) == 0);
@@ -155,15 +155,15 @@ static bool TestAn10922KDFAES(void) {
 static bool TestAn10922KDF2TDEA(void) {
 bool res = true;
- 
+
 uint8_t key[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF};
- 
+
 DesfireContext dctx;
 DesfireSetKey(&dctx, 0, T_3DES, key);
 uint8_t kdfInput[] = {0x04, 0x78, 0x2E, 0x21, 0x80, 0x1D, 0x80, 0x30, 0x42, 0xF5, 0x4E, 0x58, 0x50, 0x20, 0x41};
 MifareKdfAn10922(&dctx, DCOMainKey, kdfInput, sizeof(kdfInput));
- 
+
 uint8_t dkey[] = {0x16, 0xF8, 0x59, 0x7C, 0x9E, 0x89, 0x10, 0xC8, 0x6B, 0x96, 0x48, 0xD0, 0x06, 0x10, 0x7D, 0xD7};
 res = res && (memcmp(dctx.key, dkey, sizeof(dkey)) == 0);
@@ -177,17 +177,18 @@ static bool TestAn10922KDF2TDEA(void) {
 static bool TestAn10922KDF3TDEA(void) {
 bool res = true;
- 
+
 uint8_t key[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
- 
+
 DesfireContext dctx;
 DesfireSetKey(&dctx, 0, T_3K3DES, key);
 uint8_t kdfInput[] = {0x04, 0x78, 0x2E, 0x21, 0x80, 0x1D, 0x80, 0x30, 0x42, 0xF5, 0x4E, 0x58, 0x50};
 MifareKdfAn10922(&dctx, DCOMainKey, kdfInput, sizeof(kdfInput));
- 
- uint8_t dkey[] = {0x2F, 0x0D, 0xD0, 0x36, 0x75, 0xD3, 0xFB, 0x9A, 0x57, 0x05, 0xAB, 0x0B, 0xDA, 0x91, 0xCA, 0x0B,
- 0x55, 0xB8, 0xE0, 0x7F, 0xCD, 0xBF, 0x10, 0xEC};
+
+ uint8_t dkey[] = {0x2F, 0x0D, 0xD0, 0x36, 0x75, 0xD3, 0xFB, 0x9A, 0x57, 0x05, 0xAB, 0x0B, 0xDA, 0x91, 0xCA, 0x0B,
+ 0x55, 0xB8, 0xE0, 0x7F, 0xCD, 0xBF, 0x10, 0xEC
+ };
 res = res && (memcmp(dctx.key, dkey, sizeof(dkey)) == 0);
 if (res)
diff --git a/doc/commands.json b/doc/commands.json
index ce7b2d51e..c6779527c 100644
--- a/doc/commands.json
+++ b/doc/commands.json
@@ -973,7 +973,7 @@
 },
 "help": {
 "command": "help",
- "description": "help use ` help` for details of a command prefs { edit client/device preferences... } -------- ----------------------- technology ----------------------- analyse { analyse utils... } data { plot window / data buffer manipulation... } emv { emv iso-14443 / iso-7816... } hf { high frequency commands... } hw { hardware commands... } lf { low frequency commands... } nfc { nfc commands... } reveng { crc calculations from reveng software... } smart { smart card iso-7816 commands... } script { scripting commands... } trace { trace manipulation... } wiegand { wiegand format manipulation... } -------- ----------------------- general ----------------------- clear clear screen hints turn hints on / off msleep add a pause in milliseconds rem add a text line in log file quit exit exit program [=] session log /home/iceman/.proxmark3/logs/log_20210808.txt --------------------------------------------------------------------------------------- auto available offline: no run lf search / hf search / data plot / data save",
+ "description": "help use ` help` for details of a command prefs { edit client/device preferences... } -------- ----------------------- technology ----------------------- analyse { analyse utils... } data { plot window / data buffer manipulation... } emv { emv iso-14443 / iso-7816... } hf { high frequency commands... } hw { hardware commands... } lf { low frequency commands... } nfc { nfc commands... } reveng { crc calculations from reveng software... } smart { smart card iso-7816 commands... } script { scripting commands... } trace { trace manipulation... } wiegand { wiegand format manipulation... 
} -------- ----------------------- general ----------------------- clear clear screen hints turn hints on / off msleep add a pause in milliseconds rem add a text line in log file quit exit exit program [=] session log e:\\proxspace\\pm3/.proxmark3/logs/log_20210808.txt --------------------------------------------------------------------------------------- auto available offline: no run lf search / hf search / data plot / data save",
 "notes": [
 "auto"
 ],
@@ -4873,7 +4873,7 @@
 },
 "hf mfdes test": {
 "command": "hf mfdes test",
- "description": "[=] ------ desfire tests ------ [!] no space for crc. pos: 1 [=] crc16............. passed [!] no space for crc. pos: 2 [=] crc32............. passed [=] cmac 3tdea........ passed [=] cmac 2tdea........ passed [=] cmac des.......... passed [=] ev2 session keys.. passed [=] ev2 iv calc....... passed [=] ev2 mac calc...... passed [=] --------------------------- [+] tests [ ok ] ======================================================================================= hf seos { seos rfids... } --------------------------------------------------------------------------------------- hf seos help available offline: yes help this help list list seos history --------------------------------------------------------------------------------------- hf seos info available offline: no get info from seos tags",
+ "description": "[=] ------ desfire tests ------ [!] no space for crc. pos: 1 [=] crc16............. passed [!] no space for crc. pos: 2 [=] crc32............. passed [=] cmac subkeys...... passed [=] an10922 aes....... passed [=] an10922 2tdea..... passed [=] an10922 3tdea..... passed [=] cmac 3tdea........ passed [=] cmac 2tdea........ passed [=] cmac des.......... passed [=] ev2 session keys.. passed [=] ev2 iv calc....... passed [=] ev2 mac calc...... passed [=] --------------------------- [+] tests [ ok ] ======================================================================================= hf seos { seos rfids... } --------------------------------------------------------------------------------------- hf seos help available offline: yes help this help list list seos history --------------------------------------------------------------------------------------- hf seos info available offline: no get info from seos tags",
 "notes": [
 "hf seos info"
 ],
@@ -5737,8 +5737,8 @@
 "command": "hw connect",
 "description": "connects to a proxmark3 device via specified serial port. baudrate here is only for physical uart or uart-bt, not for usb-cdc or blue shark add-on",
 "notes": [
- "hw connect -p /dev/ttyacm0",
- "hw connect -p /dev/ttyacm0 -b 115200"
+ "hw connect -p com3",
+ "hw connect -p com3 -b 115200"
 ],
 "offline": true,
 "options": [
@@ -6187,7 +6187,7 @@
 "-h, --help this help",
 "--clk <32|64> clock (default 64)",
 "--delay pause delay in milliseconds between uids simulation (default 1000ms)",
- "-f, --file file with em tag ids, one id per line",
+ "-f, --file file with uids in hex format, one per line",
 "--gap gap (0's) between id repeats (default 20)"
 ],
 "usage": "lf em 410x brute [-h] [--clk ] [--delay ] -f [--gap ]"
@@ -6196,14 +6196,14 @@
 "command": "lf em 410x clone",
 "description": "writes em410x id to a t55x7 or q5/t5555 tag",
 "notes": [
- "lf em 410x clone --id 0f0368568b -> write t55x7 tag",
- "lf em 410x clone --id 0f0368568b --q5 -> write q5/t5555 tag"
+ "lf em 410x clone --id 0f0368568b -> write id to t55x7 tag",
+ "lf em 410x clone --id 0f0368568b --q5 -> write id to q5/t5555 tag"
 ],
 "offline": false,
 "options": [
 "-h, --help this help",
 "--clk <16|32|40|64> clock (default 64)",
- "--id em tag id number (5 hex bytes)",
+ "--id id number (5 hex bytes)",
 "--q5 specify writing to q5/t5555 tag"
 ],
 "usage": "lf em 410x clone [-h] [--clk ] --id [--q5]"
@@ -6212,12 +6212,12 @@
 "command": "lf em 410x reader",
 "description": "read em 410x tag",
 "notes": [
- "lf em 410x reader",
+ "lf em 410x reader -> reader",
 "lf em 410x reader -@ -> continuous reader mode",
- "lf em 410x reader --clk 32 -> using a clock of rf/32",
- "lf em 410x reader --clk 32 -i -> using a clock of rf/32 and inverting data",
- "lf em 410x reader -i -> inverting data",
- "lf em 410x reader --clk 64 -i --err 0 -> using a clock of rf/64 and inverting data and allowing 0 demod errors"
+ "lf em 410x reader --clk 32 -> reader using a clock of rf/32",
+ "lf em 410x reader --clk 32 -i -> reader using a clock of rf/32 and inverting data",
+ "lf em 410x reader -i -> reader while inverting data",
+ "lf em 410x reader --clk 64 -i --err 0 -> reader using a clock of rf/64 and inverting data and allowing 0 demod errors"
 ],
 "offline": false,
 "options": [
@@ -6245,14 +6245,14 @@
 "options": [
 "-h, --help this help",
 "--clk <32|64> clock (default 64)",
- "--id em tag id number (5 hex bytes)",
+ "--id id number (5 hex bytes)",
 "--gap gap (0's) between id repeats (default 20)"
 ],
 "usage": "lf em 410x sim [-h] [--clk ] --id [--gap ]"
 },
 "lf em 410x spoof": {
 "command": "lf em 410x spoof",
- "description": "watch 'nd spoof, activates reader waits until a em 410x tag gets presented then proxmark3 starts simulating the found em tag id",
+ "description": "watch 'nd spoof, activates reader waits until a em 410x tag gets presented then proxmark3 starts simulating the found uid",
 "notes": [
 "lf em 410x spoof"
 ],
@@ -9891,6 +9891,6 @@
 "metadata": {
 "commands_extracted": 587,
 "extracted_by": "PM3Help2JSON v1.00",
- "extracted_on": "2021-08-08T13:35:19"
+ "extracted_on": "2021-08-08T21:11:10"
 }
 }
\ No newline at end of file
diff --git a/doc/commands.md b/doc/commands.md
index 9e710bb39..a5dbcfb3e 100644
--- a/doc/commands.md
+++ b/doc/commands.md
@@ -710,9 +710,9 @@ Check column "offline" for their availability.
 |`lf em 410x reader `|N |`attempt to read and extract tag data`
 |`lf em 410x sim `|N |`simulate EM410x tag`
 |`lf em 410x brute `|N |`reader bruteforce attack by simulating EM410x tags`
-|`lf em 410x watch `|N |`watches for EM410x 125/134 kHz tags`
-|`lf em 410x spoof `|N |`watches for EM410x 125/134 kHz tags, and replays them`
-|`lf em 410x clone `|N |`write EM410x Tag ID to T55x7 or Q5/T5555 tag`
+|`lf em 410x watch `|N |`watches for EM410x 125/134 kHz tags (option 'h' for 134)`
+|`lf em 410x spoof `|N |`watches for EM410x 125/134 kHz tags, and replays them. (option 'h' for 134)`
+|`lf em 410x clone `|N |`write EM410x UID to T55x7 or Q5/T5555 tag`
 
 ### lf em 4x05