Update cmdhfmfdes.c

Desfire changekey AES Seems to work, but response validation fails.
2025-02-26 00:55:19 +08:00 · 2021-04-24 13:43:00 +10:00 · 2021-04-24 13:43:00 +10:00 · ae42c9445a
commit ae42c9445a
parent 6780b852d4
1 changed files with 28 additions and 3 deletions
--- a/client/src/cmdhfmfdes.c
+++ b/client/src/cmdhfmfdes.c
@ -1204,6 +1204,7 @@ static int mifare_desfire_change_key(uint8_t key_no, uint8_t *new_key, uint8_t n
    sAPDU apdu = {0x90, MFDES_CHANGE_KEY, 0x00, 0x00, 0x01, data}; // 0xC4

    size_t cmdcnt = 0;
+    uint8_t csPkt[30] = {0x00}; // temp storage for AES first CheckSum

    uint8_t new_key_length = 16;
    switch (new_algo) {
@ -1252,10 +1253,21 @@ static int mifare_desfire_change_key(uint8_t key_no, uint8_t *new_key, uint8_t n
                cmdcnt += 2;
                break;
            case AS_NEW:
+                if (new_algo == MFDES_ALGO_AES) {
+                    // AES Checksum must cover : C4<KeyNo>    <PrevKey XOR Newkey>          <NewKeyVer>
+                    //                           C4  01   A0B08090E0F0C0D02030001060704050      03
+                    // 19 bytes
+                    //uint8_t csPkt[30] = {0x00};
+                    csPkt[0] = 0xC4;
+                    memcpy (&csPkt[1],data,18);
+                
+                    desfire_crc32(csPkt, 19, data + 1 + cmdcnt);
+                } else {
                    desfire_crc32_append(data + 1, cmdcnt);
+                }
                cmdcnt += 4;

-                desfire_crc32(new_key, new_key_length, data + cmdcnt);
+                desfire_crc32(new_key, new_key_length, data + 1 + cmdcnt);
                cmdcnt += 4;
                break;
        }
@ -1295,10 +1307,23 @@ static int mifare_desfire_change_key(uint8_t key_no, uint8_t *new_key, uint8_t n
    }

    size_t sn = recv_len;
+
    p = mifare_cryto_postprocess_data(tag, data, &sn, MDCM_PLAIN | CMAC_COMMAND | CMAC_VERIFY);

-    if (!p)
+    // Should be finished processing the changekey so lets ensure the field is dropped.
+    DropFieldDesfire();
+
+    if (!p) {
+        /*
+            Note in my testing on an EV1, the AES password did change, with the number of returned bytes was 8, expected 9 <status><8 byte cmac>
+            As such !p is true and the code reports "Error on changing key"; so comment back to user until its fixed.
+        */
+        if (new_algo == MFDES_ALGO_AES) {
+            PrintAndLogEx(WARNING,"AES password may have been changed, please check new password with the auth command.");
+        }
+
        return PM3_ESOFT;
+    }

    /*
     * If we changed the current authenticated key, we are not authenticated