RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-11-11 01:55:38 +08:00
Code Issues Projects Releases Packages Wiki Activity

CommitReaderID works via lrp and ev2 channel

Browse source
This commit is contained in:
merlokk 2021-08-21 17:51:28 +03:00
parent a78c6a7721
commit cc6837a9e4
2 changed files with 12 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
client/src/cmdhfmfdes.c
View file

@ -4853,7 +4853,8 @@ static int CmdHF14ADesWriteData(const char *Cmd) {
"hf mfdes write --aid 123456 --fid 01 --type record --offset 000000 -d 11223344 -> write record to record file. use default channel settings from `default` command\n"
"hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 -> write data to std/backup file via iso commandset\n"
"hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 -> send record to record file via iso commandset\n"
"hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 -> write data to file with CommitReaderID command before write and CommitTransaction after write");
"hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 -> write data to file with CommitReaderID command before write and CommitTransaction after write\n"
"hf mfdes write --appisoid df01 --fid 04 -d 01020304 --trkey 00112233445566778899aabbccddeeff --readerid 5532 -t aes -s lrp -> advanced CommitReaderID via lrp channel sample");
void *argtable[] = {
arg_param_begin,

16
client/src/mifare/desfirecrypto.c
View file

@ -671,10 +671,16 @@ void DesfireGenTransSessionKeyEV2(uint8_t *key, uint32_t trCntr, uint8_t *uid, b
// page 43
void DesfireGenTransSessionKeyLRP(uint8_t *key, uint32_t trCntr, uint8_t *uid, bool forMAC, uint8_t *sessionkey) {
uint8_t data[CRYPTO_AES_BLOCK_SIZE] = {0};
// SV1 = 00h||01h||00h||80h||(actTMC+1)||(sesTMC+1)||UID||5Ah
// SV2 = 00h||01h||00h||80h||(actTMC+1)||(sesTMC+1)||UID||A5h
// SesTMMACKey = MACLRP (AppTransactionMACKey; SV1)
// SesTMENCKey = MACLRP (AppTransactionMACKey; SV2)
data[1] = 0x01;
data[3] = 0x80;
Uint4byteToMemLe(&data[4], trCntr + 0x00010001);
// we thought that CommitReaderID is the first command in the transaction (actTMC == 0 !!!)
Uint4byteToMemLe(&data[4], (trCntr & 0xffff) + 0x00010001);
memcpy(&data[8], uid, 7);
if (forMAC) {
data[15] = 0x5a;
@ -683,23 +689,21 @@ void DesfireGenTransSessionKeyLRP(uint8_t *key, uint32_t trCntr, uint8_t *uid, b
}
LRPContext lctx = {0};
LRPSetKey(&lctx, key, 0, true);
LRPSetKey(&lctx, key, 0, false);
LRPCMAC(&lctx, data, sizeof(data), sessionkey);
}
void DesfireDecodePrevReaderID(DesfireContext *ctx, uint8_t *key, uint32_t trCntr, uint8_t *encPrevReaderID, uint8_t *prevReaderID) {
uint8_t sessionkey[16] = {0};
uint8_t sessionkey[CRYPTO_AES128_KEY_SIZE] = {0};
uint8_t uid[12] = {0};
memcpy(uid, ctx->uid, MAX(ctx->uidlen, 7));
if (ctx->secureChannel == DACEV2) {
DesfireGenTransSessionKeyEV2(key, trCntr, uid, false, sessionkey);
aes_decode(NULL, sessionkey, encPrevReaderID, prevReaderID, CRYPTO_AES_BLOCK_SIZE);
} else if (ctx->secureChannel == DACLRP) {
DesfireGenTransSessionKeyLRP(key, trCntr, uid, false, sessionkey);
}
aes_decode(NULL, sessionkey, encPrevReaderID, prevReaderID, CRYPTO_AES128_KEY_SIZE);
}
int DesfireLRPCalcCMAC(DesfireContext *ctx, uint8_t cmd, uint8_t *data, size_t datalen, uint8_t *mac) {