From cc6837a9e41bdb9694e3e57fd39a0eeb4497b7cb Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Sat, 21 Aug 2021 17:51:28 +0300 Subject: [PATCH] CommitReaderID works via lrp and ev2 channel --- client/src/cmdhfmfdes.c | 3 ++- client/src/mifare/desfirecrypto.c | 16 ++++++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/client/src/cmdhfmfdes.c b/client/src/cmdhfmfdes.c index a74647184..a210c3e8e 100644 --- a/client/src/cmdhfmfdes.c +++ b/client/src/cmdhfmfdes.c @@ -4853,7 +4853,8 @@ static int CmdHF14ADesWriteData(const char *Cmd) { "hf mfdes write --aid 123456 --fid 01 --type record --offset 000000 -d 11223344 -> write record to record file. use default channel settings from `default` command\n" "hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 -> write data to std/backup file via iso commandset\n" "hf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 -> send record to record file via iso commandset\n" - "hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 -> write data to file with CommitReaderID command before write and CommitTransaction after write"); + "hf mfdes write --aid 123456 --fid 01 -d 01020304 --readerid 010203 -> write data to file with CommitReaderID command before write and CommitTransaction after write\n" + "hf mfdes write --appisoid df01 --fid 04 -d 01020304 --trkey 00112233445566778899aabbccddeeff --readerid 5532 -t aes -s lrp -> advanced CommitReaderID via lrp channel sample"); void *argtable[] = { arg_param_begin, diff --git a/client/src/mifare/desfirecrypto.c b/client/src/mifare/desfirecrypto.c index f3c332213..be0e84b06 100644 --- a/client/src/mifare/desfirecrypto.c +++ b/client/src/mifare/desfirecrypto.c @@ -671,10 +671,16 @@ void DesfireGenTransSessionKeyEV2(uint8_t *key, uint32_t trCntr, uint8_t *uid, b // page 43 void DesfireGenTransSessionKeyLRP(uint8_t *key, uint32_t trCntr, uint8_t *uid, bool forMAC, uint8_t *sessionkey) { uint8_t data[CRYPTO_AES_BLOCK_SIZE] = {0}; + + // SV1 = 00h||01h||00h||80h||(actTMC+1)||(sesTMC+1)||UID||5Ah + // SV2 = 00h||01h||00h||80h||(actTMC+1)||(sesTMC+1)||UID||A5h + // SesTMMACKey = MACLRP (AppTransactionMACKey; SV1) + // SesTMENCKey = MACLRP (AppTransactionMACKey; SV2) data[1] = 0x01; data[3] = 0x80; - Uint4byteToMemLe(&data[4], trCntr + 0x00010001); + // we thought that CommitReaderID is the first command in the transaction (actTMC == 0 !!!) + Uint4byteToMemLe(&data[4], (trCntr & 0xffff) + 0x00010001); memcpy(&data[8], uid, 7); if (forMAC) { data[15] = 0x5a; @@ -683,23 +689,21 @@ void DesfireGenTransSessionKeyLRP(uint8_t *key, uint32_t trCntr, uint8_t *uid, b } LRPContext lctx = {0}; - LRPSetKey(&lctx, key, 0, true); + LRPSetKey(&lctx, key, 0, false); LRPCMAC(&lctx, data, sizeof(data), sessionkey); } void DesfireDecodePrevReaderID(DesfireContext *ctx, uint8_t *key, uint32_t trCntr, uint8_t *encPrevReaderID, uint8_t *prevReaderID) { - uint8_t sessionkey[16] = {0}; + uint8_t sessionkey[CRYPTO_AES128_KEY_SIZE] = {0}; uint8_t uid[12] = {0}; memcpy(uid, ctx->uid, MAX(ctx->uidlen, 7)); if (ctx->secureChannel == DACEV2) { DesfireGenTransSessionKeyEV2(key, trCntr, uid, false, sessionkey); - - aes_decode(NULL, sessionkey, encPrevReaderID, prevReaderID, CRYPTO_AES_BLOCK_SIZE); } else if (ctx->secureChannel == DACLRP) { DesfireGenTransSessionKeyLRP(key, trCntr, uid, false, sessionkey); - } + aes_decode(NULL, sessionkey, encPrevReaderID, prevReaderID, CRYPTO_AES128_KEY_SIZE); } int DesfireLRPCalcCMAC(DesfireContext *ctx, uint8_t cmd, uint8_t *data, size_t datalen, uint8_t *mac) {