From 0da07fe81c2495125a224eddf339a9c522319467 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Wed, 2 Jan 2019 19:31:06 +0200 Subject: [PATCH 1/6] get SFI records --- client/emv/emvcore.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/client/emv/emvcore.c b/client/emv/emvcore.c index b582792ac..8b774eaf0 100644 --- a/client/emv/emvcore.c +++ b/client/emv/emvcore.c @@ -335,6 +335,8 @@ int EMVSelectPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, bool decodeTLV, struct tlvdb *tlv) { uint8_t data[APDU_RES_LEN] = {0}; size_t datalen = 0; + uint8_t sfidata[APDU_RES_LEN] = {0}; + size_t sfidatalen = 0; uint16_t sw = 0; int res; 
@@ -342,9 +344,47 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO res = EMVSelectPSE(channel, ActivateField, true, PSENum, data, sizeof(data), &datalen, &sw); if (!res){ + if (sw != 0x9000) { + PrintAndLogEx(FAILED, "Select PSE error. APDU error: %04x.", sw); + return 1; + } + struct tlvdb *t = NULL; t = tlvdb_parse_multi(data, datalen); if (t) { + struct tlvdb *tsfi = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0x88, 0x00}); + if (tsfi) { + const struct tlv *tsfi_tlv = tlvdb_get_tlv(tsfi); + uint8_t sfin = tsfi_tlv->value[0]; + PrintAndLogEx(INFO, "* PPSE get SFI: 0x%02x.", sfin); + + for (uint8_t ui = 0x01; ui <= 0x10; ui++) { + PrintAndLogEx(INFO, "* * Get SFI: 0x%02x. num: 0x%02x", sfin, ui); + res = EMVReadRecord(channel, true, sfin, ui, sfidata, sizeof(sfidata), &sfidatalen, &sw, NULL); + + // end of records + if (sw == 0x6a83) { + PrintAndLogEx(INFO, "* * PPSE get SFI. End of records."); + break; + } + + // here must bee an error catch! + if (sw != 0x9000) { + PrintAndLogEx(FAILED, "PPSE get Error. APDU error: %04x.", sw); + break; + } + + if (decodeTLV){ + TLVPrintFromBuffer(sfidata, sfidatalen); + } + + } + + + } + + + int retrycnt = 0; struct tlvdb *ttmp = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0xbf0c, 0x61, 0x00}); if (!ttmp) From a5f8454168600d638354ccbe19ff75f599060777 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Thu, 3 Jan 2019 13:41:28 +0200 Subject: [PATCH 2/6] added pse sfi files get --- client/emv/emvcore.c | 84 +++++++++++++++++++++++++++++++------------- 1 file changed, 60 insertions(+), 24 deletions(-) diff --git a/client/emv/emvcore.c b/client/emv/emvcore.c index 8b774eaf0..bc2fa1a1a 100644 --- a/client/emv/emvcore.c +++ b/client/emv/emvcore.c 
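Review bot: The return value of `EMVReadRecord` is stored in `res` but never examined in the new record loop; only `sw` is tested. `sw` is already 0x9000 on entry, because the added check after `EMVSelectPSE` returns otherwise. EMVReadRecord is not visible here, so this is an assumption, but if a read fails at the transport level without updating `sw`, the loop would hand stale `sfidata`/`sfidatalen` to `TLVPrintFromBuffer`. I would add `if (res) break;` directly after the call, ahead of the status-word tests. The same unchecked call remains in the reworked loop of PATCH 2/6 (`sfidata[ui]`), and the body of EMVSearchPSE continues outside the hunk.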
@@ -332,11 +332,38 @@ int EMVSelectPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO return res; } +int EMVSelectWithRetry(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t *AID, size_t AIDLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) { + int retrycnt = 0; + int res = 0; + do { + res = EMVSelect(channel, false, true, AID, AIDLen, Result, MaxResultLen, ResultLen, sw, tlv); + + // retry if error and not returned sw error + if (res && res != 5) { + if (++retrycnt < 3){ + continue; + } else { + // card select error, proxmark error + if (res == 1) { + PrintAndLogEx(WARNING, "Exit..."); + return 1; + } + + retrycnt = 0; + PrintAndLogEx(NORMAL, "Retry failed [%s]. Skiped...", sprint_hex_inrow(AID, AIDLen)); + return res; + } + } + } while (res && res != 5); + + return res; +} + int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, bool decodeTLV, struct tlvdb *tlv) { uint8_t data[APDU_RES_LEN] = {0}; size_t datalen = 0; - uint8_t sfidata[APDU_RES_LEN] = {0}; - size_t sfidatalen = 0; + uint8_t sfidata[0x11][APDU_RES_LEN] = {0}; + size_t sfidatalen[0x11] = {0}; uint16_t sw = 0; int res; 
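Review bot: `EMVSelectWithRetry` accepts `ActivateField` and `LeaveFieldON`, but the call inside the loop hard-codes `false, true`, so both parameters are silently ignored. Either forward them, `res = EMVSelect(channel, ActivateField, LeaveFieldON, AID, AIDLen, Result, MaxResultLen, ResultLen, sw, tlv);`, or drop them from the signature. The return codes 1 and 5 and the retry limit 3 are bare literals. The log strings suggest 1 is a reader/transport failure and 5 a status-word error, though the visible lines do not confirm this, so a short header comment stating the contract would help. The `retrycnt = 0;` just before `return res;` is a dead store.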
@@ -360,24 +387,45 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO for (uint8_t ui = 0x01; ui <= 0x10; ui++) { PrintAndLogEx(INFO, "* * Get SFI: 0x%02x. num: 0x%02x", sfin, ui); - res = EMVReadRecord(channel, true, sfin, ui, sfidata, sizeof(sfidata), &sfidatalen, &sw, NULL); + res = EMVReadRecord(channel, true, sfin, ui, sfidata[ui], APDU_RES_LEN, &sfidatalen[ui], &sw, NULL); // end of records if (sw == 0x6a83) { + sfidatalen[ui] = 0; PrintAndLogEx(INFO, "* * PPSE get SFI. End of records."); break; } - // here must bee an error catch! + // error catch! if (sw != 0x9000) { + sfidatalen[ui] = 0; PrintAndLogEx(FAILED, "PPSE get Error. APDU error: %04x.", sw); break; } if (decodeTLV){ - TLVPrintFromBuffer(sfidata, sfidatalen); + TLVPrintFromBuffer(sfidata[ui], sfidatalen[ui]); + } + } + + for (uint8_t ui = 0x01; ui <= 0x10; ui++) { + if (sfidatalen[ui]) { + struct tlvdb *tsfi = NULL; + tsfi = tlvdb_parse_multi(sfidata[ui], sfidatalen[ui]); + if (tsfi) { + struct tlvdb *tsfitmp = tlvdb_find_path(tsfi, (tlv_tag_t[]){0x70, 0x61, 0x00}); + if (!tsfitmp) { + PrintAndLogEx(FAILED, "SFI 0x%02d don't have records.", sfidatalen[ui]); + continue; + } + + // todo: check + PrintAndLogEx(INFO, "OK SFI 0x%02d.", sfidatalen[ui]); + + + } + tlvdb_free(tsfi); } - } @@ -385,7 +433,6 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO - int retrycnt = 0; struct tlvdb *ttmp = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0xbf0c, 0x61, 0x00}); if (!ttmp) PrintAndLogEx(FAILED, "PPSE don't have records."); 
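Review bot: The `continue` taken when `tlvdb_find_path` finds no 0x70/0x61 entry skips the `tlvdb_free(tsfi)` at the bottom of the loop body, so every record parsed from card data that lacks that path leaks its tree. Free before continuing: `tlvdb_free(tsfi); continue;`. The two new messages also pass `sfidatalen[ui]`, a `size_t`, to `%02d`, which is a format/argument mismatch and prints the record length rather than an identifier; `"SFI 0x%02x record 0x%02x don't have records.", sfin, ui` looks like what was meant. The leaking `continue` path is still present after PATCH 5/6.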
@@ -393,28 +440,17 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO while (ttmp) { const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x4f, NULL); if (tgAID) { - res = EMVSelect(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv); + res = EMVSelectWithRetry(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv); - // retry if error and not returned sw error - if (res && res != 5) { - if (++retrycnt < 3){ - continue; - } else { - // card select error, proxmark error - if (res == 1) { - PrintAndLogEx(WARNING, "Exit..."); - return 1; - } - - retrycnt = 0; - PrintAndLogEx(NORMAL, "Retry failed [%s]. Skiped...", sprint_hex_inrow(tgAID->value, tgAID->len)); - } - + // if returned sw error + if (res == 5) { // next element ttmp = tlvdb_find_next(ttmp, 0x61); continue; } - retrycnt = 0; + + if (res) + break; // all is ok if (decodeTLV){ From 723298d00cb2628e3f70375e489c7acb5ba59d12 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Thu, 3 Jan 2019 19:42:40 +0200 Subject: [PATCH 3/6] added new tlv function --- client/emv/tlv.c | 38 ++++++++++++++++++++++++++++++++++++++ client/emv/tlv.h | 3 +++ 2 files changed, 41 insertions(+) diff --git a/client/emv/tlv.c b/client/emv/tlv.c index 35bdb5d4c..a41d98c95 100644 --- a/client/emv/tlv.c +++ b/client/emv/tlv.c @@ -25,6 +25,7 @@ #include #include #include +#include #define TLV_TAG_CLASS_MASK 0xc0 #define TLV_TAG_COMPLEX 0x20 
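Review bot: `tgAID->len` comes straight from tag 4F in the card's response and is handed to `EMVSelectWithRetry` as `AIDLen` with no bounds check. EMV AIDs are 5 to 16 bytes; EMVSelect is not visible here, so whether it bounds the length before building the SELECT command cannot be confirmed from this hunk. A guard before the call, `if (tgAID->len < 5 || tgAID->len > 16) { ttmp = tlvdb_find_next(ttmp, 0x61); continue; }`, would keep a malformed directory entry out of the APDU builder. The same call is moved unchanged into `EMVCheckAID` in PATCH 5/6, and the `while (ttmp)` loop begins and ends outside the hunk.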
@@ -534,3 +535,40 @@ struct tlvdb *tlvdb_elm_get_parent(struct tlvdb *tlvdb) { return tlvdb->parent; } + +bool tlv_get_uint8(const struct tlv *etlv, uint8_t *value) +{ + *value = 0; + if (etlv) + { + if (etlv->len == 0) + return true; + + if (etlv->len == 1) + { + *value = etlv->value[0]; + return true; + } + } + return false; +} + +bool tlv_get_int(const struct tlv *etlv, int *value) +{ + *value = 0; + if (etlv) + { + if (etlv->len == 0) + return true; + + if (etlv->len <= 4) + { + for (int i = 0; i < etlv->len; i++) + { + *value += etlv->value[i] * pow(0x100, i); + } + return true; + } + } + return false; +} diff --git a/client/emv/tlv.h b/client/emv/tlv.h index b25b51de2..e3c7c97fa 100644 --- a/client/emv/tlv.h +++ b/client/emv/tlv.h @@ -61,4 +61,7 @@ unsigned char *tlv_encode(const struct tlv *tlv, size_t *len); bool tlv_is_constructed(const struct tlv *tlv); bool tlv_equal(const struct tlv *a, const struct tlv *b); +bool tlv_get_uint8(const struct tlv *etlv, uint8_t *value); +bool tlv_get_int(const struct tlv *etlv, int *value); + #endif From 00d4393af49a5d9a283ae53eaf40545e124adb7e Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Thu, 3 Jan 2019 19:43:01 +0200 Subject: [PATCH 4/6] tlv_get_uint8 --- client/emv/emvcore.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/emv/emvcore.c b/client/emv/emvcore.c index bc2fa1a1a..80affb6c1 100644 --- a/client/emv/emvcore.c +++ b/client/emv/emvcore.c @@ -381,8 +381,8 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO if (t) { struct tlvdb *tsfi = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0x88, 0x00}); if (tsfi) { - const struct tlv *tsfi_tlv = tlvdb_get_tlv(tsfi); - uint8_t sfin = tsfi_tlv->value[0]; + uint8_t sfin = 0; + tlv_get_uint8(tlvdb_get_tlv(tsfi), &sfin); PrintAndLogEx(INFO, "* PPSE get SFI: 0x%02x.", sfin); for (uint8_t ui = 0x01; ui <= 0x10; ui++) { 
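Review bot: `tlv_get_int` gives `value[i]` the weight 0x100^i, so it treats the first byte as least significant, whereas EMV binary numeric fields are normally encoded most-significant byte first. This is worth confirming against the intended callers, none of which appear in this series. Both helpers also write `*value = 0` and return `true` for a zero-length element, so a caller cannot tell an empty tag from an encoded zero. If that is deliberate, it deserves a comment on the declarations in tlv.h, for example `/* returns true and *value == 0 for an empty element; false if etlv is NULL or too long */`. Neither function checks `value` for NULL before the first store.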
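Review bot: The result of `tlv_get_uint8` is discarded in the EMVSearchPSE hunk of PATCH 4/6, so when tag 88 is empty or longer than one byte `sfin` stays 0 and the loop below still issues up to sixteen READ RECORD commands for SFI 0. Check the return and the range before using the value, `if (!tlv_get_uint8(tlvdb_get_tlv(tsfi), &sfin) || sfin < 1 || sfin > 30)`, and skip the SFI branch on failure (ISO 7816-4 short file identifiers run from 1 to 30). The enclosing `if (tsfi)` block continues outside the hunk.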
From b5c2ccb78f62d6eb5a5c87aa8c8a61810d514d75 Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Thu, 3 Jan 2019 20:07:08 +0200 Subject: [PATCH 5/6] pse/ppse works --- client/emv/emvcore.c | 77 +++++++++++++++++++++++++------------------- 1 file changed, 43 insertions(+), 34 deletions(-) diff --git a/client/emv/emvcore.c b/client/emv/emvcore.c index 80affb6c1..47705cc60 100644 --- a/client/emv/emvcore.c +++ b/client/emv/emvcore.c @@ -359,6 +359,38 @@ int EMVSelectWithRetry(EMVCommandChannel channel, bool ActivateField, bool Leave return res; } +int EMVCheckAID(EMVCommandChannel channel, bool decodeTLV, struct tlvdb *tlvdbelm, struct tlvdb *tlv){ + uint8_t data[APDU_RES_LEN] = {0}; + size_t datalen = 0; + int res = 0; + uint16_t sw = 0; + + while (tlvdbelm) { + const struct tlv *tgAID = tlvdb_get_inchild(tlvdbelm, 0x4f, NULL); + if (tgAID) { + res = EMVSelectWithRetry(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv); + + // if returned sw error + if (res == 5) { + // next element + tlvdbelm = tlvdb_find_next(tlvdbelm, 0x61); + continue; + } + + if (res) + break; + + // all is ok + if (decodeTLV){ + PrintAndLogEx(NORMAL, "%s:", sprint_hex_inrow(tgAID->value, tgAID->len)); + TLVPrintFromBuffer(data, datalen); + } + } + tlvdbelm = tlvdb_find_next(tlvdbelm, 0x61); + } + return res; +} + int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, bool decodeTLV, struct tlvdb *tlv) { uint8_t data[APDU_RES_LEN] = {0}; size_t datalen = 0; @@ -366,6 +398,7 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO size_t sfidatalen[0x11] = {0}; uint16_t sw = 0; int res; + bool fileFound = false; // select PPSE res = EMVSelectPSE(channel, ActivateField, true, PSENum, data, sizeof(data), &datalen, &sw); 
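Review bot: `EMVCheckAID` returns whatever the last `EMVSelectWithRetry` call produced, so a directory whose final entry is rejected with a status-word error ends with 5 even when earlier AIDs were selected successfully. It returns 0 when no entry carried tag 4F at all. If callers treat non-zero as failure (the return path of EMVSearchPSE is outside these hunks), that is probably not the intended outcome. Consider `res = 0;` before the `continue` in the `res == 5` branch, or state the contract in a header comment such as `/* returns 0 on success, otherwise the code of the last failed select */`. The new function has no comment explaining the literal 5 or the role of the `tlv` argument.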
@@ -379,6 +412,7 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO struct tlvdb *t = NULL; t = tlvdb_parse_multi(data, datalen); if (t) { + // PSE/PPSE with SFI struct tlvdb *tsfi = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0x88, 0x00}); if (tsfi) { uint8_t sfin = 0; @@ -418,49 +452,24 @@ int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldO PrintAndLogEx(FAILED, "SFI 0x%02d don't have records.", sfidatalen[ui]); continue; } - - // todo: check - PrintAndLogEx(INFO, "OK SFI 0x%02d.", sfidatalen[ui]); - - + res = EMVCheckAID(channel, decodeTLV, tsfitmp, tlv); + fileFound = true; } tlvdb_free(tsfi); } } - - } - + // PSE/PPSE plain (wo SFI) struct tlvdb *ttmp = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0xbf0c, 0x61, 0x00}); - if (!ttmp) - PrintAndLogEx(FAILED, "PPSE don't have records."); - - while (ttmp) { - const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x4f, NULL); - if (tgAID) { - res = EMVSelectWithRetry(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv); - - // if returned sw error - if (res == 5) { - // next element - ttmp = tlvdb_find_next(ttmp, 0x61); - continue; - } - - if (res) - break; - - // all is ok - if (decodeTLV){ - PrintAndLogEx(NORMAL, "%s:", sprint_hex_inrow(tgAID->value, tgAID->len)); - TLVPrintFromBuffer(data, datalen); - } - } - - ttmp = tlvdb_find_next(ttmp, 0x61); + if (ttmp) { + res = EMVCheckAID(channel, decodeTLV, ttmp, tlv); + fileFound = true; } + + if (!fileFound) + PrintAndLogEx(FAILED, "PPSE don't have records."); tlvdb_free(t); } else { From a86c6fa1a8cf10dac8b8d4f4849f455e562e38af Mon Sep 17 00:00:00 2001 From: merlokk <807634+merlokk@users.noreply.github.com> Date: Thu, 3 Jan 2019 21:00:07 +0200 Subject: [PATCH 6/6] get rid of math.h ) --- client/emv/tlv.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/client/emv/tlv.c b/client/emv/tlv.c index a41d98c95..013e9735a 100644 --- a/client/emv/tlv.c 
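Review bot: Inside the per-record loop the result of `EMVCheckAID` is assigned to `res` and then ignored, so a return of 1, the value `EMVSelectWithRetry` uses for its "Exit..." path, does not stop the scan. The remaining records and then the plain PPSE branch are still tried, and the second `res = EMVCheckAID(...)` overwrites the first result. I would stop on the hard error, `if (res == 1) { tlvdb_free(tsfi); break; }` after the call, and skip the plain branch when `res == 1`. `fileFound = true;` is also set regardless of whether any AID was actually selected, so the "PPSE don't have records." message only reflects whether a path existed; a one-line comment saying so would avoid misreading it.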
+++ b/client/emv/tlv.c @@ -25,7 +25,6 @@ #include #include #include -#include #define TLV_TAG_CLASS_MASK 0xc0 #define TLV_TAG_COMPLEX 0x20 @@ -565,7 +564,7 @@ bool tlv_get_int(const struct tlv *etlv, int *value) { for (int i = 0; i < etlv->len; i++) { - *value += etlv->value[i] * pow(0x100, i); + *value += etlv->value[i] * (1 << (i * 8)); } return true; }
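Review bot: With `etlv->len == 4` the last term is `etlv->value[3] * (1 << 24)`, evaluated in `int`. Assuming a 32-bit `int`, any top byte of 0x80 or more overflows a signed integer, which is undefined behaviour, and that byte comes from card-supplied TLV data. Accumulate in an unsigned type instead: `uint32_t acc = 0;` before the loop, `acc |= (uint32_t)etlv->value[i] << (i * 8);` inside it and `*value = (int)acc;` after it. The index `i` is an `int` compared against `etlv->len`, whose type is not visible here; matching the index type to it would avoid a signed/unsigned comparison. The function begins outside the hunk.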