RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-09-20 15:26:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

hf mfdes enum - fixes WIP

Browse source
This commit is contained in:
iceman1001 2020-03-17 11:37:38 +01:00
parent 8cf88c5cd5
commit fe0d9c8d9f
4 changed files with 65 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
armsrc/mifaredesfire.c
View file

@ -15,6 +15,7 @@
#include "mbedtls/aes.h"
#include "commonutil.h"
#include "util.h"
#include "mifare.h"
#define MAX_APPLICATION_COUNT 28
#define MAX_FILE_COUNT 16
@ -35,6 +36,8 @@ static uint8_t deselect_cmd[] = {0xc2, 0xe0, 0xb4};
bool InitDesfireCard() {
pcb_blocknum = 0;
iso14a_card_select_t card;
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
@ -48,28 +51,14 @@ bool InitDesfireCard() {
return true;
}
// ARG0 flag enums
enum {
NONE = 0x00,
INIT = 0x01,
DISCONNECT = 0x02,
CLEARTRACE = 0x04,
BAR = 0x08,
} CmdOptions ;
void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
/* ARG0 contains flags.
0x01 = init card.
0x02 = Disconnect
0x03
*/
uint8_t flags = arg0;
size_t datalen = arg1;
uint8_t resp[RECEIVE_SIZE];
memset(resp, 0, sizeof(resp));
if (DBGLEVEL >= 4) {
if (DBGLEVEL >= DBG_EXTENDED) {
Dbprintf(" flags : %02X", flags);
Dbprintf(" len : %02X", datalen);
print_result(" RX : ", datain, datalen);
@ -79,12 +68,13 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
clear_trace();
if (flags & INIT) {
if (!InitDesfireCard())
if (!InitDesfireCard()) {
return;
}
}
int len = DesfireAPDU(datain, datalen, resp);
if (DBGLEVEL >= 4)
if (DBGLEVEL >= DBG_EXTENDED)
print_result("RESP <--: ", resp, len);
if (!len) {
@ -92,9 +82,6 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain) {
return;
}
// reset the pcb_blocknum,
pcb_blocknum = 0;
if (flags & DISCONNECT)
OnSuccess();
@ -482,7 +469,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
// dekryptera tagnonce.
if (mbedtls_aes_setkey_dec(&ctx, key->data, 128) != 0) {
if (DBGLEVEL >= 4) {
if (DBGLEVEL >= DBG_EXTENDED) {
DbpString("mbedtls_aes_setkey_dec failed");
}
OnError(7);
@ -495,7 +482,7 @@ void MifareDES_Auth1(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
memcpy(both + 16, decRndB, 16);
uint8_t encBoth[32] = {0x00};
if (mbedtls_aes_setkey_enc(&ctx, key->data, 128) != 0) {
if (DBGLEVEL >= 4) {
if (DBGLEVEL >= DBG_EXTENDED) {
DbpString("mbedtls_aes_setkey_enc failed");
}
OnError(7);
@ -549,23 +536,23 @@ int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout) {
wrappedLen = CreateAPDU(cmd, cmd_len, wCmd);
if (DBGLEVEL >= 4)
if (DBGLEVEL >= DBG_EXTENDED)
print_result("WCMD <--: ", wCmd, wrappedLen);
ReaderTransmit(wCmd, wrappedLen, NULL);
len = ReaderReceive(resp, par);
if (!len) {
if (DBGLEVEL >= 4) Dbprintf("fukked");
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("fukked");
return false; //DATA LINK ERROR
}
// if we received an I- or R(ACK)-Block with a block number equal to the
// current block number, toggle the current block number
else if (len >= 4 // PCB+CID+CRC = 4 bytes
if (len >= 4 // PCB+CID+CRC = 4 bytes
&& ((resp[0] & 0xC0) == 0 // I-Block
|| (resp[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
&& (resp[0] & 0x01) == pcb_blocknum) { // equal block numbers
pcb_blocknum ^= 1; //toggle next block
pcb_blocknum ^= 1; //toggle next block
}
memcpy(dataout, resp, len);
@ -583,6 +570,8 @@ size_t CreateAPDU(uint8_t *datain, size_t len, uint8_t *dataout) {
cmd[0] = 0x02; // 0x0A = send cid, 0x02 = no cid.
cmd[0] |= pcb_blocknum; // OR the block number into the PCB
if (DBGLEVEL >= DBG_EXTENDED) Dbprintf("pcb_blocknum %d == %d ", pcb_blocknum, cmd[0] );
cmd[1] = 0x90; // CID: 0x00 //TODO: allow multiple selected cards
memcpy(cmd + 2, datain, len);

82
client/cmdhfmfdes.c
View file

@ -19,6 +19,7 @@
#include "mbedtls/des.h"
#include "crypto/libpcrypto.h"
#include "protocols.h"
#include "mifare.h" // desfire raw command options
uint8_t key_zero_data[16] = { 0x00 };
uint8_t key_ones_data[16] = { 0x01 };
@ -299,54 +300,49 @@ void getKeySettings(uint8_t *aid) {
PrintAndLogEx(SUCCESS, " Master key Version : " _YELLOW_("%d (0x%02x)"), resp.data.asBytes[3], resp.data.asBytes[3]);
PrintAndLogEx(INFO, " ----------------------------------------------------------");
}
{
// 0x0A
uint8_t data[] = {AUTHENTICATE, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x0A, KEY 0
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT | DISCONNECT, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {return;}
isOK = resp.data.asBytes[2] & 0xff;
if (resp.length == 13)
PrintAndLogEx(SUCCESS, " [0x0A] Authenticate : %s", (isOK == 0xAE) ? "NO" : _YELLOW_("YES"));
PrintAndLogEx(SUCCESS, " [0x0A] Authenticate : %s", (resp.length == 13) ? _YELLOW_("YES") : "NO");
{
// 0x1A
uint8_t data[] = {AUTHENTICATE_ISO, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x1A, KEY 0
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT | DISCONNECT, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {return;}
isOK = resp.data.asBytes[2] & 0xff;
if (resp.length >= 13)
PrintAndLogEx(SUCCESS, " [0x1A] Authenticate ISO : %s", (isOK == 0xAE) ? "NO" : _YELLOW_("YES"));
PrintAndLogEx(SUCCESS, " [0x1A] Authenticate ISO : %s", (resp.length >= 13) ? _YELLOW_("YES") : "NO");
{
// 0xAA
uint8_t data[] = {AUTHENTICATE_AES, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0xAA, KEY 0
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT | DISCONNECT, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {return;}
isOK = resp.data.asBytes[2] & 0xff;
if (resp.length == 13)
PrintAndLogEx(SUCCESS, " [0xAA] Authenticate AES : %s", (isOK == 0xAE) ? "NO" : _YELLOW_("YES"));
PrintAndLogEx(SUCCESS, " [0xAA] Authenticate AES : %s", (resp.length >= 13) ? _YELLOW_("YES") : "NO");
PrintAndLogEx(INFO, "-------------------------------------------------------------");
} else {
// AID - APPLICATIO MASTER KEYS
// AID - APPLICATION MASTER KEYS
PrintAndLogEx(SUCCESS, " AMK - Application Master Key settings");
PrintAndLogEx(INFO, " ----------------------------------------------------------");
PrintAndLogEx(INFO, "Selecting AID: %s", sprint_hex(aid, 3) );
PrintAndLogEx(INFO, " ----------------------------------------------------------");
PrintAndLogEx(INFO, " select AID: " _YELLOW_("%s"), sprint_hex(aid, 3) );
// SELECT AID
{
uint8_t data[] = {SELECT_APPLICATION, 0x00, 0x00, 0x00}; // 0x5a
memcpy(data + 1, aid, 3);
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT | CLEARTRACE, sizeof(data), 0, data, sizeof(data));
uint8_t data[] = {SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a
//memcpy(data + 1, aid, 3);
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
PrintAndLogEx(WARNING, _RED_(" Timed-out"));
return;
}
@ -362,7 +358,7 @@ void getKeySettings(uint8_t *aid) {
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
return;
}
isOK = resp.oldarg[0] & 0xff;
@ -370,15 +366,15 @@ void getKeySettings(uint8_t *aid) {
PrintAndLogEx(WARNING, _RED_(" Can't read Application Master key settings"));
} else {
// Access rights.
uint8_t rights = (resp.data.asBytes[3] >> 4 & 0xff);
uint8_t rights = (resp.data.asBytes[1] >> 4 & 0x0F);
switch (rights) {
case 0x00:
case 0x0:
str = "AMK authentication is necessary to change any key (default)";
break;
case 0x0e:
case 0xE:
str = "Authentication with the key to be changed (same KeyNo) is necessary to change a key";
break;
case 0x0f:
case 0xF:
str = "All keys (except AMK,see Bit0) within this application are frozen";
break;
default:
@ -389,20 +385,20 @@ void getKeySettings(uint8_t *aid) {
PrintAndLogEx(SUCCESS, "-- " _GREEN_("%s"), str);
PrintAndLogEx(SUCCESS, "");
// same as CMK
str = (resp.data.asBytes[3] & (1 << 3)) ? "YES" : "NO";
str = (resp.data.asBytes[1] & (1 << 3)) ? "YES" : "NO";
PrintAndLogEx(SUCCESS, " 0x08 Configuration changeable : %s", str);
str = (resp.data.asBytes[3] & (1 << 2)) ? "NO" : "YES";
str = (resp.data.asBytes[1] & (1 << 2)) ? "NO" : "YES";
PrintAndLogEx(SUCCESS, " 0x04 AMK required for create/delete : %s", str);
str = (resp.data.asBytes[3] & (1 << 1)) ? "NO" : "YES";
str = (resp.data.asBytes[1] & (1 << 1)) ? "NO" : "YES";
PrintAndLogEx(SUCCESS, " 0x02 Directory list access with AMK : %s", str);
str = (resp.data.asBytes[3] & (1 << 0)) ? "YES" : "NO";
str = (resp.data.asBytes[1] & (1 << 0)) ? "YES" : "NO";
PrintAndLogEx(SUCCESS, " 0x01 AMK is changeable : %s", str);
}
// KEY VERSION - AMK
{
uint8_t data[] = {GET_KEY_VERSION, 0x00, 0x00, 0x00}; // 0x64
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(data), 0, data, sizeof(data));
uint8_t data[] = {GET_KEY_VERSION, 0x00, 0x00, 0x01, 0x00, 0x00}; // 0x64
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, DISCONNECT, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
@ -439,8 +435,8 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
uint8_t isOK = 0x00;
uint8_t aid[3];
{
uint8_t data[1] = {GET_APPLICATION_IDS}; //0x6a
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT | DISCONNECT, sizeof(data), 0, data, sizeof(data));
uint8_t data[] = {GET_APPLICATION_IDS, 0x00, 0x00, 0x00}; //0x6a
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT | CLEARTRACE | DISCONNECT, sizeof(data), 0, data, sizeof(data));
}
PacketResponseNG resp;
@ -454,17 +450,18 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
return PM3_ESOFT;
}
PrintAndLogEx(NORMAL, "");
PrintAndLogEx(SUCCESS, "-- Desfire Enumerate Applications ---------------------------");
PrintAndLogEx(INFO, "-- Desfire Enumerate Applications ---------------------------");
PrintAndLogEx(INFO, "-------------------------------------------------------------");
PacketResponseNG respAid;
PacketResponseNG respFiles;
// PacketResponseNG respAid;
// PacketResponseNG respFiles;
uint8_t num = 0;
int max = resp.oldarg[1] - 3 - 2;
PrintAndLogEx(INFO," MAX %d", max);
for (int i = 3; i <= max; i += 3) {
PrintAndLogEx(SUCCESS, " Aid %d : %02X %02X %02X ", num, resp.data.asBytes[i], resp.data.asBytes[i + 1], resp.data.asBytes[i + 2]);
for (int i = 1; i < max; i += 3) {
PrintAndLogEx(SUCCESS, " Aid %d : %02X %02X %02X ", num, resp.data.asBytes[i], resp.data.asBytes[i+1], resp.data.asBytes[i+2]);
num++;
aid[0] = resp.data.asBytes[i];
@ -472,11 +469,11 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
aid[2] = resp.data.asBytes[i + 2];
getKeySettings(aid);
/*
// Select Application
{
uint8_t data[4] = {SELECT_APPLICATION}; // 0x5a
memcpy(data + 1, &resp.data.asBytes[i], 3);
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, INIT, sizeof(data), 0, data, sizeof(data));
uint8_t data[] = {SELECT_APPLICATION, 0x00, 0x00, 0x03, aid[0], aid[1], aid[2], 0x00}; // 0x5a
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(data), 0, data, sizeof(data));
}
if (!WaitForResponseTimeout(CMD_ACK, &respAid, 1500)) {
@ -491,7 +488,7 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
// Get File IDs
{
uint8_t data[1] = {GET_FILE_IDS}; // 0x6f
uint8_t data[] = {GET_FILE_IDS, 0x00, 0x00, 0x00}; // 0x6f
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, NONE, sizeof(data), 0, data, sizeof(data));
}
@ -512,7 +509,7 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
// Get ISO File IDs
{
uint8_t data[1] = {GET_ISOFILE_IDS}; // 0x61
uint8_t data[] = {GET_ISOFILE_IDS, 0x00, 0x00, 0x00}; // 0x61
SendCommandMIX(CMD_HF_DESFIRE_COMMAND, DISCONNECT, sizeof(data), 0, data, sizeof(data));
}
@ -530,6 +527,7 @@ static int CmdHF14ADesEnumApplications(const char *Cmd) {
}
}
}
*/
}
PrintAndLogEx(INFO, "-------------------------------------------------------------");
return PM3_SUCCESS;

10
client/cmdhfmfdes.h
View file

@ -19,16 +19,6 @@ char *getProtocolStr(uint8_t id);
char *getVersionStr(uint8_t major, uint8_t minor);
void getKeySettings(uint8_t *aid);
// Command options for Desfire behavior.
enum {
NONE = 0x00,
INIT = 0x01,
DISCONNECT = 0x02,
CLEARTRACE = 0x04,
BAR = 0x08,
} CmdOptions ;
#define CREATE_APPLICATION 0xca
#define DELETE_APPLICATION 0xda
#define GET_APPLICATION_IDS 0x6a

10
include/mifare.h
View file

@ -70,6 +70,16 @@ typedef struct {
uint32_t ProxToAirDuration;
uint8_t par; // enough for precalculated parity of 8 Byte responses
} PACKED tag_response_info_t;
// DESFIRE_RAW flag enums
typedef enum DESFIRE_COMMAND {
NONE = 0x00,
INIT = 0x01,
DISCONNECT = 0x02,
CLEARTRACE = 0x04,
BAR = 0x10,
} desfire_command_t;
//-----------------------------------------------------------------------------
// ISO 14443B
//-----------------------------------------------------------------------------