mirror of
https://github.com/RfidResearchGroup/proxmark3.git
synced 2024-09-20 23:36:31 +08:00
448 lines
16 KiB
C
448 lines
16 KiB
C
//-----------------------------------------------------------------------------
|
|
// Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// See LICENSE.txt for the text of the license.
|
|
//-----------------------------------------------------------------------------
|
|
// Routines to support Picopass <-> SAM communication
|
|
//-----------------------------------------------------------------------------
|
|
#include "sam_picopass.h"
|
|
#include "iclass.h"
|
|
#include "crc16.h"
|
|
#include "proxmark3_arm.h"
|
|
#include "BigBuf.h"
|
|
#include "cmd.h"
|
|
#include "commonutil.h"
|
|
#include "ticks.h"
|
|
#include "dbprint.h"
|
|
#include "i2c.h"
|
|
#include "iso15693.h"
|
|
#include "protocols.h"
|
|
#include "optimized_cipher.h"
|
|
#include "fpgaloader.h"
|
|
|
|
static int sam_rxtx(const uint8_t *data, uint16_t n, uint8_t *resp, uint16_t *resplen) {
|
|
|
|
StartTicks();
|
|
|
|
bool res = I2C_BufferWrite(data, n, I2C_DEVICE_CMD_SEND_T0, I2C_DEVICE_ADDRESS_MAIN);
|
|
if (res == false) {
|
|
DbpString("failed to send to SIM CARD");
|
|
goto out;
|
|
}
|
|
|
|
*resplen = ISO7816_MAX_FRAME;
|
|
|
|
res = sc_rx_bytes(resp, resplen, SIM_WAIT_DELAY);
|
|
if (res == false) {
|
|
DbpString("failed to receive from SIM CARD");
|
|
goto out;
|
|
}
|
|
|
|
if (*resplen < 2) {
|
|
DbpString("received too few bytes from SIM CARD");
|
|
res = false;
|
|
goto out;
|
|
}
|
|
|
|
uint16_t more_len = 0;
|
|
|
|
if (resp[*resplen - 2] == 0x61 || resp[*resplen - 2] == 0x9F) {
|
|
more_len = resp[*resplen - 1];
|
|
} else {
|
|
// we done, return
|
|
goto out;
|
|
}
|
|
|
|
// Don't discard data we already received except the SW code.
|
|
// If we only received 1 byte, this is the echo of INS, we discard it.
|
|
*resplen -= 2;
|
|
if (*resplen == 1) {
|
|
*resplen = 0;
|
|
}
|
|
|
|
uint8_t cmd_getresp[] = {0x00, ISO7816_GET_RESPONSE, 0x00, 0x00, more_len};
|
|
|
|
res = I2C_BufferWrite(cmd_getresp, sizeof(cmd_getresp), I2C_DEVICE_CMD_SEND_T0, I2C_DEVICE_ADDRESS_MAIN);
|
|
if (res == false) {
|
|
DbpString("failed to send to SIM CARD 2");
|
|
goto out;
|
|
}
|
|
|
|
more_len = 255 - *resplen;
|
|
|
|
res = sc_rx_bytes(resp + *resplen, &more_len, SIM_WAIT_DELAY);
|
|
if (res == false) {
|
|
DbpString("failed to receive from SIM CARD 2");
|
|
goto out;
|
|
}
|
|
|
|
*resplen += more_len;
|
|
|
|
out:
|
|
StopTicks();
|
|
return res;
|
|
}
|
|
|
|
// using HID SAM to authenticate w PICOPASS
|
|
int sam_picopass_get_pacs(void) {
|
|
|
|
static uint8_t act_all[] = { ICLASS_CMD_ACTALL };
|
|
static uint8_t identify[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x00, 0x73, 0x33 };
|
|
static uint8_t read_conf[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x01, 0xfa, 0x22 };
|
|
uint8_t select[] = { 0x80 | ICLASS_CMD_SELECT, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
|
|
uint8_t read_aia[] = { ICLASS_CMD_READ_OR_IDENTIFY, 0x05, 0xde, 0x64};
|
|
uint8_t read_check_cc[] = { 0x80 | ICLASS_CMD_READCHECK, 0x02 };
|
|
|
|
picopass_hdr_t hdr = {0};
|
|
// Bit 4: K.If this bit equals to one, the READCHECK will use the Credit Key (Kc); if equals to zero, Debit Key (Kd) will be used
|
|
// bit 7: parity.
|
|
// if (use_credit_key)
|
|
// read_check_cc[0] = 0x10 | ICLASS_CMD_READCHECK;
|
|
|
|
BigBuf_free_keep_EM();
|
|
|
|
clear_trace();
|
|
|
|
I2C_Reset_EnterMainProgram();
|
|
StopTicks();
|
|
|
|
uint8_t *resp = BigBuf_calloc(ISO7816_MAX_FRAME);
|
|
|
|
bool shallow_mod = false;
|
|
uint16_t resp_len = 0;
|
|
int res;
|
|
uint32_t eof_time = 0;
|
|
|
|
// wakeup
|
|
Iso15693InitReader();
|
|
|
|
uint32_t start_time = GetCountSspClk();
|
|
iclass_send_as_reader(act_all, 1, &start_time, &eof_time, shallow_mod);
|
|
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_ACTALL, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
// send Identify
|
|
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
|
|
iclass_send_as_reader(identify, 1, &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 10-byte response here, 8 byte anticollision-CSN and 2 byte CRC
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 10) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
// copy the Anti-collision CSN to our select-packet
|
|
memcpy(&select[1], resp, 8);
|
|
|
|
// select the card
|
|
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
|
|
iclass_send_as_reader(select, sizeof(select), &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 10-byte response here, 8 byte CSN and 2 byte CRC
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 10) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
// store CSN
|
|
memcpy(hdr.csn, resp, sizeof(hdr.csn));
|
|
|
|
// card selected, now read config (block1) (only 8 bytes no CRC)
|
|
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
|
|
iclass_send_as_reader(read_conf, sizeof(read_conf), &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 8-byte response here
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 10) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
// store CONFIG
|
|
memcpy((uint8_t *)&hdr.conf, resp, sizeof(hdr.conf));
|
|
|
|
uint8_t pagemap = get_pagemap(&hdr);
|
|
if (pagemap == PICOPASS_NON_SECURE_PAGEMODE) {
|
|
res = PM3_EWRONGANSWER;
|
|
goto out;
|
|
}
|
|
|
|
// read App Issuer Area block 5
|
|
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
|
|
iclass_send_as_reader(read_aia, sizeof(read_aia), &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 10-byte response here
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 10) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
// store AIA
|
|
memcpy(hdr.app_issuer_area, resp, sizeof(hdr.app_issuer_area));
|
|
|
|
// card selected, now read e-purse (cc) (block2) (only 8 bytes no CRC)
|
|
start_time = eof_time + DELAY_ICLASS_VICC_TO_VCD_READER;
|
|
iclass_send_as_reader(read_check_cc, sizeof(read_check_cc), &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 8-byte response here
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 8) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
// store EPURSE
|
|
memcpy(hdr.epurse, resp, sizeof(hdr.epurse));
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// SAM comms
|
|
// -----------------------------------------------------------------------------
|
|
size_t sam_len = 0;
|
|
uint8_t *sam_apdu = BigBuf_calloc(ISO7816_MAX_FRAME);
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// first
|
|
// a0 da 02 63 1a 44 0a 44 00 00 00 a0 12 ad 10 a0 0e 80 02 00 04 81 08 9b fc a4 00 fb ff 12 e0
|
|
hexstr_to_byte_array("a0da02631a440a44000000a012ad10a00e800200048108", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + sam_len, hdr.csn, sizeof(hdr.csn));
|
|
sam_len += sizeof(hdr.csn);
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 1", resp, resp_len);
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// second
|
|
// a0 da 02 63 0d 44 0a 44 00 00 00 a0 05 a1 03 80 01 04
|
|
hexstr_to_byte_array("a0da02630d440a44000000a005a103800104", sam_apdu, &sam_len);
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 2", resp, resp_len);
|
|
|
|
// TAG response
|
|
// -- 0c 05 de64 // read block 5
|
|
// Tag|c00a140a000000a110a10e8004 0c05de64 8102 0004 820201f4
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// third AIA block 5
|
|
// a0da02631c140a00000000bd14a012a010800a ffffff0006fffffff88e 81020000
|
|
// picopass legacy is fixed. wants AIA and crc. ff ff ff ff ff ff ff ff ea f5
|
|
// picpoasss SE ff ff ff 00 06 ff ff ff f8 8e
|
|
hexstr_to_byte_array("a0da02631c140a00000000bd14a012a010800affffff0006fffffff88e81020000", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + 19, hdr.app_issuer_area, sizeof(hdr.app_issuer_area));
|
|
AddCrc(sam_apdu + 19, 8);
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 3", resp, resp_len);
|
|
|
|
// 88 02 -- readcheck (block2 epurse, start of auth)
|
|
// Tag|c00a140a000000a10ea10c8002 8802 8102 0004 820201f4 9000
|
|
// 61 16 f5 0a140a000000a10ea10c 8002 8802 8102 0004 820201f4 9000
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// forth EPURSE
|
|
// a0da02631a140a00000000bd12a010a00e8008 ffffffffedffffff 81020000
|
|
hexstr_to_byte_array("a0da02631a140a00000000bd12a010a00e8008ffffffffedffffff81020000", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + 19, hdr.epurse, sizeof(hdr.epurse));
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 4", resp, resp_len);
|
|
|
|
uint8_t nr_mac[9] = {0};
|
|
memcpy(nr_mac, resp + 11, sizeof(nr_mac));
|
|
// resp here hold the whole NR/MAC
|
|
// 05 9bcd475e965ee20e // CHECK (w key)
|
|
print_dbg("NR/MAC", nr_mac, sizeof(nr_mac));
|
|
|
|
// c00a140a000000a115a1138009 059bcd475e965ee20e 8102 0004 820201f4 9000
|
|
|
|
// pre calc ourself?
|
|
// uint8_t cc_nr[] = {0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0};
|
|
uint8_t div_key[8] = {0};
|
|
static uint8_t legacy_aa1_key[] = {0xAE, 0xA6, 0x84, 0xA6, 0xDA, 0xB2, 0x32, 0x78};
|
|
iclass_calc_div_key(hdr.csn, legacy_aa1_key, div_key, false);
|
|
|
|
uint8_t mac[4] = {0};
|
|
if (g_dbglevel == DBG_DEBUG) {
|
|
uint8_t wb[16] = {0};
|
|
memcpy(wb, hdr.epurse, sizeof(hdr.epurse));
|
|
memcpy(wb + sizeof(hdr.epurse), nr_mac + 1, 4);
|
|
print_dbg("cc_nr...", wb, sizeof(wb));
|
|
doMAC_N(wb, sizeof(wb), div_key, mac);
|
|
print_dbg("Calc MAC...", mac, sizeof(mac));
|
|
}
|
|
|
|
// start ssp clock again...
|
|
StartCountSspClk();
|
|
|
|
// NOW we auth against tag
|
|
uint8_t cmd_check[9] = { ICLASS_CMD_CHECK };
|
|
memcpy(cmd_check + 1, nr_mac + 1, 8);
|
|
|
|
start_time = GetCountSspClk();
|
|
iclass_send_as_reader(cmd_check, sizeof(cmd_check), &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 10-byte response here
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 4) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
// store MAC
|
|
memcpy(mac, resp, sizeof(mac));
|
|
print_dbg("Got MAC", mac, sizeof(mac));
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// fifth send received MAC
|
|
// A0DA026316140A00000000BD0EA00CA00A8004 311E32E9 81020000
|
|
hexstr_to_byte_array("A0DA026316140A00000000BD0EA00CA00A8004311E32E981020000", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + 19, mac, sizeof(mac));
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 5", resp, resp_len);
|
|
|
|
uint8_t tmp_p1[4] = {0};
|
|
uint8_t tmp_p2[4] = {0};
|
|
|
|
// c161c10000a11aa118800e8702 ffffffff88ffffff 0a914eb981020004820236b09000
|
|
|
|
memcpy(tmp_p1, resp + 13, sizeof(tmp_p1));
|
|
memcpy(tmp_p2, resp + 13 + 4, sizeof(tmp_p2));
|
|
// -----------------------------------------------------------------------------
|
|
// sixth send fake epurse update
|
|
// A0DA02631C140A00000000BD14A012A010800A 88FFFFFFFFFFFFFF9DE1 81020000
|
|
hexstr_to_byte_array("A0DA02631C140A00000000BD14A012A010800A88FFFFFFFFFFFFFF9DE181020000", sam_apdu, &sam_len);
|
|
|
|
memcpy(sam_apdu + 19, tmp_p2, sizeof(tmp_p1));
|
|
memcpy(sam_apdu + 19 + 4, tmp_p1, sizeof(tmp_p1));
|
|
AddCrc(sam_apdu + 19, 8);
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 6", resp, resp_len);
|
|
// c1 61 c1 00 00 a1 10 a1 0e 80 04 0c 06 45 56 81 02 00 04 82 02 01 f4 90 00
|
|
|
|
// read block 6
|
|
StartCountSspClk();
|
|
start_time = GetCountSspClk();
|
|
iclass_send_as_reader(resp + 11, 4, &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 10-byte response here
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS || resp_len != 10) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("Block 6 from Picopass", resp, resp_len);
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// eight send block 6 config to SAM
|
|
// A0DA02631C140A00000000BD14A012A010800A 030303030003E0174323 81020000
|
|
hexstr_to_byte_array("A0DA02631C140A00000000BD14A012A010800A030303030003E017432381020000", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + 19, resp, resp_len);
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 7", resp, resp_len);
|
|
|
|
// c161c10000a110a10e8004 0606455681020004820201f49000
|
|
|
|
// read the credential blocks
|
|
StartCountSspClk();
|
|
start_time = GetCountSspClk();
|
|
iclass_send_as_reader(resp + 11, 4, &start_time, &eof_time, shallow_mod);
|
|
|
|
// expect a 10-byte response here
|
|
res = GetIso15693AnswerFromTag(resp, ISO7816_MAX_FRAME, ICLASS_READER_TIMEOUT_OTHERS, &eof_time, false, true, &resp_len);
|
|
if (res != PM3_SUCCESS) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("Block 6-9 from Picopass", resp, resp_len);
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// nine send credential blocks to SAM
|
|
// A0DA026334140A00000000BD2CA02AA0288022 030303030003E017769CB4A198E0DEC82AD4C8211F9968712BE7393CF8E71D7E804C 81020000
|
|
hexstr_to_byte_array("A0DA026334140A00000000BD2CA02AA0288022030303030003E017769CB4A198E0DEC82AD4C8211F9968712BE7393CF8E71D7E804C81020000", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + 19, resp, resp_len);
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
print_dbg("-- 8", resp, resp_len);
|
|
|
|
|
|
// -----------------------------------------------------------------------------
|
|
// TEN ask for PACS data
|
|
// A0DA02630C440A00000000BD04A0028200
|
|
hexstr_to_byte_array("A0DA02630C440A00000000BD04A0028200", sam_apdu, &sam_len);
|
|
memcpy(sam_apdu + 19, resp, resp_len);
|
|
|
|
if (sam_rxtx(sam_apdu, sam_len, resp, &resp_len) == false) {
|
|
res = PM3_ECARDEXCHANGE;
|
|
goto out;
|
|
}
|
|
|
|
print_dbg("-- 9 response", resp, resp_len);
|
|
if (memcmp(resp, "\xc1\x64\x00\x00\x00\xbd\x17\x8a\x15", 9) == 0) {
|
|
res = PM3_ENOPACS;
|
|
goto out;
|
|
}
|
|
|
|
// c164000000bd098a07 030506951f9a00 9000
|
|
uint8_t *pacs = BigBuf_calloc(resp[8]);
|
|
memcpy(pacs, resp + 9, resp[8]);
|
|
|
|
print_dbg("-- 10 PACS data", pacs, resp[8]);
|
|
|
|
reply_ng(CMD_HF_SAM_PICOPASS, PM3_SUCCESS, pacs, resp[8]);
|
|
res = PM3_SUCCESS;
|
|
goto off;
|
|
|
|
out:
|
|
reply_ng(CMD_HF_SAM_PICOPASS, res, NULL, 0);
|
|
|
|
off:
|
|
switch_off();
|
|
BigBuf_free();
|
|
return res;
|
|
}
|
|
|
|
// HID SAM <-> MFC
|
|
// HID SAM <-> SEOS
|