[proxmark3-svn] / client / cmdsmartcard.c

//-----------------------------------------------------------------------------
// Copyright (C) 2018 iceman
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// Proxmark3 RDV40 Smartcard module commands
//-----------------------------------------------------------------------------
#include "cmdsmartcard.h"

#include <ctype.h>

#include "ui.h"
#include "cmdparser.h"
#include "util.h"
#include "smartcard.h"
#include "comms.h"
#include "protocols.h"
#include "cmdhf.h"              // CmdHFlist
#include "emv/apduinfo.h"       // APDUcode description
#include "emv/emvcore.h"        // decodeTVL


static int CmdHelp(const char *Cmd);

static int usage_sm_raw(void) {
	PrintAndLogEx(NORMAL, "Usage: sc raw [h|r|c] d <0A 0B 0C ... hex>");
	PrintAndLogEx(NORMAL, "       h          :  this help");
	PrintAndLogEx(NORMAL, "       r          :  do not read response");
	PrintAndLogEx(NORMAL, "       a          :  active smartcard without select");
	PrintAndLogEx(NORMAL, "       s          :  active smartcard with select");
	PrintAndLogEx(NORMAL, "       t          :  executes TLV decoder if it possible");
	PrintAndLogEx(NORMAL, "       d <bytes>  :  bytes to send");
	PrintAndLogEx(NORMAL, "");
	PrintAndLogEx(NORMAL, "Examples:");
	PrintAndLogEx(NORMAL, "        sc raw d 00a404000e315041592e5359532e444446303100    - `1PAY.SYS.DDF01` PPSE directory");
	PrintAndLogEx(NORMAL, "        sc raw d 00a404000e325041592e5359532e444446303100    - `2PAY.SYS.DDF01` PPSE directory");
	return 0;
}

static int usage_sm_reader(void) {
	PrintAndLogEx(NORMAL, "Usage: sc reader [h|s]");
	PrintAndLogEx(NORMAL, "       h          :  this help");
	PrintAndLogEx(NORMAL, "       s          :  silent (no messages)");
	PrintAndLogEx(NORMAL, "");
	PrintAndLogEx(NORMAL, "Examples:");
	PrintAndLogEx(NORMAL, "        sc reader");
	return 0;
}

static int usage_sm_info(void) {
	PrintAndLogEx(NORMAL, "Usage: s info [h|s]");
	PrintAndLogEx(NORMAL, "       h          :  this help");
	PrintAndLogEx(NORMAL, "       s          :  silent (no messages)");
	PrintAndLogEx(NORMAL, "");
	PrintAndLogEx(NORMAL, "Examples:");
	PrintAndLogEx(NORMAL, "        sc info");
	return 0;
}

static int usage_sm_upgrade(void) {
	PrintAndLogEx(NORMAL, "Upgrade firmware");
	PrintAndLogEx(NORMAL, "Usage:  sc upgrade f <file name>");
	PrintAndLogEx(NORMAL, "       h               :  this help");
	PrintAndLogEx(NORMAL, "       f <filename>    :  firmware file name");
	PrintAndLogEx(NORMAL, "");
	PrintAndLogEx(NORMAL, "Examples:");
	PrintAndLogEx(NORMAL, "        sc upgrade f myfile");
	return 0;
}

static int usage_sm_setclock(void) {
	PrintAndLogEx(NORMAL, "Usage: sc setclock [h] c <clockspeed>");
	PrintAndLogEx(NORMAL, "       h          :  this help");
	PrintAndLogEx(NORMAL, "       c <>       :  clockspeed (0 = 16mhz, 1=8mhz, 2=4mhz) ");
	PrintAndLogEx(NORMAL, "");
	PrintAndLogEx(NORMAL, "Examples:");
	PrintAndLogEx(NORMAL, "        sc setclock c 2");
	return 0;
}

static int usage_sm_brute(void) {
	PrintAndLogEx(NORMAL, "Tries to bruteforce SFI, ");
	PrintAndLogEx(NORMAL, "Usage: sc brute [h]");
	PrintAndLogEx(NORMAL, "       h          :  this help");
	PrintAndLogEx(NORMAL, "");
	PrintAndLogEx(NORMAL, "Examples:");
	PrintAndLogEx(NORMAL, "        sc brute");
	return 0;
}

static bool smart_select(bool silent) {
	UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	UsbCommand resp;
	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
		if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
		return false;
	}

	uint8_t isok = resp.arg[0] & 0xFF;
	if (!isok) {
		if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
		return false;
	}

	if (!silent) {
		smart_card_atr_t card;
		memcpy(&card, (smart_card_atr_t *)resp.d.asBytes, sizeof(smart_card_atr_t));

		PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, card.atr_len));
	}

	return true;
}

static int smart_wait(uint8_t *data) {
	UsbCommand resp;
	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
		PrintAndLogEx(WARNING, "smart card response failed");
		return -1;
	}

	uint32_t len = resp.arg[0];
	if ( !len ) {
		PrintAndLogEx(WARNING, "smart card response failed");
		return -2;
	}
	memcpy(data, resp.d.asBytes, len);
	PrintAndLogEx(SUCCESS, " %d | %s", len, sprint_hex_inrow_ex(data,  len, 32));

	if (len >= 2) {
		PrintAndLogEx(SUCCESS, "%02X%02X | %s", data[len - 2], data[len - 1], GetAPDUCodeDescription(data[len - 2], data[len - 1]));
	}
	return len;
}

static int smart_response(uint8_t *data) {

	int len = -1;
	int datalen = smart_wait(data);

	if ( data[datalen - 2] == 0x61 || data[datalen - 2] == 0x9F ) {
		len = data[datalen - 1];
	}

	if (len == -1 ) {
		goto out;
	}

	PrintAndLogEx(INFO, "Requesting response. len=0x%x", len);
	uint8_t getstatus[] = {ISO7816_GETSTATUS, 0x00, 0x00, len};
	UsbCommand cStatus = {CMD_SMART_RAW, {SC_RAW, sizeof(getstatus), 0}};
	memcpy(cStatus.d.asBytes, getstatus, sizeof(getstatus) );
	clearCommandBuffer();
	SendCommand(&cStatus);

	datalen = smart_wait(data);
out:

	return datalen;
}

int CmdSmartRaw(const char *Cmd) {

	int hexlen = 0;
	bool active = false;
	bool active_select = false;
	uint8_t cmdp = 0;
	bool errors = false, reply = true, decodeTLV = false, breakloop = false;
	uint8_t data[USB_CMD_DATA_SIZE] = {0x00};

	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch (tolower(param_getchar(Cmd, cmdp))) {
		case 'h': return usage_sm_raw();
		case 'r':
			reply = false;
			cmdp++;
			break;
		case 'a':
			active = true;
			cmdp++;
			break;
		case 's':
			active_select = true;
			cmdp++;
			break;
		case 't':
			decodeTLV = true;
			cmdp++;
			break;
		case 'd': {
			switch (param_gethex_to_eol(Cmd, cmdp+1, data, sizeof(data), &hexlen)) {
			case 1:
				PrintAndLogEx(WARNING, "Invalid HEX value.");
				return 1;
			case 2:
				PrintAndLogEx(WARNING, "Too many bytes.  Max %d bytes", sizeof(data));
				return 1;
			case 3:
				PrintAndLogEx(WARNING, "Hex must have even number of digits.");
				return 1;
			}
			cmdp++;
			breakloop = true;
			break;
		}
		default:
			PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
			errors = true;
			break;
		}

		if ( breakloop )
			break;
	}

	//Validations
	if (errors || cmdp == 0 ) return usage_sm_raw();

	// arg0 = RFU flags
	// arg1 = length
	UsbCommand c = {CMD_SMART_RAW, {0, hexlen, 0}};

	if (active || active_select) {
        c.arg[0] |= SC_CONNECT;
        if (active_select)
            c.arg[0] |= SC_SELECT;
    }

	if (hexlen > 0) {
        c.arg[0] |= SC_RAW;
	}

	memcpy(c.d.asBytes, data, hexlen );
	clearCommandBuffer();
	SendCommand(&c);

	// reading response from smart card
	if ( reply ) {

		uint8_t* buf = calloc(USB_CMD_DATA_SIZE, sizeof(uint8_t));
		if ( !buf )
			return 1;

		int len = smart_response(buf);
		if ( len < 0 ) {
			free(buf);
			return 2;
		}

		if ( buf[0] == 0x6C ) {
			data[4]	= buf[1];

			memcpy(c.d.asBytes, data, sizeof(data) );
			clearCommandBuffer();
			SendCommand(&c);
			len = smart_response(buf);

			data[4] = 0;
		}

		if (decodeTLV && len > 4)
			TLVPrintFromBuffer(buf+1, len-3);

		free(buf);
	}
	return 0;
}

int ExchangeAPDUSC(uint8_t *datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
	*dataoutlen = 0;

	if (activateCard)
		smart_select(false);
	printf("* APDU SC\n");

	UsbCommand c = {CMD_SMART_RAW, {SC_RAW | SC_CONNECT, datainlen, 0}};
	if (activateCard) {
		c.arg[0] |= SC_SELECT;
	}
	memcpy(c.d.asBytes, datain, datainlen);
	clearCommandBuffer();
	SendCommand(&c);

	int len = smart_response(dataout);

	if ( len < 0 ) {
		return 2;
	}

	*dataoutlen = len;

	return 0;
}


int CmdSmartUpgrade(const char *Cmd) {

	PrintAndLogEx(WARNING, "WARNING - Smartcard socket firmware upgrade.");
	PrintAndLogEx(WARNING, "A dangerous command, do wrong and you will brick the smart card socket");

	FILE *f;
	char filename[FILE_PATH_SIZE] = {0};
	uint8_t cmdp = 0;
	bool errors = false;

	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch (tolower(param_getchar(Cmd, cmdp))) {
		case 'f':
			//File handling and reading
			if ( param_getstr(Cmd, cmdp+1, filename, FILE_PATH_SIZE) >= FILE_PATH_SIZE ) {
				PrintAndLogEx(FAILED, "Filename too long");
				errors = true;
				break;
			}
			cmdp += 2;
			break;
		case 'h':
			return usage_sm_upgrade();
		default:
			PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
			errors = true;
			break;
		}
	}

	//Validations
	if (errors || cmdp == 0 ) return usage_sm_upgrade();

	// load file
	f = fopen(filename, "rb");
	if ( !f ){
		PrintAndLogEx(FAILED, "File: %s: not found or locked.", filename);
		return 1;
	}

	// get filesize in order to malloc memory
	fseek(f, 0, SEEK_END);
	long fsize = ftell(f);
	fseek(f, 0, SEEK_SET);

	if (fsize < 0) 	{
		PrintAndLogEx(WARNING, "error, when getting filesize");
		fclose(f);
		return 1;
	}

	uint8_t *dump = calloc(fsize, sizeof(uint8_t));
	if (!dump) {
		PrintAndLogEx(WARNING, "error, cannot allocate memory ");
		fclose(f);
		return 1;
	}

	size_t bytes_read = fread(dump, 1, fsize, f);
	if (f)
		fclose(f);

	PrintAndLogEx(SUCCESS, "Smartcard socket firmware uploading to PM3");
	//Send to device
	uint32_t index = 0;
	uint32_t bytes_sent = 0;
	uint32_t bytes_remaining = bytes_read;

	while (bytes_remaining > 0){
		uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining);
		UsbCommand c = {CMD_SMART_UPLOAD, {index + bytes_sent, bytes_in_packet, 0}};

		// Fill usb bytes with 0xFF
		memset(c.d.asBytes, 0xFF, USB_CMD_DATA_SIZE);
		memcpy(c.d.asBytes, dump + bytes_sent, bytes_in_packet);
		clearCommandBuffer();
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000) ) {
			PrintAndLogEx(WARNING, "timeout while waiting for reply.");
			free(dump);
			return 1;
		}

		bytes_remaining -= bytes_in_packet;
		bytes_sent += bytes_in_packet;
		printf("."); fflush(stdout);
	}
	free(dump);
	printf("\n");
	PrintAndLogEx(SUCCESS, "Smartcard socket firmware updating,  don\'t turn off your PM3!");

	// trigger the firmware upgrade
	UsbCommand c = {CMD_SMART_UPGRADE, {bytes_read, 0, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	UsbCommand resp;
	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
		PrintAndLogEx(WARNING, "timeout while waiting for reply.");
		return 1;
	}
	if ( (resp.arg[0] & 0xFF ) )
		PrintAndLogEx(SUCCESS, "Smartcard socket firmware upgraded successful");
	else
		PrintAndLogEx(FAILED, "Smartcard socket firmware updating failed");
	return 0;
}

int CmdSmartInfo(const char *Cmd){
	uint8_t cmdp = 0;
	bool errors = false, silent = false;

	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch (tolower(param_getchar(Cmd, cmdp))) {
		case 'h': return usage_sm_info();
		case 's':
			silent = true;
			break;
		default:
			PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
			errors = true;
			break;
		}
		cmdp++;
	}

	//Validations
	if (errors ) return usage_sm_info();

	UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	UsbCommand resp;
	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
		if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
		return 1;
	}

	uint8_t isok = resp.arg[0] & 0xFF;
	if (!isok) {
		if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
		return 1;
	}

	smart_card_atr_t card;
	memcpy(&card, (smart_card_atr_t *)resp.d.asBytes, sizeof(smart_card_atr_t));

	// print header
	PrintAndLogEx(INFO, "\n--- Smartcard Information ---------");
	PrintAndLogEx(INFO, "-------------------------------------------------------------");
	PrintAndLogEx(INFO, "ISO76183 ATR : %s", sprint_hex(card.atr, card.atr_len));
	PrintAndLogEx(INFO, "look up ATR");
	PrintAndLogEx(INFO, "http://smartcard-atr.appspot.com/parse?ATR=%s", sprint_hex_inrow(card.atr, card.atr_len) );
	return 0;
}

int CmdSmartReader(const char *Cmd){
	uint8_t cmdp = 0;
	bool errors = false, silent = false;

	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch (tolower(param_getchar(Cmd, cmdp))) {
		case 'h': return usage_sm_reader();
		case 's':
			silent = true;
			break;
		default:
			PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
			errors = true;
			break;
		}
		cmdp++;
	}

	//Validations
	if (errors ) return usage_sm_reader();

	UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	UsbCommand resp;
	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
		if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
		return 1;
	}

	uint8_t isok = resp.arg[0] & 0xFF;
	if (!isok) {
		if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
		return 1;
	}
	smart_card_atr_t card;
	memcpy(&card, (smart_card_atr_t *)resp.d.asBytes, sizeof(smart_card_atr_t));

	PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, card.atr_len));
	return 0;
}

int CmdSmartSetClock(const char *Cmd){
	uint8_t cmdp = 0;
	bool errors = false;
	uint8_t clock = 0;
	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch (tolower(param_getchar(Cmd, cmdp))) {
		case 'h': return usage_sm_setclock();
		case 'c':
			clock = param_get8ex(Cmd, cmdp+1, 2, 10);
			if ( clock > 2)
				errors = true;

			cmdp += 2;
			break;
		default:
			PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
			errors = true;
			break;
		}
	}

	//Validations
	if (errors || cmdp == 0) return usage_sm_setclock();

	UsbCommand c = {CMD_SMART_SETCLOCK, {clock, 0, 0}};
	clearCommandBuffer();
	SendCommand(&c);
	UsbCommand resp;
	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
		PrintAndLogEx(WARNING, "smart card select failed");
		return 1;
	}

	uint8_t isok = resp.arg[0] & 0xFF;
	if (!isok) {
		PrintAndLogEx(WARNING, "smart card set clock failed");
		return 1;
	}

	switch (clock) {
		case 0:
			PrintAndLogEx(SUCCESS, "Clock changed to 16mhz giving 10800 baudrate");
			break;
		case 1:
			PrintAndLogEx(SUCCESS, "Clock changed to 8mhz giving 21600 baudrate");
			break;
		case 2:
			PrintAndLogEx(SUCCESS, "Clock changed to 4mhz giving 86400 baudrate");
			break;
		default:
			break;
	}
	return 0;
}

int CmdSmartList(const char *Cmd) {
	CmdHFList("7816");
	return 0;
}

int CmdSmartBruteforceSFI(const char *Cmd) {

	char ctmp = tolower(param_getchar(Cmd, 0));
	if (ctmp == 'h') return usage_sm_brute();

	uint8_t data[5] = {0x00, 0xB2, 0x00, 0x00, 0x00};

	PrintAndLogEx(INFO, "Selecting card");
	if ( !smart_select(false) ) {
		return 1;
	}

	PrintAndLogEx(INFO, "Selecting PPSE aid");
	CmdSmartRaw("d 00a404000e325041592e5359532e444446303100");
	CmdSmartRaw("d 00a4040007a000000004101000");

	PrintAndLogEx(INFO, "starting");

	UsbCommand c = {CMD_SMART_RAW, {SC_RAW, sizeof(data), 0}};
	uint8_t* buf = malloc(USB_CMD_DATA_SIZE);
	if ( !buf )
		return 1;

	for (uint8_t i=1; i < 4; i++) {
		for (int p1=1; p1 < 5; p1++) {

			data[2] = p1;
			data[3] = (i << 3) + 4;

			memcpy(c.d.asBytes, data, sizeof(data) );
			clearCommandBuffer();
			SendCommand(&c);

			smart_response(buf);

			// if 0x6C
			if ( buf[0] == 0x6C ) {
				data[4]	= buf[1];

				memcpy(c.d.asBytes, data, sizeof(data) );
				clearCommandBuffer();
				SendCommand(&c);
				uint8_t len = smart_response(buf);

				// TLV decoder
				if (len > 4)
					TLVPrintFromBuffer(buf+1, len-3);

				data[4] = 0;
			}
			memset(buf, 0x00, USB_CMD_DATA_SIZE);
		}
	}
	free(buf);
	return 0;
}

static command_t CommandTable[] = {
	{"help",	CmdHelp,            1, "This help"},
	{"list",	CmdSmartList,       0, "List ISO 7816 history"},
	{"info",	CmdSmartInfo,		1, "Tag information"},
	{"reader",	CmdSmartReader,		1, "Act like an IS07816 reader"},
	{"raw",		CmdSmartRaw,		1, "Send raw hex data to tag"},
	{"upgrade",	CmdSmartUpgrade,	1, "Upgrade firmware"},
	{"setclock", CmdSmartSetClock,	1, "Set clock speed"},
	{"brute", 	CmdSmartBruteforceSFI, 1, "Bruteforce SFI"},
	{NULL, NULL, 0, NULL}
};

int CmdSmartcard(const char *Cmd) {
	clearCommandBuffer();
	CmdsParse(CommandTable, Cmd);
	return 0;
}

int CmdHelp(const char *Cmd) {
	CmdsHelp(CommandTable);
	return 0;
}
Commit	Line	Data
43591e64	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2018 iceman
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// Proxmark3 RDV40 Smartcard module commands
	9	//-----------------------------------------------------------------------------
	10	#include "cmdsmartcard.h"
8d7d7b61	11
	12	#include <ctype.h>
	13
	14	#include "ui.h"
	15	#include "cmdparser.h"
	16	#include "util.h"
43591e64	17	#include "smartcard.h"
	18	#include "comms.h"
	19	#include "protocols.h"
8d7d7b61	20	#include "cmdhf.h" // CmdHFlist
	21	#include "emv/apduinfo.h" // APDUcode description
	22	#include "emv/emvcore.h" // decodeTVL
43591e64	23
	24
	25	static int CmdHelp(const char *Cmd);
	26
8d7d7b61	27	static int usage_sm_raw(void) {
	28	PrintAndLogEx(NORMAL, "Usage: sc raw [h\|r\|c] d <0A 0B 0C ... hex>");
	29	PrintAndLogEx(NORMAL, " h : this help");
	30	PrintAndLogEx(NORMAL, " r : do not read response");
	31	PrintAndLogEx(NORMAL, " a : active smartcard without select");
	32	PrintAndLogEx(NORMAL, " s : active smartcard with select");
	33	PrintAndLogEx(NORMAL, " t : executes TLV decoder if it possible");
	34	PrintAndLogEx(NORMAL, " d <bytes> : bytes to send");
	35	PrintAndLogEx(NORMAL, "");
	36	PrintAndLogEx(NORMAL, "Examples:");
	37	PrintAndLogEx(NORMAL, " sc raw d 00a404000e315041592e5359532e444446303100 - `1PAY.SYS.DDF01` PPSE directory");
	38	PrintAndLogEx(NORMAL, " sc raw d 00a404000e325041592e5359532e444446303100 - `2PAY.SYS.DDF01` PPSE directory");
43591e64	39	return 0;
43591e64	40	}
8d7d7b61	41
	42	static int usage_sm_reader(void) {
	43	PrintAndLogEx(NORMAL, "Usage: sc reader [h\|s]");
	44	PrintAndLogEx(NORMAL, " h : this help");
	45	PrintAndLogEx(NORMAL, " s : silent (no messages)");
	46	PrintAndLogEx(NORMAL, "");
	47	PrintAndLogEx(NORMAL, "Examples:");
	48	PrintAndLogEx(NORMAL, " sc reader");
43591e64	49	return 0;
43591e64	50	}
8d7d7b61	51
	52	static int usage_sm_info(void) {
	53	PrintAndLogEx(NORMAL, "Usage: s info [h\|s]");
	54	PrintAndLogEx(NORMAL, " h : this help");
	55	PrintAndLogEx(NORMAL, " s : silent (no messages)");
	56	PrintAndLogEx(NORMAL, "");
	57	PrintAndLogEx(NORMAL, "Examples:");
	58	PrintAndLogEx(NORMAL, " sc info");
43591e64	59	return 0;
43591e64	60	}
8d7d7b61	61
	62	static int usage_sm_upgrade(void) {
	63	PrintAndLogEx(NORMAL, "Upgrade firmware");
	64	PrintAndLogEx(NORMAL, "Usage: sc upgrade f <file name>");
	65	PrintAndLogEx(NORMAL, " h : this help");
	66	PrintAndLogEx(NORMAL, " f <filename> : firmware file name");
	67	PrintAndLogEx(NORMAL, "");
	68	PrintAndLogEx(NORMAL, "Examples:");
	69	PrintAndLogEx(NORMAL, " sc upgrade f myfile");
43591e64	70	return 0;
43591e64	71	}
8d7d7b61	72
	73	static int usage_sm_setclock(void) {
	74	PrintAndLogEx(NORMAL, "Usage: sc setclock [h] c <clockspeed>");
	75	PrintAndLogEx(NORMAL, " h : this help");
	76	PrintAndLogEx(NORMAL, " c <> : clockspeed (0 = 16mhz, 1=8mhz, 2=4mhz) ");
	77	PrintAndLogEx(NORMAL, "");
	78	PrintAndLogEx(NORMAL, "Examples:");
	79	PrintAndLogEx(NORMAL, " sc setclock c 2");
43591e64	80	return 0;
	81	}
	82
8d7d7b61	83	static int usage_sm_brute(void) {
	84	PrintAndLogEx(NORMAL, "Tries to bruteforce SFI, ");
	85	PrintAndLogEx(NORMAL, "Usage: sc brute [h]");
	86	PrintAndLogEx(NORMAL, " h : this help");
	87	PrintAndLogEx(NORMAL, "");
	88	PrintAndLogEx(NORMAL, "Examples:");
	89	PrintAndLogEx(NORMAL, " sc brute");
	90	return 0;
	91	}
	92
	93	static bool smart_select(bool silent) {
	94	UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
	95	clearCommandBuffer();
	96	SendCommand(&c);
	97	UsbCommand resp;
	98	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
	99	if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
	100	return false;
	101	}
	102
	103	uint8_t isok = resp.arg[0] & 0xFF;
	104	if (!isok) {
	105	if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
	106	return false;
	107	}
	108
	109	if (!silent) {
	110	smart_card_atr_t card;
	111	memcpy(&card, (smart_card_atr_t *)resp.d.asBytes, sizeof(smart_card_atr_t));
	112
	113	PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, card.atr_len));
	114	}
	115
	116	return true;
	117	}
	118
	119	static int smart_wait(uint8_t *data) {
	120	UsbCommand resp;
	121	if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
	122	PrintAndLogEx(WARNING, "smart card response failed");
	123	return -1;
	124	}
	125
	126	uint32_t len = resp.arg[0];
	127	if ( !len ) {
	128	PrintAndLogEx(WARNING, "smart card response failed");
	129	return -2;
	130	}
	131	memcpy(data, resp.d.asBytes, len);
	132	PrintAndLogEx(SUCCESS, " %d \| %s", len, sprint_hex_inrow_ex(data, len, 32));
	133
	134	if (len >= 2) {
	135	PrintAndLogEx(SUCCESS, "%02X%02X \| %s", data[len - 2], data[len - 1], GetAPDUCodeDescription(data[len - 2], data[len - 1]));
	136	}
	137	return len;
	138	}
	139
	140	static int smart_response(uint8_t *data) {
	141
	142	int len = -1;
	143	int datalen = smart_wait(data);
	144
	145	if ( data[datalen - 2] == 0x61 \|\| data[datalen - 2] == 0x9F ) {
	146	len = data[datalen - 1];
147	}
148
149	if (len == -1 ) {
150	goto out;
151	}
152
153	PrintAndLogEx(INFO, "Requesting response. len=0x%x", len);
154	uint8_t getstatus[] = {ISO7816_GETSTATUS, 0x00, 0x00, len};
155	UsbCommand cStatus = {CMD_SMART_RAW, {SC_RAW, sizeof(getstatus), 0}};
156	memcpy(cStatus.d.asBytes, getstatus, sizeof(getstatus) );
157	clearCommandBuffer();
158	SendCommand(&cStatus);
159
160	datalen = smart_wait(data);
161	out:
162
163	return datalen;
164	}
165
43591e64	166	int CmdSmartRaw(const char *Cmd) {
	167
	168	int hexlen = 0;
	169	bool active = false;
	170	bool active_select = false;
	171	uint8_t cmdp = 0;
	172	bool errors = false, reply = true, decodeTLV = false, breakloop = false;
	173	uint8_t data[USB_CMD_DATA_SIZE] = {0x00};
	174
	175	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
	176	switch (tolower(param_getchar(Cmd, cmdp))) {
	177	case 'h': return usage_sm_raw();
	178	case 'r':
	179	reply = false;
	180	cmdp++;
	181	break;
	182	case 'a':
	183	active = true;
	184	cmdp++;
	185	break;
	186	case 's':
	187	active_select = true;
	188	cmdp++;
	189	break;
	190	case 't':
	191	decodeTLV = true;
	192	cmdp++;
	193	break;
	194	case 'd': {
	195	switch (param_gethex_to_eol(Cmd, cmdp+1, data, sizeof(data), &hexlen)) {
	196	case 1:
8d7d7b61	197	PrintAndLogEx(WARNING, "Invalid HEX value.");
43591e64	198	return 1;
43591e64	199	case 2:
8d7d7b61	200	PrintAndLogEx(WARNING, "Too many bytes. Max %d bytes", sizeof(data));
43591e64	201	return 1;
43591e64	202	case 3:
8d7d7b61	203	PrintAndLogEx(WARNING, "Hex must have even number of digits.");
43591e64	204	return 1;
	205	}
	206	cmdp++;
	207	breakloop = true;
	208	break;
	209	}
	210	default:
8d7d7b61	211	PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
43591e64	212	errors = true;
	213	break;
	214	}
	215
	216	if ( breakloop )
	217	break;
	218	}
	219
	220	//Validations
	221	if (errors \|\| cmdp == 0 ) return usage_sm_raw();
	222
	223	// arg0 = RFU flags
	224	// arg1 = length
	225	UsbCommand c = {CMD_SMART_RAW, {0, hexlen, 0}};
	226
	227	if (active \|\| active_select) {
8d7d7b61	228	c.arg[0] \|= SC_CONNECT;
	229	if (active_select)
	230	c.arg[0] \|= SC_SELECT;
	231	}
43591e64	232
43591e64	233	if (hexlen > 0) {
8d7d7b61	234	c.arg[0] \|= SC_RAW;
43591e64	235	}
	236
	237	memcpy(c.d.asBytes, data, hexlen );
	238	clearCommandBuffer();
	239	SendCommand(&c);
	240
	241	// reading response from smart card
	242	if ( reply ) {
8d7d7b61	243
	244	uint8_t* buf = calloc(USB_CMD_DATA_SIZE, sizeof(uint8_t));
	245	if ( !buf )
43591e64	246	return 1;
8d7d7b61	247
	248	int len = smart_response(buf);
	249	if ( len < 0 ) {
	250	free(buf);
	251	return 2;
43591e64	252	}
43591e64	253
8d7d7b61	254	if ( buf[0] == 0x6C ) {
	255	data[4] = buf[1];
	256
	257	memcpy(c.d.asBytes, data, sizeof(data) );
	258	clearCommandBuffer();
	259	SendCommand(&c);
	260	len = smart_response(buf);
	261
	262	data[4] = 0;
43591e64	263	}
43591e64	264
8d7d7b61	265	if (decodeTLV && len > 4)
8d7d7b61	266	TLVPrintFromBuffer(buf+1, len-3);
43591e64	267
8d7d7b61	268	free(buf);
	269	}
	270	return 0;
	271	}
43591e64	272
8d7d7b61	273	int ExchangeAPDUSC(uint8_t datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t dataout, int maxdataoutlen, int *dataoutlen) {
8d7d7b61	274	*dataoutlen = 0;
43591e64	275
8d7d7b61	276	if (activateCard)
	277	smart_select(false);
	278	printf("* APDU SC\n");
43591e64	279
8d7d7b61	280	UsbCommand c = {CMD_SMART_RAW, {SC_RAW \| SC_CONNECT, datainlen, 0}};
	281	if (activateCard) {
	282	c.arg[0] \|= SC_SELECT;
43591e64	283	}
8d7d7b61	284	memcpy(c.d.asBytes, datain, datainlen);
	285	clearCommandBuffer();
	286	SendCommand(&c);
	287
	288	int len = smart_response(dataout);
	289
	290	if ( len < 0 ) {
	291	return 2;
	292	}
	293
	294	*dataoutlen = len;
	295
43591e64	296	return 0;
	297	}
	298
8d7d7b61	299
43591e64	300	int CmdSmartUpgrade(const char *Cmd) {
43591e64	301
8d7d7b61	302	PrintAndLogEx(WARNING, "WARNING - Smartcard socket firmware upgrade.");
8d7d7b61	303	PrintAndLogEx(WARNING, "A dangerous command, do wrong and you will brick the smart card socket");
43591e64	304
	305	FILE *f;
	306	char filename[FILE_PATH_SIZE] = {0};
	307	uint8_t cmdp = 0;
	308	bool errors = false;
	309
	310	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
	311	switch (tolower(param_getchar(Cmd, cmdp))) {
	312	case 'f':
	313	//File handling and reading
	314	if ( param_getstr(Cmd, cmdp+1, filename, FILE_PATH_SIZE) >= FILE_PATH_SIZE ) {
8d7d7b61	315	PrintAndLogEx(FAILED, "Filename too long");
43591e64	316	errors = true;
	317	break;
	318	}
	319	cmdp += 2;
	320	break;
	321	case 'h':
	322	return usage_sm_upgrade();
	323	default:
8d7d7b61	324	PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
43591e64	325	errors = true;
	326	break;
	327	}
	328	}
	329
	330	//Validations
	331	if (errors \|\| cmdp == 0 ) return usage_sm_upgrade();
	332
	333	// load file
	334	f = fopen(filename, "rb");
8d7d7b61	335	if ( !f ){
8d7d7b61	336	PrintAndLogEx(FAILED, "File: %s: not found or locked.", filename);
43591e64	337	return 1;
	338	}
	339
	340	// get filesize in order to malloc memory
	341	fseek(f, 0, SEEK_END);
	342	long fsize = ftell(f);
	343	fseek(f, 0, SEEK_SET);
	344
8d7d7b61	345	if (fsize < 0) {
8d7d7b61	346	PrintAndLogEx(WARNING, "error, when getting filesize");
43591e64	347	fclose(f);
	348	return 1;
	349	}
8d7d7b61	350
43591e64	351	uint8_t *dump = calloc(fsize, sizeof(uint8_t));
43591e64	352	if (!dump) {
8d7d7b61	353	PrintAndLogEx(WARNING, "error, cannot allocate memory ");
43591e64	354	fclose(f);
	355	return 1;
	356	}
	357
	358	size_t bytes_read = fread(dump, 1, fsize, f);
	359	if (f)
	360	fclose(f);
	361
8d7d7b61	362	PrintAndLogEx(SUCCESS, "Smartcard socket firmware uploading to PM3");
43591e64	363	//Send to device
	364	uint32_t index = 0;
	365	uint32_t bytes_sent = 0;
	366	uint32_t bytes_remaining = bytes_read;
	367
	368	while (bytes_remaining > 0){
	369	uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining);
	370	UsbCommand c = {CMD_SMART_UPLOAD, {index + bytes_sent, bytes_in_packet, 0}};
	371
	372	// Fill usb bytes with 0xFF
	373	memset(c.d.asBytes, 0xFF, USB_CMD_DATA_SIZE);
	374	memcpy(c.d.asBytes, dump + bytes_sent, bytes_in_packet);
	375	clearCommandBuffer();
	376	SendCommand(&c);
	377	if ( !WaitForResponseTimeout(CMD_ACK, NULL, 2000) ) {
8d7d7b61	378	PrintAndLogEx(WARNING, "timeout while waiting for reply.");
43591e64	379	free(dump);
	380	return 1;
	381	}
	382
	383	bytes_remaining -= bytes_in_packet;
	384	bytes_sent += bytes_in_packet;
	385	printf("."); fflush(stdout);
	386	}
	387	free(dump);
	388	printf("\n");
8d7d7b61	389	PrintAndLogEx(SUCCESS, "Smartcard socket firmware updating, don\'t turn off your PM3!");
43591e64	390
	391	// trigger the firmware upgrade
	392	UsbCommand c = {CMD_SMART_UPGRADE, {bytes_read, 0, 0}};
	393	clearCommandBuffer();
	394	SendCommand(&c);
	395	UsbCommand resp;
	396	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
8d7d7b61	397	PrintAndLogEx(WARNING, "timeout while waiting for reply.");
43591e64	398	return 1;
43591e64	399	}
8d7d7b61	400	if ( (resp.arg[0] & 0xFF ) )
8d7d7b61	401	PrintAndLogEx(SUCCESS, "Smartcard socket firmware upgraded successful");
43591e64	402	else
8d7d7b61	403	PrintAndLogEx(FAILED, "Smartcard socket firmware updating failed");
43591e64	404	return 0;
	405	}
	406
	407	int CmdSmartInfo(const char *Cmd){
	408	uint8_t cmdp = 0;
	409	bool errors = false, silent = false;
	410
	411	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
	412	switch (tolower(param_getchar(Cmd, cmdp))) {
	413	case 'h': return usage_sm_info();
8d7d7b61	414	case 's':
43591e64	415	silent = true;
	416	break;
	417	default:
8d7d7b61	418	PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
43591e64	419	errors = true;
	420	break;
	421	}
	422	cmdp++;
	423	}
	424
	425	//Validations
	426	if (errors ) return usage_sm_info();
	427
	428	UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
	429	clearCommandBuffer();
	430	SendCommand(&c);
	431	UsbCommand resp;
	432	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
8d7d7b61	433	if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
43591e64	434	return 1;
	435	}
	436
	437	uint8_t isok = resp.arg[0] & 0xFF;
	438	if (!isok) {
8d7d7b61	439	if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
43591e64	440	return 1;
	441	}
	442
	443	smart_card_atr_t card;
	444	memcpy(&card, (smart_card_atr_t *)resp.d.asBytes, sizeof(smart_card_atr_t));
	445
	446	// print header
8d7d7b61	447	PrintAndLogEx(INFO, "\n--- Smartcard Information ---------");
	448	PrintAndLogEx(INFO, "-------------------------------------------------------------");
	449	PrintAndLogEx(INFO, "ISO76183 ATR : %s", sprint_hex(card.atr, card.atr_len));
	450	PrintAndLogEx(INFO, "look up ATR");
	451	PrintAndLogEx(INFO, "http://smartcard-atr.appspot.com/parse?ATR=%s", sprint_hex_inrow(card.atr, card.atr_len) );
43591e64	452	return 0;
	453	}
	454
	455	int CmdSmartReader(const char *Cmd){
	456	uint8_t cmdp = 0;
	457	bool errors = false, silent = false;
	458
	459	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
	460	switch (tolower(param_getchar(Cmd, cmdp))) {
	461	case 'h': return usage_sm_reader();
8d7d7b61	462	case 's':
43591e64	463	silent = true;
	464	break;
	465	default:
8d7d7b61	466	PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
43591e64	467	errors = true;
	468	break;
	469	}
	470	cmdp++;
	471	}
	472
	473	//Validations
	474	if (errors ) return usage_sm_reader();
	475
	476	UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
	477	clearCommandBuffer();
	478	SendCommand(&c);
	479	UsbCommand resp;
	480	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
8d7d7b61	481	if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
43591e64	482	return 1;
	483	}
	484
	485	uint8_t isok = resp.arg[0] & 0xFF;
	486	if (!isok) {
8d7d7b61	487	if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
43591e64	488	return 1;
	489	}
	490	smart_card_atr_t card;
	491	memcpy(&card, (smart_card_atr_t *)resp.d.asBytes, sizeof(smart_card_atr_t));
8d7d7b61	492
8d7d7b61	493	PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, card.atr_len));
43591e64	494	return 0;
	495	}
	496
	497	int CmdSmartSetClock(const char *Cmd){
	498	uint8_t cmdp = 0;
	499	bool errors = false;
	500	uint8_t clock = 0;
	501	while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
	502	switch (tolower(param_getchar(Cmd, cmdp))) {
	503	case 'h': return usage_sm_setclock();
8d7d7b61	504	case 'c':
43591e64	505	clock = param_get8ex(Cmd, cmdp+1, 2, 10);
	506	if ( clock > 2)
	507	errors = true;
8d7d7b61	508
43591e64	509	cmdp += 2;
	510	break;
	511	default:
8d7d7b61	512	PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
43591e64	513	errors = true;
	514	break;
	515	}
	516	}
	517
	518	//Validations
	519	if (errors \|\| cmdp == 0) return usage_sm_setclock();
	520
	521	UsbCommand c = {CMD_SMART_SETCLOCK, {clock, 0, 0}};
	522	clearCommandBuffer();
	523	SendCommand(&c);
	524	UsbCommand resp;
	525	if ( !WaitForResponseTimeout(CMD_ACK, &resp, 2500) ) {
8d7d7b61	526	PrintAndLogEx(WARNING, "smart card select failed");
43591e64	527	return 1;
	528	}
	529
	530	uint8_t isok = resp.arg[0] & 0xFF;
	531	if (!isok) {
8d7d7b61	532	PrintAndLogEx(WARNING, "smart card set clock failed");
43591e64	533	return 1;
	534	}
	535
	536	switch (clock) {
	537	case 0:
8d7d7b61	538	PrintAndLogEx(SUCCESS, "Clock changed to 16mhz giving 10800 baudrate");
43591e64	539	break;
43591e64	540	case 1:
8d7d7b61	541	PrintAndLogEx(SUCCESS, "Clock changed to 8mhz giving 21600 baudrate");
43591e64	542	break;
43591e64	543	case 2:
8d7d7b61	544	PrintAndLogEx(SUCCESS, "Clock changed to 4mhz giving 86400 baudrate");
43591e64	545	break;
	546	default:
	547	break;
	548	}
	549	return 0;
	550	}
	551
8d7d7b61	552	int CmdSmartList(const char *Cmd) {
	553	CmdHFList("7816");
	554	return 0;
43591e64	555	}
43591e64	556
8d7d7b61	557	int CmdSmartBruteforceSFI(const char *Cmd) {
43591e64	558
8d7d7b61	559	char ctmp = tolower(param_getchar(Cmd, 0));
8d7d7b61	560	if (ctmp == 'h') return usage_sm_brute();
43591e64	561
8d7d7b61	562	uint8_t data[5] = {0x00, 0xB2, 0x00, 0x00, 0x00};
43591e64	563
8d7d7b61	564	PrintAndLogEx(INFO, "Selecting card");
	565	if ( !smart_select(false) ) {
	566	return 1;
43591e64	567	}
43591e64	568
8d7d7b61	569	PrintAndLogEx(INFO, "Selecting PPSE aid");
	570	CmdSmartRaw("d 00a404000e325041592e5359532e444446303100");
	571	CmdSmartRaw("d 00a4040007a000000004101000");
43591e64	572
8d7d7b61	573	PrintAndLogEx(INFO, "starting");
43591e64	574
8d7d7b61	575	UsbCommand c = {CMD_SMART_RAW, {SC_RAW, sizeof(data), 0}};
	576	uint8_t* buf = malloc(USB_CMD_DATA_SIZE);
	577	if ( !buf )
	578	return 1;
43591e64	579
8d7d7b61	580	for (uint8_t i=1; i < 4; i++) {
8d7d7b61	581	for (int p1=1; p1 < 5; p1++) {
43591e64	582
8d7d7b61	583	data[2] = p1;
8d7d7b61	584	data[3] = (i << 3) + 4;
43591e64	585
8d7d7b61	586	memcpy(c.d.asBytes, data, sizeof(data) );
	587	clearCommandBuffer();
	588	SendCommand(&c);
43591e64	589
8d7d7b61	590	smart_response(buf);
43591e64	591
8d7d7b61	592	// if 0x6C
	593	if ( buf[0] == 0x6C ) {
	594	data[4] = buf[1];
43591e64	595
8d7d7b61	596	memcpy(c.d.asBytes, data, sizeof(data) );
	597	clearCommandBuffer();
	598	SendCommand(&c);
	599	uint8_t len = smart_response(buf);
43591e64	600
8d7d7b61	601	// TLV decoder
	602	if (len > 4)
	603	TLVPrintFromBuffer(buf+1, len-3);
43591e64	604
8d7d7b61	605	data[4] = 0;
43591e64	606	}
8d7d7b61	607	memset(buf, 0x00, USB_CMD_DATA_SIZE);
43591e64	608	}
43591e64	609	}
8d7d7b61	610	free(buf);
43591e64	611	return 0;
	612	}
	613
	614	static command_t CommandTable[] = {
8d7d7b61	615	{"help", CmdHelp, 1, "This help"},
	616	{"list", CmdSmartList, 0, "List ISO 7816 history"},
	617	{"info", CmdSmartInfo, 1, "Tag information"},
	618	{"reader", CmdSmartReader, 1, "Act like an IS07816 reader"},
	619	{"raw", CmdSmartRaw, 1, "Send raw hex data to tag"},
	620	{"upgrade", CmdSmartUpgrade, 1, "Upgrade firmware"},
	621	{"setclock", CmdSmartSetClock, 1, "Set clock speed"},
	622	{"brute", CmdSmartBruteforceSFI, 1, "Bruteforce SFI"},
43591e64	623	{NULL, NULL, 0, NULL}
	624	};
	625
	626	int CmdSmartcard(const char *Cmd) {
	627	clearCommandBuffer();
	628	CmdsParse(CommandTable, Cmd);
	629	return 0;
	630	}
	631
	632	int CmdHelp(const char *Cmd) {
	633	CmdsHelp(CommandTable);
	634	return 0;
	635	}