]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaredesfire.c
14c6aa349910e69109467c5394f747b815b4f80f
[proxmark3-svn] / armsrc / mifaredesfire.c
1 #include "mifaredesfire.h"
2
3 #define MAX_APPLICATION_COUNT 28
4 #define MAX_FILE_COUNT 16
5 #define MAX_FRAME_SIZE 60
6 #define NOT_YET_AUTHENTICATED 255
7 #define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5)
8
9 //static uint8_t __msg[MAX_FRAME_SIZE] = { 0x0A, 0x00, 0x00, /* ..., */ 0x00 };
10 /* PCB CID CMD PAYLOAD */
11 //static uint8_t __res[MAX_FRAME_SIZE];
12
13 void MifareDesfireGetInformation(){
14
15
16 uint8_t len = 0;
17 uint8_t resp[RECV_RES_SIZE];
18 uint8_t dataout[RECV_CMD_SIZE];
19 byte_t buf[RECV_RES_SIZE];
20
21 memset(resp,0,sizeof(resp));
22 memset(dataout,0, sizeof(dataout));
23 memset(buf,0,sizeof(buf));
24
25 /*
26 1 = PCB 1
27 2 = cid 2
28 3 = desfire command 3
29 4-5 = crc 4 key
30 5-6 crc
31
32 PCB == 0x0A because sending CID byte.
33 CID == 0x00 first card?
34
35 */
36 uint8_t cmd1[] = {0x0a,0x00,GET_VERSION, 0x00, 0x00 };
37 uint8_t cmd2[] = {0x0a,0x00,GET_KEY_VERSION, 0x00, 0x00, 0x00 };
38
39 iso14a_clear_trace();
40 iso14a_set_tracing(TRUE);
41 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
42
43 // card select - information
44 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
45 byte_t isOK = iso14443a_select_card(NULL, card, NULL);
46 if (isOK != 1) {
47 if (MF_DBGLEVEL >= 1) {
48 Dbprintf("Can't select card");
49 }
50 OnError();
51 return;
52 }
53
54
55 memcpy(dataout,card->uid,7);
56
57 LED_A_ON();
58 LED_B_OFF();
59 LED_C_OFF();
60
61 // GET INFORMATION
62 AppendCrc14443a(cmd1, 3);
63 ReaderTransmit(cmd1, sizeof(cmd1), NULL);
64 len = ReaderReceive(resp);
65 if ( resp[2] != ADDITIONAL_FRAME) {
66 print_result("ERROR <--: ", resp, len);
67 OnError();
68 return;
69 }
70
71 memcpy(dataout+7,resp+3,7);
72
73 // ADDITION_FRAME 1
74 ++cmd1[0];
75 cmd1[2] = ADDITIONAL_FRAME;
76 AppendCrc14443a(cmd1, 3);
77 ReaderTransmit(cmd1, sizeof(cmd1), NULL);
78 len = ReaderReceive(resp);
79
80 if ( resp[2] != ADDITIONAL_FRAME) {
81 print_result("ERROR <--: ", resp, len);
82 OnError();
83 return;
84 }
85 memcpy(dataout+7+7,resp+3,7);
86
87 // ADDITION_FRAME 2
88 --cmd1[0];
89 AppendCrc14443a(cmd1, 3);
90 ReaderTransmit(cmd1, sizeof(cmd1), NULL);
91 len = ReaderReceive(resp);
92 if ( resp[2] != OPERATION_OK) {
93 print_result("ERROR <--: ", resp, len);
94 OnError();
95 return;
96 }
97
98 memcpy(dataout+7+7+7,resp+3,14);
99
100 // GET MASTER KEYSETTINGS
101 cmd1[2] = GET_KEY_SETTINGS;
102 AppendCrc14443a(cmd1, 3);
103 ReaderTransmit(cmd1, sizeof(cmd1), NULL);
104 len = ReaderReceive(resp);
105 if (len){
106 memcpy(dataout+7+7+7+14,resp+3,2);
107 }
108
109
110 // GET MASTER KEY VERSION
111 AppendCrc14443a(cmd2, 4);
112 ReaderTransmit(cmd2, sizeof(cmd2), NULL);
113 len = ReaderReceive(resp);
114 if (len){
115 memcpy(dataout+7+7+7+14+2,resp+3,1);
116 }
117
118 // GET FREE MEMORY
119 cmd1[2] = GET_FREE_MEMORY;
120 AppendCrc14443a(cmd1, 3);
121 ReaderTransmit(cmd1, sizeof(cmd1), NULL);
122 len = ReaderReceive(resp);
123 if (len){
124 memcpy(dataout+7+7+7+14+2+1,resp+3,3);
125 }
126
127 cmd_send(CMD_ACK,1,0,0,dataout,sizeof(dataout));
128 OnSuccess();
129 }
130
131 void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain){
132
133 uint8_t null_key_data[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
134 //uint8_t new_key_data[8] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
135 int res = 0;
136
137 desfirekey_t default_key = Desfire_des_key_new_with_version (null_key_data);
138
139 // res = Desfire_select_application (tags[i], aid);
140 if (res < 0) {
141 print_result("default key: ", default_key->data, 24 );
142 return;
143 }
144
145 return;
146 // pcb cid cmd key crc1 cr2
147 //uint8_t cmd2[] = {0x02,0x00,GET_KEY_VERSION, 0x00, 0x00, 0x00 };
148
149 //uint8_t* bigbuffer = mifare_get_bigbufptr();
150 byte_t isOK = 1;
151 uint8_t resp[256];
152 uint8_t key[24];
153 uint8_t IV[16];
154
155 // första byten håller keylength.
156 uint8_t keylen = datain[0];
157 memcpy(key, datain+1, keylen);
158
159 if (MF_DBGLEVEL >= 1) {
160
161 Dbprintf("MODE: %d", mode);
162 Dbprintf("ALGO: %d", algo);
163 Dbprintf("KEYNO: %d", keyno);
164 Dbprintf("KEYLEN: %d", keylen);
165
166 print_result("KEY", key, keylen);
167 }
168
169 // card select - information
170 byte_t buf[USB_CMD_DATA_SIZE];
171 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
172
173 // test of DES on ARM side.
174 /*
175 if ( mode == 1){
176 uint8_t IV[8];
177 uint8_t plain[16];
178 uint8_t encData[16];
179
180 uint8_t tmpData[8];
181 uint8_t tmpPlain[8];
182
183 memset(IV, 0, 8);
184 memset(tmpData, 0 ,8);
185 memset(tmpPlain,0 ,8);
186 memcpy(key, datain, 8);
187 memcpy(plain, datain+30, 16);
188
189 for(uint8_t i=0; i< sizeof(plain); i=i+8 ){
190
191 memcpy(tmpPlain, plain+i, 8);
192 des_enc( &tmpData, &tmpPlain, &key);
193 memcpy(encData+i, tmpData, 8);
194 }
195 }
196 */
197
198 iso14a_clear_trace();
199
200 iso14a_set_tracing(TRUE);
201
202 // power up the field
203 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
204
205 // select the card
206 isOK = iso14443a_select_card(resp, card, NULL);
207 if (isOK != 1) {
208 if (MF_DBGLEVEL >= 1) {
209 Dbprintf("CAN'T SELECT CARD, SOMETHING WENT WRONG BEFORE AUTH");
210 }
211 OnError();
212 return;
213 }
214
215 LED_A_ON();
216 LED_B_OFF();
217 LED_C_OFF();
218
219 // 3 olika sätt att authenticera. AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32)
220 // 4 olika crypto algo DES, 3DES, 3K3DES, AES
221 // 3 olika kommunikations sätt, PLAIN,MAC,CRYPTO
222
223 // des, nyckel 0,
224 switch (mode){
225 case 1:
226 // if ( SendDesfireCommand(AUTHENTICATE, &keyno, resp) > 0 ){
227 // // fick nonce från kortet
228 // }
229 break;
230 case 2:
231 //SendDesfireCommand(AUTHENTICATE_ISO, &keyno, resp);
232 break;
233 case 3:{
234 AesCtx ctx;
235 if ( AesCtxIni(&ctx, IV, key, KEY128, CBC) < 0 ){
236 if (MF_DBGLEVEL >= 1) {
237 Dbprintf("AES context failed to init");
238 }
239 OnError();
240 return;
241 }
242 uint8_t real_cmd[6];
243 real_cmd[0] = 0x90;
244 real_cmd[1] = 0x02;
245 real_cmd[2] = AUTHENTICATE_AES;
246 real_cmd[3] = keyno;
247
248 AppendCrc14443a(real_cmd, 2);
249 ReaderTransmit(real_cmd, sizeof(real_cmd), NULL);
250
251 int len = ReaderReceive(resp);
252 if(!len) {
253 OnError();
254 return;
255 }
256
257 print_result("RX:", resp, len);
258
259 enum DESFIRE_STATUS status = resp[1];
260 if ( status != ADDITIONAL_FRAME) {
261 OnError();
262 return;
263 }
264
265 // tags enc nonce
266 uint8_t encRndB[16];
267 uint8_t decRndB[16];
268 uint8_t nonce[16];
269 uint8_t both[32];
270 uint8_t encBoth[32];
271
272 memset(nonce, 0, 16);
273 memcpy( encRndB, resp+2, 16);
274
275 // dekryptera tagnonce.
276 AesDecrypt(&ctx, encRndB, decRndB, 16);
277
278 rol(decRndB,16);
279
280 memcpy(both, nonce,16);
281 memcpy(both+16, decRndB ,16 );
282
283 AesEncrypt(&ctx, both, encBoth, 32 );
284
285 uint8_t real_cmd_A[36];
286 real_cmd_A[0] = 0x03;
287 real_cmd_A[1] = ADDITIONAL_FRAME;
288
289 memcpy(real_cmd_A+2, encBoth, sizeof(encBoth) );
290 AppendCrc14443a(real_cmd_A, sizeof(real_cmd_A));
291 ReaderTransmit(real_cmd_A, sizeof(real_cmd_A), NULL);
292
293 len = ReaderReceive(resp);
294
295 print_result("Auth1a ", resp, 36);
296
297 status = resp[1];
298 if ( status != OPERATION_OK) {
299 Dbprintf("Cmd Error: %02x Len: %d", status,len);
300 OnError();
301 return;
302 }
303
304 break;
305 }
306
307 }
308
309 OnSuccess(resp);
310 }
311
312
313 // desfire_cmd = enum DESFIRE_CMD in desfire.h
314 // cmd = pointer to
315 // dataout = point to array for response data.
316 int SendDesfireCommand(enum DESFIRE_CMD desfire_cmd,uint8_t *dataout, uint8_t fromscratch){
317
318 uint8_t resp[80];
319 uint8_t len;
320
321 if ( fromscratch){
322
323 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
324
325 // power up the field
326 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
327 // select the card
328 iso14443a_select_card(NULL, NULL, NULL);
329 }
330
331 // 3 olika ISO sätt att skicka data till DESFIRE (direkt, inkapslat, inkapslat ISO)
332 uint8_t real_cmd[4];
333 real_cmd[0] = 0x02;
334 real_cmd[1] = desfire_cmd;
335 AppendCrc14443a(real_cmd, 2);
336 ReaderTransmit(real_cmd, sizeof(real_cmd), NULL);
337 len = ReaderReceive(resp);
338 if(!len)
339 return -1; //DATA LINK ERROR
340
341 if ( fromscratch){
342 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
343 }
344
345 enum DESFIRE_STATUS status = resp[1];
346 //1 bytes iso, 1 byte status, in the end: 2 bytes crc
347 if ( status == OPERATION_OK || status == ADDITIONAL_FRAME) {
348 memcpy(dataout, resp+2, 2);
349 return len;
350 }
351 else {
352 Dbprintf("unexpected desfire response: %X (to %X)", status, desfire_cmd);
353 return -status;
354 }
355 }
356
357 // crc_update(&desfire_crc32, 0, 1); /* CMD_WRITE */
358 // crc_update(&desfire_crc32, addr, addr_sz);
359 // crc_update(&desfire_crc32, byte, 8);
360 // uint32_t crc = crc_finish(&desfire_crc32);
361
362
363 /* Version
364
365 //uint8_t versionCmd1[] = {0x02, 0x60};
366 //uint8_t versionCmd2[] = {0x03, 0xaf};
367 //uint8_t versionCmd3[] = {0x02, 0xaf};
368
369 // AUTH 1 - CMD: 0x02, 0x0A, 0x00 = Auth
370 // 0x02 = status byte för simpla svar?!?
371 // 0x0a = krypto typ
372 // 0x00 = key nr
373 //uint8_t initAuthCmdDES[] = {0x02, 0x0a, 0x00}; // DES
374 //uint8_t initAuthCmd3DES[] = {0x02, 0x1a, 0x00}; // 3DES
375 //uint8_t initAuthCmdAES[] = {0x02, 0xaa, 0x00}; // AES
376 // auth 1 - answer command
377 // 0x03 = status byte för komplexa typer?
378 // 0xaf = additional frame
379 // LEN = 1+1+32+2 = 36
380 //uint8_t answerAuthCmd[34] = {0x03, 0xaf};
381
382 // Lägg till CRC
383 //AppendCrc14443a(versionCmd1,sizeof(versionCmd1));
384 */
385
386 // Sending commands
387 /*ReaderTransmit(versionCmd1,sizeof(versionCmd1)+2, NULL);
388 len = ReaderReceive(buffer);
389 print_result("Get Version 3", buffer, 9);
390 */
391
392 // for( int i = 0; i < 8; i++){
393 // // Auth 1 - Request authentication
394 // ReaderTransmit(initAuthCmdAES,sizeof(initAuthCmdAES)+2, NULL);
395 // //len = ReaderReceive(buffer);
396
397 // // 0xAE = authentication error
398 // if (buffer[1] == 0xae) {
399 // Dbprintf("Cmd Error: %02x", buffer[1]);
400 // OnError();
401 // return;
402 // }
403
404 // // tags enc nonce
405 // memcpy(encRndB, buffer+2, 16);
406
407 // // dekryptera svaret från tag.
408 // AesDecrypt(&ctx, encRndB, decRndB, 16);
409
410 // rol8(decRndB,16);
411 // memcpy(RndARndB, RndA,16);
412 // memcpy(RndARndB+16, decRndB ,16 );
413
414 // AesEncrypt(&ctx, RndARndB, encRndARndB, 32 );
415
416 // memcpy(answerAuthCmd+2, encRndARndB, 32);
417 // AppendCrc14443a(answerAuthCmd,sizeof(answerAuthCmd));
418
419 // ReaderTransmit(answerAuthCmd,sizeof(answerAuthCmd)+2, NULL);
420
421 // len = ReaderReceive(buffer);
422
423 // print_result("Auth1a ", buffer, 8);
424 // Dbprintf("Rx len: %02x", len);
425
426 // if (buffer[1] == 0xCA) {
427 // Dbprintf("Cmd Error: %02x Len: %d", buffer[1],len);
428 // cmd_send(CMD_ACK,0,0,0,0,0);
429 // key[1] = i;
430 // AesCtxIni(&ctx, iv, key, KEY128, CBC);
431 // }
432 // }
433
434 //des_dec(decRndB, encRndB, key);
435
436 //Do crypto magic
437 /*
438 DES_ede2_cbc_encrypt(e_RndB,RndB,sizeof(e_RndB),&ks1,&ks2,&iv,0);
439 memcpy(RndARndB,RndA,8);
440 memcpy(RndARndB+8,RndB,8);
441 PrintAndLog(" RA+B:%s",sprint_hex(RndARndB, 16));
442 DES_ede2_cbc_encrypt(RndARndB,RndARndB,sizeof(RndARndB),&ks1,&ks2,&e_RndB,1);
443 PrintAndLog("enc(RA+B):%s",sprint_hex(RndARndB, 16));
444 */
445
446
447 int mifare_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){
448
449 uint8_t* buffer = mifare_get_bigbufptr();
450 uint8_t dcmd[19];
451
452 dcmd[0] = 0xAF;
453 memcpy(dcmd+1,key,16);
454 AppendCrc14443a(dcmd, 17);
455
456
457 ReaderTransmit(dcmd, sizeof(dcmd), NULL);
458 int len = ReaderReceive(buffer);
459 if(!len) {
460 if (MF_DBGLEVEL >= 1) Dbprintf("Authentication failed. Card timeout.");
461 len = ReaderReceive(buffer);
462 }
463
464 if(len==1) {
465 if (MF_DBGLEVEL >= 1) {
466 Dbprintf("NAK - Authentication failed.");
467 Dbprintf("Cmd Error: %02x", buffer[0]);
468 }
469 return 1;
470 }
471
472 if (len == 11){
473 if (MF_DBGLEVEL >= 1) {
474 Dbprintf("Auth2 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
475 buffer[0],buffer[1],buffer[2],buffer[3],buffer[4],
476 buffer[5],buffer[6],buffer[7],buffer[8],buffer[9],
477 buffer[10]);
478 }
479 return 0;
480 }
481 return 1;
482 }
483
484 void MifareDES_Auth2(uint32_t arg0, uint8_t *datain){
485
486 return;
487 uint32_t cuid = arg0;
488 uint8_t key[16];
489
490 byte_t isOK = 0;
491 byte_t dataoutbuf[16];
492
493 memset(key, 0, 16);
494 memcpy(key, datain, 16);
495
496 LED_A_ON();
497 LED_B_OFF();
498 LED_C_OFF();
499
500 if(mifare_des_auth2(cuid, key, dataoutbuf)){
501 if (MF_DBGLEVEL >= 1) Dbprintf("Authentication part2: Fail...");
502 }
503 isOK=1;
504 if (MF_DBGLEVEL >= 2) DbpString("AUTH 2 FINISHED");
505
506 LED_B_ON();
507 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,11);
508 LED_B_OFF();
509
510 // Thats it...
511 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
512 LEDsoff();
513 }
514
515 // CreateAPDU
516 uint8_t* CreateAPDU( uint8_t *datain, size_t len){
517
518 len = MIN(len, USB_CMD_DATA_SIZE);
519
520 uint8_t tmpcmd[len];
521 uint8_t *cmd = tmpcmd;
522 memset(cmd, 0, len);
523 cmd[0] = 0x0a;
524 cmd[1] = 0x00;
525
526 memcpy(cmd, datain,len);
527 AppendCrc14443a(cmd, len+2);
528 return cmd;
529 }
530
531 void SelectCard(){
532
533 uint8_t resp[RECV_RES_SIZE];
534 byte_t buf[RECV_RES_SIZE];
535
536 memset(resp,0,sizeof(resp));
537 memset(buf,0,sizeof(buf));
538
539 iso14a_clear_trace();
540 iso14a_set_tracing(TRUE);
541 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
542
543 // card select - information
544 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
545 byte_t isOK = iso14443a_select_card(NULL, card, NULL);
546 if (isOK != 1) {
547 if (MF_DBGLEVEL >= 1) {
548 Dbprintf("Can't select card");
549 }
550 OnError();
551 return;
552 }
553 }
554
555 void OnSuccess(){
556 // Deselect card by sending a s-block. the crc is precalced for speed
557 uint8_t cmd[] = {0xc2,0xe0,0xb4};
558 ReaderTransmit(cmd, sizeof(cmd), NULL);
559 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
560 LEDsoff();
561 }
562
563 void OnError(){
564 cmd_send(CMD_ACK,0,0,0,0,0);
565 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
566 LEDsoff();
567 }
Impressum, Datenschutz