]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaredesfire.c
projects / proxmark3-svn / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ADD: marshmellows new lf command and DetectClock. (works great!)
[proxmark3-svn] / armsrc / mifaredesfire.c
1 #include "mifaredesfire.h"
2
3 #define MAX_APPLICATION_COUNT 28
4 #define MAX_FILE_COUNT 16
5 #define MAX_DESFIRE_FRAME_SIZE 60
6 #define NOT_YET_AUTHENTICATED 255
7 #define FRAME_PAYLOAD_SIZE (MAX_DESFIRE_FRAME_SIZE - 5)
8 #define RECEIVE_SIZE 64
9
10 // the block number for the ISO14443-4 PCB
11 uint8_t pcb_blocknum = 0;
12 // Deselect card by sending a s-block. the crc is precalced for speed
13 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
14
15 //static uint8_t __msg[MAX_FRAME_SIZE] = { 0x0A, 0x00, 0x00, /* ..., */ 0x00 };
16 /* PCB CID CMD PAYLOAD */
17 //static uint8_t __res[MAX_FRAME_SIZE];
18
19 bool InitDesfireCard(){
20
21 // Make sure it is off.
22 // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
23 // SpinDelay(300);
24
25 byte_t cardbuf[USB_CMD_DATA_SIZE];
26 memset(cardbuf,0,sizeof(cardbuf));
27
28 iso14a_set_tracing(TRUE);
29 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
30
31 iso14a_card_select_t *card = (iso14a_card_select_t*)cardbuf;
32 int len = iso14443a_select_card(NULL,card,NULL);
33
34 if (!len) {
35 if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");
36 OnError();
37 return false;
38 }
39 return true;
40 }
41
42 // ARG0 flag enums
43 enum {
44 NONE = 0x00,
45 INIT = 0x01,
46 DISCONNECT = 0x02,
47 CLEARTRACE = 0x04,
48 BAR = 0x08,
49 } CmdOptions ;
50
51 void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){
52
53 /* ARG0 contains flags.
54 0x01 = init card.
55 0x02 = Disconnect
56 0x03
57 */
58 uint8_t flags = arg0;
59 size_t datalen = arg1;
60 uint8_t resp[RECEIVE_SIZE];
61 memset(resp,0,sizeof(resp));
62
63 if (MF_DBGLEVEL >= 4) {
64 Dbprintf(" flags : %02X", flags);
65 Dbprintf(" len : %02X", datalen);
66 print_result(" RX : ", datain, datalen);
67 }
68
69 if ( flags & CLEARTRACE ){
70 iso14a_clear_trace();
71 }
72
73 if ( flags & INIT ){
74 if ( !InitDesfireCard() )
75 return;
76 }
77
78 int len = DesfireAPDU(datain, datalen, resp);
79 if (MF_DBGLEVEL >= 4) {
80 print_result("ERR <--: ", resp, len);
81 }
82
83 if ( !len ) {
84 OnError();
85 return;
86 }
87
88 // reset the pcb_blocknum,
89 pcb_blocknum = 0;
90
91 if ( flags & DISCONNECT ){
92 OnSuccess();
93 }
94
95 cmd_send(CMD_ACK,1,len,0,resp,len);
96 }
97
98 void MifareDesfireGetInformation(){
99
100 int len = 0;
101 uint8_t resp[USB_CMD_DATA_SIZE];
102 uint8_t dataout[USB_CMD_DATA_SIZE];
103 byte_t cardbuf[USB_CMD_DATA_SIZE];
104
105 memset(resp,0,sizeof(resp));
106 memset(dataout,0, sizeof(dataout));
107 memset(cardbuf,0,sizeof(cardbuf));
108
109 /*
110 1 = PCB 1
111 2 = cid 2
112 3 = desfire command 3
113 4-5 = crc 4 key
114 5-6 crc
115 PCB == 0x0A because sending CID byte.
116 CID == 0x00 first card?
117 */
118 iso14a_clear_trace();
119 iso14a_set_tracing(TRUE);
120 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
121
122 // card select - information
123 iso14a_card_select_t *card = (iso14a_card_select_t*)cardbuf;
124 byte_t isOK = iso14443a_select_card(NULL, card, NULL);
125 if ( isOK == 0) {
126 if (MF_DBGLEVEL >= 1) {
127 Dbprintf("Can't select card");
128 }
129 OnError();
130 return;
131 }
132
133 memcpy(dataout,card->uid,7);
134
135 LED_A_ON();
136 LED_B_OFF();
137 LED_C_OFF();
138
139 uint8_t cmd[] = {GET_VERSION};
140 size_t cmd_len = sizeof(cmd);
141
142 len = DesfireAPDU(cmd, cmd_len, resp);
143 if ( !len ) {
144 print_result("ERROR <--: ", resp, len);
145 OnError();
146 return;
147 }
148
149 LED_A_OFF();
150 LED_B_ON();
151 memcpy(dataout+7,resp+3,7);
152
153 // ADDITION_FRAME 1
154 cmd[0] = ADDITIONAL_FRAME;
155 len = DesfireAPDU(cmd, cmd_len, resp);
156 if ( !len ) {
157 print_result("ERROR <--: ", resp, len);
158 OnError();
159 return;
160 }
161
162 LED_B_OFF();
163 LED_C_ON();
164 memcpy(dataout+7+7,resp+3,7);
165
166 // ADDITION_FRAME 2
167 len = DesfireAPDU(cmd, cmd_len, resp);
168 if ( !len ) {
169 print_result("ERROR <--: ", resp, len);
170 OnError();
171 return;
172 }
173
174 memcpy(dataout+7+7+7,resp+3,14);
175
176 cmd_send(CMD_ACK,1,0,0,dataout,sizeof(dataout));
177
178 // reset the pcb_blocknum,
179 pcb_blocknum = 0;
180 OnSuccess();
181 }
182
183 void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain){
184
185 int len = 0;
186 //uint8_t PICC_MASTER_KEY8[8] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47};
187 uint8_t PICC_MASTER_KEY16[16] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f };
188 //uint8_t null_key_data8[8] = {0x00};
189 //uint8_t null_key_data16[16] = {0x00};
190 //uint8_t new_key_data8[8] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77};
191 //uint8_t new_key_data16[16] = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF};
192
193 //uint8_t* bigbuffer = get_bigbufptr_recvrespbuf();
194 uint8_t resp[256] = {0x00};
195 uint8_t IV[16] = {0x00};
196
197 size_t datalen = datain[0];
198
199 uint8_t cmd[40] = {0x00};
200 uint8_t encRndB[16] = {0x00};
201 uint8_t decRndB[16] = {0x00};
202 uint8_t nonce[16] = {0x00};
203 uint8_t both[32] = {0x00};
204 uint8_t encBoth[32] = {0x00};
205
206 InitDesfireCard();
207
208 LED_A_ON();
209 LED_B_OFF();
210 LED_C_OFF();
211
212 // 3 olika sätt att authenticera. AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32)
213 // 4 olika crypto algo DES, 3DES, 3K3DES, AES
214 // 3 olika kommunikations sätt, PLAIN,MAC,CRYPTO
215
216 // des, nyckel 0,
217 switch (mode){
218 case 1:
219 // if ( SendDesfireCommand(AUTHENTICATE, &keyno, resp) > 0 ){
220 // // fick nonce från kortet
221 // }
222 break;
223 case 2:
224 //SendDesfireCommand(AUTHENTICATE_ISO, &keyno, resp);
225 break;
226 case 3:{
227
228 //defaultkey
229 uint8_t keybytes[16];
230 if (datain[1] == 0xff){
231 memcpy(keybytes,PICC_MASTER_KEY16,16);
232 } else{
233 memcpy(keybytes, datain+1, datalen);
234 }
235
236 struct desfire_key defaultkey = {0};
237 desfirekey_t key = &defaultkey;
238 Desfire_aes_key_new( keybytes, key);
239
240 AesCtx ctx;
241 if ( AesCtxIni(&ctx, IV, key->data, KEY128, CBC) < 0 ){
242 if( MF_DBGLEVEL >= 4) {
243 Dbprintf("AES context failed to init");
244 }
245 OnError();
246 return;
247 }
248
249 cmd[0] = AUTHENTICATE_AES;
250 cmd[1] = 0x00; //keynumber
251 len = DesfireAPDU(cmd, 2, resp);
252 if ( !len ) {
253 if (MF_DBGLEVEL >= 1) {
254 DbpString("Authentication failed. Card timeout.");
255 }
256 OnError();
257 return;
258 }
259
260 memcpy( encRndB, resp+3, 16);
261
262 // dekryptera tagnonce.
263 AesDecrypt(&ctx, encRndB, decRndB, 16);
264 rol(decRndB,16);
265 memcpy(both, nonce,16);
266 memcpy(both+16, decRndB ,16 );
267 AesEncrypt(&ctx, both, encBoth, 32 );
268
269 cmd[0] = ADDITIONAL_FRAME;
270 memcpy(cmd+1, encBoth, 32 );
271
272 len = DesfireAPDU(cmd, 33, resp); // 1 + 32 == 33
273 if ( !len ) {
274 if (MF_DBGLEVEL >= 1) {
275 DbpString("Authentication failed. Card timeout.");
276 }
277 OnError();
278 return;
279 }
280
281 if ( resp[2] == 0x00 ){
282 // Create AES Session key
283 struct desfire_key sessionKey = {0};
284 desfirekey_t skey = &sessionKey;
285 Desfire_session_key_new( nonce, decRndB , key, skey );
286 print_result("SESSION : ", skey->data, 16);
287 } else {
288 DbpString("Authetication failed.");
289 OnError();
290 return;
291 }
292
293 break;
294 }
295 }
296
297 OnSuccess();
298 cmd_send(CMD_ACK,1,len,0,resp,len);
299 }
300
301 // 3 olika ISO sätt att skicka data till DESFIRE (direkt, inkapslat, inkapslat ISO)
302 // cmd = cmd bytes to send
303 // cmd_len = length of cmd
304 // dataout = pointer to response data array
305 int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout){
306
307 size_t len = 0;
308 size_t wrappedLen = 0;
309 uint8_t wCmd[USB_CMD_DATA_SIZE] = {0};
310
311 uint8_t *resp = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
312 uint8_t *resp_par = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
313
314 wrappedLen = CreateAPDU( cmd, cmd_len, wCmd);
315
316 if (MF_DBGLEVEL >= 4) {
317 print_result("WCMD <--: ", wCmd, wrappedLen);
318 }
319 ReaderTransmit( wCmd, wrappedLen, NULL);
320
321 len = ReaderReceive(resp, resp_par);
322
323 if( len == 0x00 ){
324 if (MF_DBGLEVEL >= 4) {
325 Dbprintf("fukked");
326 }
327 return FALSE; //DATA LINK ERROR
328 }
329 // if we received an I- or R(ACK)-Block with a block number equal to the
330 // current block number, toggle the current block number
331 else if (len >= 4 // PCB+CID+CRC = 4 bytes
332 && ((resp[0] & 0xC0) == 0 // I-Block
333 || (resp[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
334 && (resp[0] & 0x01) == pcb_blocknum) // equal block numbers
335 {
336 pcb_blocknum ^= 1; //toggle next block
337 }
338
339 memcpy(dataout, resp, len);
340 return len;
341 }
342
343 // CreateAPDU
344 size_t CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout){
345
346 size_t cmdlen = MIN(len+4, USB_CMD_DATA_SIZE-1);
347
348 uint8_t cmd[cmdlen];
349 memset(cmd, 0, cmdlen);
350
351 cmd[0] = 0x0A; // 0x0A = skicka cid, 0x02 = ingen cid. Särskilda bitar //
352 cmd[0] |= pcb_blocknum; // OR the block number into the PCB
353 cmd[1] = 0x00; // CID: 0x00 //FIXME: allow multiple selected cards
354
355 memcpy(cmd+2, datain, len);
356 AppendCrc14443a(cmd, len+2);
357
358 memcpy(dataout, cmd, cmdlen);
359
360 return cmdlen;
361 }
362
363 // crc_update(&desfire_crc32, 0, 1); /* CMD_WRITE */
364 // crc_update(&desfire_crc32, addr, addr_sz);
365 // crc_update(&desfire_crc32, byte, 8);
366 // uint32_t crc = crc_finish(&desfire_crc32);
367
368 void OnSuccess(){
369 pcb_blocknum = 0;
370 ReaderTransmit(deselect_cmd, 3 , NULL);
371 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
372 LEDsoff();
373 }
374
375 void OnError(){
376 pcb_blocknum = 0;
377 ReaderTransmit(deselect_cmd, 3 , NULL);
378 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
379 cmd_send(CMD_ACK,0,0,0,0,0);
380 LEDsoff();
381 }
Proxmark3 GIT tracking
Impressum, Datenschutz