]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/emv/cmdemv.c
1d30fc83f651c542205e9bfe68314e1239188886
[proxmark3-svn] / client / emv / cmdemv.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2017, 2018 Merlok
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // EMV commands
9 //-----------------------------------------------------------------------------
10
11 #include <ctype.h>
12 #include "cmdemv.h"
13 #include "test/cryptotest.h"
14 #include "cliparser/cliparser.h"
15
16 int CmdHFEMVSelect(const char *cmd) {
17 uint8_t data[APDU_AID_LEN] = {0};
18 int datalen = 0;
19
20
21 CLIParserInit("hf 14a select",
22 "Executes select applet command",
23 "Usage:\n\thf emv select -s a00000000101 -> select card, select applet\n\thf emv select -st a00000000101 -> select card, select applet, show result in TLV\n");
24
25 void* argtable[] = {
26 arg_param_begin,
27 arg_lit0("sS", "select", "activate field and select card"),
28 arg_lit0("kK", "keep", "keep field for next command"),
29 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
30 arg_lit0("tT", "tlv", "TLV decode results"),
31 arg_str0(NULL, NULL, "<HEX applet AID>", NULL),
32 arg_param_end
33 };
34 CLIExecWithReturn(cmd, argtable, true);
35
36 bool activateField = arg_get_lit(1);
37 bool leaveSignalON = arg_get_lit(2);
38 bool APDULogging = arg_get_lit(3);
39 bool decodeTLV = arg_get_lit(4);
40 CLIGetStrWithReturn(5, data, &datalen);
41 CLIParserFree();
42
43 SetAPDULogging(APDULogging);
44
45 // exec
46 uint8_t buf[APDU_RES_LEN] = {0};
47 size_t len = 0;
48 uint16_t sw = 0;
49 int res = EMVSelect(activateField, leaveSignalON, data, datalen, buf, sizeof(buf), &len, &sw, NULL);
50
51 if (sw)
52 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
53
54 if (res)
55 return res;
56
57 if (decodeTLV)
58 TLVPrintFromBuffer(buf, len);
59
60 return 0;
61 }
62
63 int CmdHFEMVSearch(const char *cmd) {
64
65 CLIParserInit("hf 14a select",
66 "Tries to select all applets from applet list:\n",
67 "Usage:\n\thf emv search -s -> select card and search\n\thf emv search -st -> select card, search and show result in TLV\n");
68
69 void* argtable[] = {
70 arg_param_begin,
71 arg_lit0("sS", "select", "activate field and select card"),
72 arg_lit0("kK", "keep", "keep field ON for next command"),
73 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
74 arg_lit0("tT", "tlv", "TLV decode results of selected applets"),
75 arg_param_end
76 };
77 CLIExecWithReturn(cmd, argtable, true);
78
79 bool activateField = arg_get_lit(1);
80 bool leaveSignalON = arg_get_lit(2);
81 bool APDULogging = arg_get_lit(3);
82 bool decodeTLV = arg_get_lit(4);
83 CLIParserFree();
84
85 SetAPDULogging(APDULogging);
86
87 struct tlvdb *t = NULL;
88 const char *al = "Applets list";
89 t = tlvdb_fixed(1, strlen(al), (const unsigned char *)al);
90
91 if (EMVSearch(activateField, leaveSignalON, decodeTLV, t)) {
92 tlvdb_free(t);
93 return 2;
94 }
95
96 PrintAndLog("Search completed.");
97
98 // print list here
99 if (!decodeTLV) {
100 TLVPrintAIDlistFromSelectTLV(t);
101 }
102
103 tlvdb_free(t);
104
105 return 0;
106 }
107
108 int CmdHFEMVPPSE(const char *cmd) {
109
110 CLIParserInit("hf 14a pse",
111 "Executes PSE/PPSE select command. It returns list of applet on the card:\n",
112 "Usage:\n\thf emv pse -s1 -> select, get pse\n\thf emv pse -st2 -> select, get ppse, show result in TLV\n");
113
114 void* argtable[] = {
115 arg_param_begin,
116 arg_lit0("sS", "select", "activate field and select card"),
117 arg_lit0("kK", "keep", "keep field ON for next command"),
118 arg_lit0("1", "pse", "pse (1PAY.SYS.DDF01) mode"),
119 arg_lit0("2", "ppse", "ppse (2PAY.SYS.DDF01) mode (default mode)"),
120 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
121 arg_lit0("tT", "tlv", "TLV decode results of selected applets"),
122 arg_param_end
123 };
124 CLIExecWithReturn(cmd, argtable, true);
125
126 bool activateField = arg_get_lit(1);
127 bool leaveSignalON = arg_get_lit(2);
128 uint8_t PSENum = 2;
129 if (arg_get_lit(3))
130 PSENum = 1;
131 if (arg_get_lit(4))
132 PSENum = 2;
133 bool APDULogging = arg_get_lit(5);
134 bool decodeTLV = arg_get_lit(6);
135 CLIParserFree();
136
137 SetAPDULogging(APDULogging);
138
139 // exec
140 uint8_t buf[APDU_RES_LEN] = {0};
141 size_t len = 0;
142 uint16_t sw = 0;
143 int res = EMVSelectPSE(activateField, leaveSignalON, PSENum, buf, sizeof(buf), &len, &sw);
144
145 if (sw)
146 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
147
148 if (res)
149 return res;
150
151
152 if (decodeTLV)
153 TLVPrintFromBuffer(buf, len);
154
155 return 0;
156 }
157
158 #define TLV_ADD(tag, value)( tlvdb_add(tlvRoot, tlvdb_fixed(tag, sizeof(value) - 1, (const unsigned char *)value)) )
159
160 int CmdHFEMVGPO(const char *cmd) {
161 uint8_t data[APDU_RES_LEN] = {0};
162 int datalen = 0;
163
164 CLIParserInit("hf 14a gpo",
165 "Executes Get Processing Options command. It returns data in TLV format (0x77 - format2) or plain format (0x80 - format1).\nNeeds a EMV applet to be selected.",
166 "Usage:\n\thf emv gpo -k -> execute GPO\n\thf emv gpo -st 01020304 -> execute GPO with 4-byte PDOL data, show result in TLV\n");
167 // here need to add load params from file and gen pdol
168
169 void* argtable[] = {
170 arg_param_begin,
171 arg_lit0("kK", "keep", "keep field ON for next command"),
172 arg_lit0("pP", "params", "load parameters for PDOL making from `emv/defparams.json` file (by default uses default parameters) (NOT WORK!!!)"),
173 arg_lit0("mM", "make", "make PDOLdata from PDOL (tag 9F38) and parameters (NOT WORK!!!)"),
174 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
175 arg_lit0("tT", "tlv", "TLV decode results of selected applets"),
176 arg_str0(NULL, NULL, "<HEX PDOLdata/PDOL>", NULL),
177 arg_param_end
178 };
179 CLIExecWithReturn(cmd, argtable, true);
180
181 bool leaveSignalON = arg_get_lit(1);
182 bool paramsLoadFromFile = arg_get_lit(2);
183 bool dataMakeFromPDOL = arg_get_lit(3);
184 bool APDULogging = arg_get_lit(4);
185 bool decodeTLV = arg_get_lit(5);
186 CLIGetStrWithReturn(6, data, &datalen);
187 CLIParserFree();
188
189 SetAPDULogging(APDULogging);
190
191 // Init TLV tree
192 const char *alr = "Root terminal TLV tree";
193 struct tlvdb *tlvRoot = tlvdb_fixed(1, strlen(alr), (const unsigned char *)alr);
194
195 // calc PDOL
196 struct tlv *pdol_data_tlv = NULL;
197 struct tlv data_tlv = {
198 .tag = 0x01,
199 .len = datalen,
200 .value = (uint8_t *)data,
201 };
202 if (dataMakeFromPDOL) {
203 // TODO
204 PrintAndLog("Make PDOL data not implemented!");
205
206 //9F02:(Amount, authorized (Numeric)) len:6
207 TLV_ADD(0x9F02, "\x00\x00\x00\x00\x01\x00");
208 //9F1A:(Terminal Country Code) len:2
209 TLV_ADD(0x9F1A, "ru");
210 //5F2A:(Transaction Currency Code) len:2
211 // USD 840, EUR 978, RUR 810, RUB 643, RUR 810(old), UAH 980, AZN 031, n/a 999
212 TLV_ADD(0x5F2A, "\x09\x80");
213 //9A:(Transaction Date) len:3
214 TLV_ADD(0x9A, "\x00\x00\x00");
215 //9C:(Transaction Type) len:1 | 00 => Goods and service #01 => Cash
216 TLV_ADD(0x9C, "\x00");
217 // 9F37 Unpredictable Number len:4
218 TLV_ADD(0x9F37, "\x01\x02\x03\x04");
219 // 9F6A Unpredictable Number (MSD for UDOL) len:4
220 TLV_ADD(0x9F6A, "\x01\x02\x03\x04");
221 //9F66:(Terminal Transaction Qualifiers (TTQ)) len:4
222 TLV_ADD(0x9F66, "\x26\x00\x00\x00"); // qVSDC
223
224 if (paramsLoadFromFile) {
225 };
226 /* pdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x9f38, NULL), tlvRoot, 0x83);
227 if (!pdol_data_tlv){
228 PrintAndLog("ERROR: can't create PDOL TLV.");
229 tlvdb_free(tlvRoot);
230 return 4;
231 }*/
232 return 0;
233 } else {
234 pdol_data_tlv = &data_tlv;
235 }
236
237 size_t pdol_data_tlv_data_len = 0;
238 unsigned char *pdol_data_tlv_data = tlv_encode(pdol_data_tlv, &pdol_data_tlv_data_len);
239 if (!pdol_data_tlv_data) {
240 PrintAndLog("ERROR: can't create PDOL data.");
241 tlvdb_free(tlvRoot);
242 return 4;
243 }
244 PrintAndLog("PDOL data[%d]: %s", pdol_data_tlv_data_len, sprint_hex(pdol_data_tlv_data, pdol_data_tlv_data_len));
245
246 // exec
247 uint8_t buf[APDU_RES_LEN] = {0};
248 size_t len = 0;
249 uint16_t sw = 0;
250 int res = EMVGPO(leaveSignalON, pdol_data_tlv_data, pdol_data_tlv_data_len, buf, sizeof(buf), &len, &sw, tlvRoot);
251
252 free(pdol_data_tlv_data);
253 tlvdb_free(tlvRoot);
254
255 if (sw)
256 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
257
258 if (res)
259 return res;
260
261 if (decodeTLV)
262 TLVPrintFromBuffer(buf, len);
263
264 return 0;
265 }
266
267 int CmdHFEMVReadRecord(const char *cmd) {
268 uint8_t data[APDU_RES_LEN] = {0};
269 int datalen = 0;
270
271 CLIParserInit("hf 14a readrec",
272 "Executes Read Record command. It returns data in TLV format.\nNeeds a bank applet to be selected and sometimes needs GPO to be executed.",
273 "Usage:\n\thf emv readrec -k 0101 -> read file SFI=01, SFIrec=01\n\thf emv readrec -kt 0201-> read file 0201 and show result in TLV\n");
274
275 void* argtable[] = {
276 arg_param_begin,
277 arg_lit0("kK", "keep", "keep field ON for next command"),
278 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
279 arg_lit0("tT", "tlv", "TLV decode results of selected applets"),
280 arg_str1(NULL, NULL, "<SFI 1byte HEX><SFIrec 1byte HEX>", NULL),
281 arg_param_end
282 };
283 CLIExecWithReturn(cmd, argtable, true);
284
285 bool leaveSignalON = arg_get_lit(1);
286 bool APDULogging = arg_get_lit(2);
287 bool decodeTLV = arg_get_lit(3);
288 CLIGetStrWithReturn(4, data, &datalen);
289 CLIParserFree();
290
291 if (datalen != 2) {
292 PrintAndLog("ERROR: Command needs to have 2 bytes of data");
293 return 1;
294 }
295
296 SetAPDULogging(APDULogging);
297
298 // exec
299 uint8_t buf[APDU_RES_LEN] = {0};
300 size_t len = 0;
301 uint16_t sw = 0;
302 int res = EMVReadRecord(leaveSignalON, data[0], data[1], buf, sizeof(buf), &len, &sw, NULL);
303
304 if (sw)
305 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
306
307 if (res)
308 return res;
309
310
311 if (decodeTLV)
312 TLVPrintFromBuffer(buf, len);
313
314 return 0;
315 }
316
317 int CmdHFEMVAC(const char *cmd) {
318 uint8_t data[APDU_RES_LEN] = {0};
319 int datalen = 0;
320
321 CLIParserInit("hf 14a genac",
322 "Generate Application Cryptogram command. It returns data in TLV format .\nNeeds a EMV applet to be selected and GPO to be executed.",
323 "Usage:\n\thf emv genac -k 0102-> execute GPO with 2-byte CDOLdata and keep field ON after command\n\thf emv genac -t 01020304 -> execute GPO with 4-byte CDOL data, show result in TLV\n");
324
325 void* argtable[] = {
326 arg_param_begin,
327 arg_lit0("kK", "keep", "keep field ON for next command"),
328 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
329 arg_lit0("tT", "tlv", "TLV decode results of selected applets"),
330 arg_str1(NULL, NULL, "<HEX CDOLdata>", NULL),
331 arg_param_end
332 };
333 CLIExecWithReturn(cmd, argtable, false);
334
335 bool leaveSignalON = arg_get_lit(1);
336 bool APDULogging = arg_get_lit(2);
337 bool decodeTLV = arg_get_lit(3);
338 CLIGetStrWithReturn(4, data, &datalen);
339 CLIParserFree();
340
341 SetAPDULogging(APDULogging);
342
343 // Init TLV tree
344 const char *alr = "Root terminal TLV tree";
345 struct tlvdb *tlvRoot = tlvdb_fixed(1, strlen(alr), (const unsigned char *)alr);
346
347 // calc CDOL
348 struct tlv *cdol_data_tlv = NULL;
349 // struct tlv *cdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x8c, NULL), tlvRoot, 0x01); // 0x01 - dummy tag
350 struct tlv data_tlv = {
351 .tag = 0x01,
352 .len = datalen,
353 .value = (uint8_t *)data,
354 };
355 cdol_data_tlv = &data_tlv;
356 PrintAndLog("CDOL data[%d]: %s", cdol_data_tlv->len, sprint_hex(cdol_data_tlv->value, cdol_data_tlv->len));
357
358 // exec
359 uint8_t buf[APDU_RES_LEN] = {0};
360 size_t len = 0;
361 uint16_t sw = 0;
362 // EMVAC_TC + EMVAC_CDAREQ --- to get SDAD
363 // res = EMVAC(true, (TrType == TT_CDA) ? EMVAC_TC + EMVAC_CDAREQ : EMVAC_TC, (uint8_t *)cdol_data_tlv->value, cdol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
364 int res = EMVAC(leaveSignalON, EMVAC_TC, (uint8_t *)cdol_data_tlv->value, cdol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
365
366 // free(cdol_data_tlv);
367 tlvdb_free(tlvRoot);
368
369 if (sw)
370 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
371
372 if (res)
373 return res;
374
375 if (decodeTLV)
376 TLVPrintFromBuffer(buf, len);
377
378 return 0;
379 }
380
381 int CmdHFEMVGenerateChallenge(const char *cmd) {
382
383 CLIParserInit("hf 14a challenge",
384 "Executes Generate Challenge command. It returns 4 or 8-byte random number from card:\n",
385 "Usage:\n\thf emv challenge -> get challenge\n\thf emv challenge -k -> get challenge, keep fileld ON\n");
386
387 void* argtable[] = {
388 arg_param_begin,
389 arg_lit0("kK", "keep", "keep field ON for next command"),
390 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
391 arg_param_end
392 };
393 CLIExecWithReturn(cmd, argtable, true);
394
395 bool leaveSignalON = arg_get_lit(1);
396 bool APDULogging = arg_get_lit(2);
397 CLIParserFree();
398
399 SetAPDULogging(APDULogging);
400
401 // exec
402 uint8_t buf[APDU_RES_LEN] = {0};
403 size_t len = 0;
404 uint16_t sw = 0;
405 int res = EMVGenerateChallenge(leaveSignalON, buf, sizeof(buf), &len, &sw, NULL);
406
407 if (sw)
408 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
409
410 if (res)
411 return res;
412
413 PrintAndLog("Challenge: %s", sprint_hex(buf, len));
414
415 if (len != 4 && len != 8)
416 PrintAndLog("WARNING: length of challenge must be 4 or 8, but it %d", len);
417
418 return 0;
419 }
420
421 int CmdHFEMVInternalAuthenticate(const char *cmd) {
422 uint8_t data[APDU_RES_LEN] = {0};
423 int datalen = 0;
424
425 CLIParserInit("hf 14a intauth",
426 "Generate Internal Authenticate command. Usually needs 4-byte random number. It returns data in TLV format .\nNeeds a EMV applet to be selected and GPO to be executed.",
427 "Usage:\n\thf emv intauth -k 01020304 -> execute Internal Authenticate with 4-byte DDOLdata and keep field ON after command\n"
428 "\thf emv intauth -t 01020304 -> execute Internal Authenticate with 4-byte DDOL data, show result in TLV\n");
429
430 void* argtable[] = {
431 arg_param_begin,
432 arg_lit0("kK", "keep", "keep field ON for next command"),
433 arg_lit0("aA", "apdu", "show APDU reqests and responses"),
434 arg_lit0("tT", "tlv", "TLV decode results of selected applets"),
435 arg_str1(NULL, NULL, "<HEX DDOLdata>", NULL),
436 arg_param_end
437 };
438 CLIExecWithReturn(cmd, argtable, false);
439
440 bool leaveSignalON = arg_get_lit(1);
441 bool APDULogging = arg_get_lit(2);
442 bool decodeTLV = arg_get_lit(3);
443 CLIGetStrWithReturn(4, data, &datalen);
444 CLIParserFree();
445
446 SetAPDULogging(APDULogging);
447
448 // DDOL
449 PrintAndLog("DDOL data[%d]: %s", datalen, sprint_hex(data, datalen));
450
451 // exec
452 uint8_t buf[APDU_RES_LEN] = {0};
453 size_t len = 0;
454 uint16_t sw = 0;
455 int res = EMVInternalAuthenticate(leaveSignalON, data, datalen, buf, sizeof(buf), &len, &sw, NULL);
456
457 if (sw)
458 PrintAndLog("APDU response status: %04x - %s", sw, GetAPDUCodeDescription(sw >> 8, sw & 0xff));
459
460 if (res)
461 return res;
462
463 if (decodeTLV)
464 TLVPrintFromBuffer(buf, len);
465
466 return 0;
467 }
468
469 int UsageCmdHFEMVExec(void) {
470 PrintAndLog("HELP : Executes EMV contactless transaction:\n");
471 PrintAndLog("Usage: hf emv exec [-s][-a][-t][-f][-v][-c][-x][-g]\n");
472 PrintAndLog(" Options:");
473 PrintAndLog(" -s : select card");
474 PrintAndLog(" -a : show APDU reqests and responses\n");
475 PrintAndLog(" -t : TLV decode results\n");
476 PrintAndLog(" -f : force search AID. Search AID instead of execute PPSE.\n");
477 PrintAndLog(" -v : transaction type - qVSDC or M/Chip.\n");
478 PrintAndLog(" -c : transaction type - qVSDC or M/Chip plus CDA (SDAD generation).\n");
479 PrintAndLog(" -x : transaction type - VSDC. For test only. Not a standart behavior.\n");
480 PrintAndLog(" -g : VISA. generate AC from GPO\n");
481 PrintAndLog("By default : transaction type - MSD.\n");
482 PrintAndLog("Samples:");
483 PrintAndLog(" hf emv exec -s -a -t -> execute MSD transaction");
484 PrintAndLog(" hf emv exec -s -a -t -c -> execute CDA transaction");
485 return 0;
486 }
487
488 #define dreturn(n) {free(pdol_data_tlv);tlvdb_free(tlvSelect);tlvdb_free(tlvRoot);DropField();return n;}
489
490 int CmdHFEMVExec(const char *cmd) {
491 bool activateField = false;
492 bool showAPDU = false;
493 bool decodeTLV = false;
494 bool forceSearch = false;
495 enum TransactionType TrType = TT_MSD;
496 bool GenACGPO = false;
497
498 uint8_t buf[APDU_RES_LEN] = {0};
499 size_t len = 0;
500 uint16_t sw = 0;
501 uint8_t AID[APDU_AID_LEN] = {0};
502 size_t AIDlen = 0;
503 uint8_t ODAiList[4096];
504 size_t ODAiListLen = 0;
505
506 int res;
507
508 struct tlvdb *tlvSelect = NULL;
509 struct tlvdb *tlvRoot = NULL;
510 struct tlv *pdol_data_tlv = NULL;
511
512 if (strlen(cmd) < 1) {
513 UsageCmdHFEMVExec();
514 return 0;
515 }
516
517 int cmdp = 0;
518 while(param_getchar(cmd, cmdp) != 0x00) {
519 char c = param_getchar(cmd, cmdp);
520 if ((c == '-') && (param_getlength(cmd, cmdp) == 2))
521 switch (param_getchar_indx(cmd, 1, cmdp)) {
522 case 'h':
523 case 'H':
524 UsageCmdHFEMVExec();
525 return 0;
526 case 's':
527 case 'S':
528 activateField = true;
529 break;
530 case 'a':
531 case 'A':
532 showAPDU = true;
533 break;
534 case 't':
535 case 'T':
536 decodeTLV = true;
537 break;
538 case 'f':
539 case 'F':
540 forceSearch = true;
541 break;
542 case 'x':
543 case 'X':
544 TrType = TT_VSDC;
545 break;
546 case 'v':
547 case 'V':
548 TrType = TT_QVSDCMCHIP;
549 break;
550 case 'c':
551 case 'C':
552 TrType = TT_CDA;
553 break;
554 case 'g':
555 case 'G':
556 GenACGPO = true;
557 break;
558 default:
559 PrintAndLog("Unknown parameter '%c'", param_getchar_indx(cmd, 1, cmdp));
560 return 1;
561 }
562 cmdp++;
563 }
564
565
566 // init applets list tree
567 const char *al = "Applets list";
568 tlvSelect = tlvdb_fixed(1, strlen(al), (const unsigned char *)al);
569
570 // Application Selection
571 // https://www.openscdp.org/scripts/tutorial/emv/applicationselection.html
572 if (!forceSearch) {
573 // PPSE
574 PrintAndLog("\n* PPSE.");
575 SetAPDULogging(showAPDU);
576 res = EMVSearchPSE(activateField, true, decodeTLV, tlvSelect);
577
578 // check PPSE and select application id
579 if (!res) {
580 TLVPrintAIDlistFromSelectTLV(tlvSelect);
581 EMVSelectApplication(tlvSelect, AID, &AIDlen);
582 }
583 }
584
585 // Search
586 if (!AIDlen) {
587 PrintAndLog("\n* Search AID in list.");
588 SetAPDULogging(false);
589 if (EMVSearch(activateField, true, decodeTLV, tlvSelect)) {
590 dreturn(2);
591 }
592
593 // check search and select application id
594 TLVPrintAIDlistFromSelectTLV(tlvSelect);
595 EMVSelectApplication(tlvSelect, AID, &AIDlen);
596 }
597
598 // Init TLV tree
599 const char *alr = "Root terminal TLV tree";
600 tlvRoot = tlvdb_fixed(1, strlen(alr), (const unsigned char *)alr);
601
602 // check if we found EMV application on card
603 if (!AIDlen) {
604 PrintAndLog("Can't select AID. EMV AID not found");
605 dreturn(2);
606 }
607
608 // Select
609 PrintAndLog("\n* Selecting AID:%s", sprint_hex_inrow(AID, AIDlen));
610 SetAPDULogging(showAPDU);
611 res = EMVSelect(false, true, AID, AIDlen, buf, sizeof(buf), &len, &sw, tlvRoot);
612
613 if (res) {
614 PrintAndLog("Can't select AID (%d). Exit...", res);
615 dreturn(3);
616 }
617
618 if (decodeTLV)
619 TLVPrintFromBuffer(buf, len);
620 PrintAndLog("* Selected.");
621
622 PrintAndLog("\n* Init transaction parameters.");
623
624 //9F66:(Terminal Transaction Qualifiers (TTQ)) len:4
625 char *qVSDC = "\x26\x00\x00\x00";
626 if (GenACGPO) {
627 qVSDC = "\x26\x80\x00\x00";
628 }
629 switch(TrType) {
630 case TT_MSD:
631 TLV_ADD(0x9F66, "\x86\x00\x00\x00"); // MSD
632 break;
633 // not standard for contactless. just for test.
634 case TT_VSDC:
635 TLV_ADD(0x9F66, "\x46\x00\x00\x00"); // VSDC
636 break;
637 case TT_QVSDCMCHIP:
638 TLV_ADD(0x9F66, qVSDC); // qVSDC
639 break;
640 case TT_CDA:
641 TLV_ADD(0x9F66, qVSDC); // qVSDC (VISA CDA not enabled)
642 break;
643 default:
644 TLV_ADD(0x9F66, "\x26\x00\x00\x00"); // qVSDC
645 break;
646 }
647
648 //9F02:(Amount, authorized (Numeric)) len:6
649 TLV_ADD(0x9F02, "\x00\x00\x00\x00\x01\x00");
650 //9F1A:(Terminal Country Code) len:2
651 TLV_ADD(0x9F1A, "ru");
652 //5F2A:(Transaction Currency Code) len:2
653 // USD 840, EUR 978, RUR 810, RUB 643, RUR 810(old), UAH 980, AZN 031, n/a 999
654 TLV_ADD(0x5F2A, "\x09\x80");
655 //9A:(Transaction Date) len:3
656 TLV_ADD(0x9A, "\x00\x00\x00");
657 //9C:(Transaction Type) len:1 | 00 => Goods and service #01 => Cash
658 TLV_ADD(0x9C, "\x00");
659 // 9F37 Unpredictable Number len:4
660 TLV_ADD(0x9F37, "\x01\x02\x03\x04");
661 // 9F6A Unpredictable Number (MSD for UDOL) len:4
662 TLV_ADD(0x9F6A, "\x01\x02\x03\x04");
663
664 TLVPrintFromTLV(tlvRoot); // TODO delete!!!
665
666 PrintAndLog("\n* Calc PDOL.");
667 pdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x9f38, NULL), tlvRoot, 0x83);
668 if (!pdol_data_tlv){
669 PrintAndLog("ERROR: can't create PDOL TLV.");
670 dreturn(4);
671 }
672
673 size_t pdol_data_tlv_data_len;
674 unsigned char *pdol_data_tlv_data = tlv_encode(pdol_data_tlv, &pdol_data_tlv_data_len);
675 if (!pdol_data_tlv_data) {
676 PrintAndLog("ERROR: can't create PDOL data.");
677 dreturn(4);
678 }
679 PrintAndLog("PDOL data[%d]: %s", pdol_data_tlv_data_len, sprint_hex(pdol_data_tlv_data, pdol_data_tlv_data_len));
680
681 PrintAndLog("\n* GPO.");
682 res = EMVGPO(true, pdol_data_tlv_data, pdol_data_tlv_data_len, buf, sizeof(buf), &len, &sw, tlvRoot);
683
684 free(pdol_data_tlv_data);
685 //free(pdol_data_tlv); --- free on exit.
686
687 if (res) {
688 PrintAndLog("GPO error(%d): %4x. Exit...", res, sw);
689 dreturn(5);
690 }
691
692 // process response template format 1 [id:80 2b AIP + x4b AFL] and format 2 [id:77 TLV]
693 if (buf[0] == 0x80) {
694 if (decodeTLV){
695 PrintAndLog("GPO response format1:");
696 TLVPrintFromBuffer(buf, len);
697 }
698
699 if (len < 4 || (len - 4) % 4) {
700 PrintAndLog("ERROR: GPO response format1 parsing error. length=%d", len);
701 } else {
702 // AIP
703 struct tlvdb * f1AIP = tlvdb_fixed(0x82, 2, buf + 2);
704 tlvdb_add(tlvRoot, f1AIP);
705 if (decodeTLV){
706 PrintAndLog("\n* * Decode response format 1 (0x80) AIP and AFL:");
707 TLVPrintFromTLV(f1AIP);
708 }
709
710 // AFL
711 struct tlvdb * f1AFL = tlvdb_fixed(0x94, len - 4, buf + 2 + 2);
712 tlvdb_add(tlvRoot, f1AFL);
713 if (decodeTLV)
714 TLVPrintFromTLV(f1AFL);
715 }
716 } else {
717 if (decodeTLV)
718 TLVPrintFromBuffer(buf, len);
719 }
720
721 // extract PAN from track2
722 {
723 const struct tlv *track2 = tlvdb_get(tlvRoot, 0x57, NULL);
724 if (!tlvdb_get(tlvRoot, 0x5a, NULL) && track2 && track2->len >= 8) {
725 struct tlvdb *pan = GetPANFromTrack2(track2);
726 if (pan) {
727 tlvdb_add(tlvRoot, pan);
728
729 const struct tlv *pantlv = tlvdb_get(tlvRoot, 0x5a, NULL);
730 PrintAndLog("\n* * Extracted PAN from track2: %s", sprint_hex(pantlv->value, pantlv->len));
731 } else {
732 PrintAndLog("\n* * WARNING: Can't extract PAN from track2.");
733 }
734 }
735 }
736
737 PrintAndLog("\n* Read records from AFL.");
738 const struct tlv *AFL = tlvdb_get(tlvRoot, 0x94, NULL);
739 if (!AFL || !AFL->len) {
740 PrintAndLog("WARNING: AFL not found.");
741 }
742
743 while(AFL && AFL->len) {
744 if (AFL->len % 4) {
745 PrintAndLog("ERROR: Wrong AFL length: %d", AFL->len);
746 break;
747 }
748
749 for (int i = 0; i < AFL->len / 4; i++) {
750 uint8_t SFI = AFL->value[i * 4 + 0] >> 3;
751 uint8_t SFIstart = AFL->value[i * 4 + 1];
752 uint8_t SFIend = AFL->value[i * 4 + 2];
753 uint8_t SFIoffline = AFL->value[i * 4 + 3];
754
755 PrintAndLog("* * SFI[%02x] start:%02x end:%02x offline:%02x", SFI, SFIstart, SFIend, SFIoffline);
756 if (SFI == 0 || SFI == 31 || SFIstart == 0 || SFIstart > SFIend) {
757 PrintAndLog("SFI ERROR! Skipped...");
758 continue;
759 }
760
761 for(int n = SFIstart; n <= SFIend; n++) {
762 PrintAndLog("* * * SFI[%02x] %d", SFI, n);
763
764 res = EMVReadRecord(true, SFI, n, buf, sizeof(buf), &len, &sw, tlvRoot);
765 if (res) {
766 PrintAndLog("ERROR SFI[%02x]. APDU error %4x", SFI, sw);
767 continue;
768 }
769
770 if (decodeTLV) {
771 TLVPrintFromBuffer(buf, len);
772 PrintAndLog("");
773 }
774
775 // Build Input list for Offline Data Authentication
776 // EMV 4.3 book3 10.3, page 96
777 if (SFIoffline) {
778 if (SFI < 11) {
779 const unsigned char *abuf = buf;
780 size_t elmlen = len;
781 struct tlv e;
782 if (tlv_parse_tl(&abuf, &elmlen, &e)) {
783 memcpy(&ODAiList[ODAiListLen], &buf[len - elmlen], elmlen);
784 ODAiListLen += elmlen;
785 } else {
786 PrintAndLog("ERROR SFI[%02x]. Creating input list for Offline Data Authentication error.", SFI);
787 }
788 } else {
789 memcpy(&ODAiList[ODAiListLen], buf, len);
790 ODAiListLen += len;
791 }
792 }
793 }
794 }
795
796 break;
797 }
798
799 // copy Input list for Offline Data Authentication
800 if (ODAiListLen) {
801 struct tlvdb *oda = tlvdb_fixed(0x21, ODAiListLen, ODAiList); // not a standard tag
802 tlvdb_add(tlvRoot, oda);
803 PrintAndLog("* Input list for Offline Data Authentication added to TLV. len=%d \n", ODAiListLen);
804 }
805
806 // get AIP
807 const struct tlv *AIPtlv = tlvdb_get(tlvRoot, 0x82, NULL);
808 uint16_t AIP = AIPtlv->value[0] + AIPtlv->value[1] * 0x100;
809 PrintAndLog("* * AIP=%04x", AIP);
810
811 // SDA
812 if (AIP & 0x0040) {
813 PrintAndLog("\n* SDA");
814 trSDA(tlvRoot);
815 }
816
817 // DDA
818 if (AIP & 0x0020) {
819 PrintAndLog("\n* DDA");
820 trDDA(decodeTLV, tlvRoot);
821 }
822
823 // transaction check
824
825 // qVSDC
826 if (TrType == TT_QVSDCMCHIP|| TrType == TT_CDA){
827 // 9F26: Application Cryptogram
828 const struct tlv *AC = tlvdb_get(tlvRoot, 0x9F26, NULL);
829 if (AC) {
830 PrintAndLog("\n--> qVSDC transaction.");
831 PrintAndLog("* AC path");
832
833 // 9F36: Application Transaction Counter (ATC)
834 const struct tlv *ATC = tlvdb_get(tlvRoot, 0x9F36, NULL);
835 if (ATC) {
836
837 // 9F10: Issuer Application Data - optional
838 const struct tlv *IAD = tlvdb_get(tlvRoot, 0x9F10, NULL);
839
840 // print AC data
841 PrintAndLog("ATC: %s", sprint_hex(ATC->value, ATC->len));
842 PrintAndLog("AC: %s", sprint_hex(AC->value, AC->len));
843 if (IAD){
844 PrintAndLog("IAD: %s", sprint_hex(IAD->value, IAD->len));
845
846 if (IAD->len >= IAD->value[0] + 1) {
847 PrintAndLog("\tKey index: 0x%02x", IAD->value[1]);
848 PrintAndLog("\tCrypto ver: 0x%02x(%03d)", IAD->value[2], IAD->value[2]);
849 PrintAndLog("\tCVR:", sprint_hex(&IAD->value[3], IAD->value[0] - 2));
850 struct tlvdb * cvr = tlvdb_fixed(0x20, IAD->value[0] - 2, &IAD->value[3]);
851 TLVPrintFromTLVLev(cvr, 1);
852 }
853 } else {
854 PrintAndLog("WARNING: IAD not found.");
855 }
856
857 } else {
858 PrintAndLog("ERROR AC: Application Transaction Counter (ATC) not found.");
859 }
860 }
861 }
862
863 // Mastercard M/CHIP
864 if (GetCardPSVendor(AID, AIDlen) == CV_MASTERCARD && (TrType == TT_QVSDCMCHIP || TrType == TT_CDA)){
865 const struct tlv *CDOL1 = tlvdb_get(tlvRoot, 0x8c, NULL);
866 if (CDOL1 && GetCardPSVendor(AID, AIDlen) == CV_MASTERCARD) { // and m/chip transaction flag
867 PrintAndLog("\n--> Mastercard M/Chip transaction.");
868
869 PrintAndLog("* * Generate challenge");
870 res = EMVGenerateChallenge(true, buf, sizeof(buf), &len, &sw, tlvRoot);
871 if (res) {
872 PrintAndLog("ERROR GetChallenge. APDU error %4x", sw);
873 dreturn(6);
874 }
875 if (len < 4) {
876 PrintAndLog("ERROR GetChallenge. Wrong challenge length %d", len);
877 dreturn(6);
878 }
879
880 // ICC Dynamic Number
881 struct tlvdb * ICCDynN = tlvdb_fixed(0x9f4c, len, buf);
882 tlvdb_add(tlvRoot, ICCDynN);
883 if (decodeTLV){
884 PrintAndLog("\n* * ICC Dynamic Number:");
885 TLVPrintFromTLV(ICCDynN);
886 }
887
888 PrintAndLog("* * Calc CDOL1");
889 struct tlv *cdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x8c, NULL), tlvRoot, 0x01); // 0x01 - dummy tag
890 if (!cdol_data_tlv){
891 PrintAndLog("ERROR: can't create CDOL1 TLV.");
892 dreturn(6);
893 }
894 PrintAndLog("CDOL1 data[%d]: %s", cdol_data_tlv->len, sprint_hex(cdol_data_tlv->value, cdol_data_tlv->len));
895
896 PrintAndLog("* * AC1");
897 // EMVAC_TC + EMVAC_CDAREQ --- to get SDAD
898 res = EMVAC(true, (TrType == TT_CDA) ? EMVAC_TC + EMVAC_CDAREQ : EMVAC_TC, (uint8_t *)cdol_data_tlv->value, cdol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
899
900 if (res) {
901 PrintAndLog("AC1 error(%d): %4x. Exit...", res, sw);
902 dreturn(7);
903 }
904
905 if (decodeTLV)
906 TLVPrintFromBuffer(buf, len);
907
908 // CDA
909 PrintAndLog("\n* CDA:");
910 struct tlvdb *ac_tlv = tlvdb_parse_multi(buf, len);
911 res = trCDA(tlvRoot, ac_tlv, pdol_data_tlv, cdol_data_tlv);
912 if (res) {
913 PrintAndLog("CDA error (%d)", res);
914 }
915 free(ac_tlv);
916 free(cdol_data_tlv);
917
918 PrintAndLog("\n* M/Chip transaction result:");
919 // 9F27: Cryptogram Information Data (CID)
920 const struct tlv *CID = tlvdb_get(tlvRoot, 0x9F27, NULL);
921 if (CID) {
922 emv_tag_dump(CID, stdout, 0);
923 PrintAndLog("------------------------------");
924 if (CID->len > 0) {
925 switch(CID->value[0] & EMVAC_AC_MASK){
926 case EMVAC_AAC:
927 PrintAndLog("Transaction DECLINED.");
928 break;
929 case EMVAC_TC:
930 PrintAndLog("Transaction approved OFFLINE.");
931 break;
932 case EMVAC_ARQC:
933 PrintAndLog("Transaction approved ONLINE.");
934 break;
935 default:
936 PrintAndLog("ERROR: CID transaction code error %2x", CID->value[0] & EMVAC_AC_MASK);
937 break;
938 }
939 } else {
940 PrintAndLog("ERROR: Wrong CID length %d", CID->len);
941 }
942 } else {
943 PrintAndLog("ERROR: CID(9F27) not found.");
944 }
945
946 }
947 }
948
949 // MSD
950 if (AIP & 0x8000 && TrType == TT_MSD) {
951 PrintAndLog("\n--> MSD transaction.");
952
953 PrintAndLog("* MSD dCVV path. Check dCVV");
954
955 const struct tlv *track2 = tlvdb_get(tlvRoot, 0x57, NULL);
956 if (track2) {
957 PrintAndLog("Track2: %s", sprint_hex(track2->value, track2->len));
958
959 struct tlvdb *dCVV = GetdCVVRawFromTrack2(track2);
960 PrintAndLog("dCVV raw data:");
961 TLVPrintFromTLV(dCVV);
962
963 if (GetCardPSVendor(AID, AIDlen) == CV_MASTERCARD) {
964 PrintAndLog("\n* Mastercard calculate UDOL");
965
966 // UDOL (9F69)
967 const struct tlv *UDOL = tlvdb_get(tlvRoot, 0x9F69, NULL);
968 // UDOL(9F69) default: 9F6A (Unpredictable number) 4 bytes
969 const struct tlv defUDOL = {
970 .tag = 0x01,
971 .len = 3,
972 .value = (uint8_t *)"\x9f\x6a\x04",
973 };
974 if (!UDOL)
975 PrintAndLog("Use default UDOL.");
976
977 struct tlv *udol_data_tlv = dol_process(UDOL ? UDOL : &defUDOL, tlvRoot, 0x01); // 0x01 - dummy tag
978 if (!udol_data_tlv){
979 PrintAndLog("ERROR: can't create UDOL TLV.");
980 dreturn(8);
981 }
982
983 PrintAndLog("UDOL data[%d]: %s", udol_data_tlv->len, sprint_hex(udol_data_tlv->value, udol_data_tlv->len));
984
985 PrintAndLog("\n* Mastercard compute cryptographic checksum(UDOL)");
986
987 res = MSCComputeCryptoChecksum(true, (uint8_t *)udol_data_tlv->value, udol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
988 if (res) {
989 PrintAndLog("ERROR Compute Crypto Checksum. APDU error %4x", sw);
990 free(udol_data_tlv);
991 dreturn(9);
992 }
993
994 if (decodeTLV) {
995 TLVPrintFromBuffer(buf, len);
996 PrintAndLog("");
997 }
998 free(udol_data_tlv);
999
1000 }
1001 } else {
1002 PrintAndLog("ERROR MSD: Track2 data not found.");
1003 }
1004 }
1005
1006 // DropField
1007 DropField();
1008
1009 // Destroy TLV's
1010 free(pdol_data_tlv);
1011 tlvdb_free(tlvSelect);
1012 tlvdb_free(tlvRoot);
1013
1014 PrintAndLog("\n* Transaction completed.");
1015
1016 return 0;
1017 }
1018
1019 int CmdHFEMVTest(const char *cmd) {
1020 return ExecuteCryptoTests(true);
1021 }
1022
1023 int CmdHelp(const char *Cmd);
1024 static command_t CommandTable[] = {
1025 {"help", CmdHelp, 1, "This help"},
1026 {"exec", CmdHFEMVExec, 0, "Executes EMV contactless transaction."},
1027 {"pse", CmdHFEMVPPSE, 0, "Execute PPSE. It selects 2PAY.SYS.DDF01 or 1PAY.SYS.DDF01 directory."},
1028 {"search", CmdHFEMVSearch, 0, "Try to select all applets from applets list and print installed applets."},
1029 {"select", CmdHFEMVSelect, 0, "Select applet."},
1030 {"gpo", CmdHFEMVGPO, 0, "Execute GetProcessingOptions."},
1031 {"readrec", CmdHFEMVReadRecord, 0, "Read files from card."},
1032 {"genac", CmdHFEMVAC, 0, "Generate ApplicationCryptogram."},
1033 {"challenge", CmdHFEMVGenerateChallenge, 0, "Generate challenge."},
1034 {"intauth", CmdHFEMVInternalAuthenticate, 0, "Internal authentication."},
1035 {"test", CmdHFEMVTest, 0, "Crypto logic test."},
1036 {NULL, NULL, 0, NULL}
1037 };
1038
1039 int CmdHFEMV(const char *Cmd) {
1040 CmdsParse(CommandTable, Cmd);
1041 return 0;
1042 }
1043
1044 int CmdHelp(const char *Cmd) {
1045 CmdsHelp(CommandTable);
1046 return 0;
1047 }
Impressum, Datenschutz