1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2018 iceman
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Proxmark3 RDV40 Smartcard module commands
9 //-----------------------------------------------------------------------------
10 #include "cmdsmartcard.h"
11
12 #include <ctype.h>
13
14 #include "ui.h"
15 #include "cmdparser.h"
16 #include "util.h"
17 #include "smartcard.h"
18 #include "comms.h"
19 #include "protocols.h"
20 #include "cmdhf.h" // CmdHFlist
21 #include "emv/apduinfo.h" // APDUcode description
22 #include "emv/emvcore.h" // decodeTVL
23
24
25 static int CmdHelp(const char *Cmd);
26
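/**
 * Print the help text for `sc raw`.
 *
 * The synopsis line lists the flags that CmdSmartRaw() actually parses
 * (h, r, a, s, t); the previous text advertised a `c` flag that the parser
 * rejects as an unknown parameter.
 *
 * @return always 0
 */
static int usage_sm_raw(void) {
    PrintAndLogEx(NORMAL, "Usage: sc raw [h|r|a|s|t] d <0A 0B 0C ... hex>");
    PrintAndLogEx(NORMAL, " h : this help");
    PrintAndLogEx(NORMAL, " r : do not read response");
    PrintAndLogEx(NORMAL, " a : active smartcard without select");
    PrintAndLogEx(NORMAL, " s : active smartcard with select");
    PrintAndLogEx(NORMAL, " t : executes TLV decoder if it possible");
    PrintAndLogEx(NORMAL, " d <bytes> : bytes to send");
    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(NORMAL, "Examples:");
    PrintAndLogEx(NORMAL, " sc raw d 00a404000e315041592e5359532e444446303100 - `1PAY.SYS.DDF01` PPSE directory");
    PrintAndLogEx(NORMAL, " sc raw d 00a404000e325041592e5359532e444446303100 - `2PAY.SYS.DDF01` PPSE directory");
    return 0;
}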
41
/**
 * Print the help text for `sc reader`.
 *
 * @return always 0
 */
static int usage_sm_reader(void) {
    static const char *const help_lines[] = {
        "Usage: sc reader [h|s]",
        " h : this help",
        " s : silent (no messages)",
        "",
        "Examples:",
        " sc reader",
    };

    /* Each line goes through "%s" so the table is never used as a format string. */
    for (size_t i = 0; i < sizeof(help_lines) / sizeof(help_lines[0]); i++) {
        PrintAndLogEx(NORMAL, "%s", help_lines[i]);
    }
    return 0;
}
51
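/**
 * Print the help text for `sc info`.
 *
 * The synopsis now reads `sc info`, matching the example line below it and
 * every other command in this module; it previously said `s info`.
 *
 * @return always 0
 */
static int usage_sm_info(void) {
    PrintAndLogEx(NORMAL, "Usage: sc info [h|s]");
    PrintAndLogEx(NORMAL, " h : this help");
    PrintAndLogEx(NORMAL, " s : silent (no messages)");
    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(NORMAL, "Examples:");
    PrintAndLogEx(NORMAL, " sc info");
    return 0;
}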
61
/**
 * Print the help text for `sc upgrade`.
 *
 * @return always 0
 */
static int usage_sm_upgrade(void) {
    static const char *const help_lines[] = {
        "Upgrade firmware",
        "Usage: sc upgrade f <file name>",
        " h : this help",
        " f <filename> : firmware file name",
        "",
        "Examples:",
        " sc upgrade f myfile",
    };

    /* Each line goes through "%s" so the table is never used as a format string. */
    for (size_t i = 0; i < sizeof(help_lines) / sizeof(help_lines[0]); i++) {
        PrintAndLogEx(NORMAL, "%s", help_lines[i]);
    }
    return 0;
}
72
/**
 * Print the help text for `sc setclock`.
 *
 * @return always 0
 */
static int usage_sm_setclock(void) {
    static const char *const help_lines[] = {
        "Usage: sc setclock [h] c <clockspeed>",
        " h : this help",
        " c <> : clockspeed (0 = 16mhz, 1=8mhz, 2=4mhz) ",
        "",
        "Examples:",
        " sc setclock c 2",
    };

    /* Each line goes through "%s" so the table is never used as a format string. */
    for (size_t i = 0; i < sizeof(help_lines) / sizeof(help_lines[0]); i++) {
        PrintAndLogEx(NORMAL, "%s", help_lines[i]);
    }
    return 0;
}
82
/**
 * Print the help text for `sc brute`.
 *
 * @return always 0
 */
static int usage_sm_brute(void) {
    static const char *const help_lines[] = {
        "Tries to bruteforce SFI, ",
        "Usage: sc brute [h]",
        " h : this help",
        "",
        "Examples:",
        " sc brute",
    };

    /* Each line goes through "%s" so the table is never used as a format string. */
    for (size_t i = 0; i < sizeof(help_lines) / sizeof(help_lines[0]); i++) {
        PrintAndLogEx(NORMAL, "%s", help_lines[i]);
    }
    return 0;
}
92
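/**
 * Ask the device for the card's ATR (CMD_SMART_ATR) and report whether the
 * card answered.
 *
 * @param silent  when true, print neither the failure warning nor the ATR
 * @return true if the device acknowledged within 2500 ms and the low byte
 *         of resp.arg[0] is non-zero; false otherwise
 */
static bool smart_select(bool silent) {
    UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
    clearCommandBuffer();
    SendCommand(&c);

    UsbCommand resp;
    if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500) || !(resp.arg[0] & 0xFF)) {
        if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
        return false;
    }

    if (!silent) {
        smart_card_atr_t card;
        memcpy(&card, resp.d.asBytes, sizeof(card));

        // atr_len arrives from the device inside the payload; cap it at the
        // storage available so a bogus length cannot make sprint_hex() read
        // past the struct.
        // NOTE(review): assumes `atr` is a fixed-size array member of
        // smart_card_atr_t - confirm against its declaration.
        size_t atr_len = card.atr_len;
        if (atr_len > sizeof(card.atr)) {
            atr_len = sizeof(card.atr);
        }

        PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, atr_len));
    }

    return true;
}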
118
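/**
 * Wait for the device's reply to a smart card command and copy its payload
 * into the caller's buffer.
 *
 * The byte count comes from the device (resp.arg[0]) and is treated as
 * untrusted: a count larger than the USB payload field is rejected before
 * any copy, because it would read past resp.d.asBytes and write past the
 * caller's buffer.
 *
 * @param data  destination buffer; the caller must provide room for a full
 *              USB payload (sizeof resp.d.asBytes)
 * @return number of bytes copied (> 0), -1 on timeout, -2 when the device
 *         reports an empty response, -3 when the reported length does not
 *         fit in the USB payload
 */
static int smart_wait(uint8_t *data) {
    UsbCommand resp;
    if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
        PrintAndLogEx(WARNING, "smart card response failed");
        return -1;
    }

    uint32_t len = resp.arg[0];
    if (!len) {
        PrintAndLogEx(WARNING, "smart card response failed");
        return -2;
    }
    if (len > sizeof(resp.d.asBytes)) {
        PrintAndLogEx(WARNING, "smart card response length out of range");
        return -3;
    }

    memcpy(data, resp.d.asBytes, len);
    // len is now known to be small, so the int conversions below are exact.
    PrintAndLogEx(SUCCESS, " %d | %s", (int)len, sprint_hex_inrow_ex(data, len, 32));

    if (len >= 2) {
        // The last two bytes are the status word SW1 SW2.
        PrintAndLogEx(SUCCESS, "%02X%02X | %s", data[len - 2], data[len - 1], GetAPDUCodeDescription(data[len - 2], data[len - 1]));
    }
    return (int)len;
}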
139
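/**
 * Read a card response and, when the status word says more data is waiting,
 * fetch that data with a follow-up ISO7816_GETSTATUS command.
 *
 * The status word is only inspected when smart_wait() delivered at least two
 * bytes. Previously a failed wait (negative return) or a one-byte reply was
 * used as an index, reading before the start of `data`.
 *
 * @param data  buffer that receives the response; must hold a full USB payload
 * @return length of the last response stored in `data`, or the negative
 *         error code from smart_wait()
 */
static int smart_response(uint8_t *data) {
    int datalen = smart_wait(data);
    if (datalen < 2) {
        // Error, or too short to carry SW1 SW2: nothing more to interpret.
        return datalen;
    }

    uint8_t sw1 = data[datalen - 2];
    if (sw1 != 0x61 && sw1 != 0x9F) {
        return datalen;
    }

    // With SW1 0x61 / 0x9F this code takes SW2 as the number of bytes to request.
    uint8_t len = data[datalen - 1];

    PrintAndLogEx(INFO, "Requesting response. len=0x%x", len);
    uint8_t getstatus[] = {ISO7816_GETSTATUS, 0x00, 0x00, len};
    UsbCommand cStatus = {CMD_SMART_RAW, {SC_RAW, sizeof(getstatus), 0}};
    memcpy(cStatus.d.asBytes, getstatus, sizeof(getstatus));
    clearCommandBuffer();
    SendCommand(&cStatus);

    return smart_wait(data);
}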
165
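/**
 * `sc raw`: send a raw APDU given as hex to the smart card and optionally
 * print / TLV-decode the answer.
 *
 * Options: h (help), r (do not read a response), a (connect), s (connect and
 * select), t (TLV-decode the response), d <hex> (bytes to send; consumes the
 * rest of the line).
 *
 * Changes in this version: the "Too many bytes" message passed a size_t to
 * "%d" (mismatched printf argument); and a failed second read after a 0x6C
 * retry is now reported with return code 2 like the first read.
 *
 * @param Cmd  argument string of the command
 * @return 0 on success (or after printing help), 1 on bad hex input or
 *         allocation failure, 2 when the card response could not be read
 */
int CmdSmartRaw(const char *Cmd) {
    int hexlen = 0;
    bool active = false;
    bool active_select = false;
    uint8_t cmdp = 0;
    bool errors = false, reply = true, decodeTLV = false, breakloop = false;
    uint8_t data[USB_CMD_DATA_SIZE] = {0x00};

    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
        switch (tolower(param_getchar(Cmd, cmdp))) {
        case 'h':
            return usage_sm_raw();
        case 'r':
            reply = false;
            cmdp++;
            break;
        case 'a':
            active = true;
            cmdp++;
            break;
        case 's':
            active_select = true;
            cmdp++;
            break;
        case 't':
            decodeTLV = true;
            cmdp++;
            break;
        case 'd': {
            // The parser is handed sizeof(data) as the limit, so hexlen
            // cannot exceed the buffer on the success path.
            switch (param_gethex_to_eol(Cmd, cmdp + 1, data, sizeof(data), &hexlen)) {
            case 1:
                PrintAndLogEx(WARNING, "Invalid HEX value.");
                return 1;
            case 2:
                PrintAndLogEx(WARNING, "Too many bytes. Max %d bytes", (int)sizeof(data));
                return 1;
            case 3:
                PrintAndLogEx(WARNING, "Hex must have even number of digits.");
                return 1;
            default:
                break;
            }
            cmdp++;
            // 'd' swallows the rest of the line, so option parsing stops here.
            breakloop = true;
            break;
        }
        default:
            PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
            errors = true;
            break;
        }

        if (breakloop)
            break;
    }

    // Validations
    if (errors || cmdp == 0) return usage_sm_raw();

    // arg0 = RFU flags
    // arg1 = length
    UsbCommand c = {CMD_SMART_RAW, {0, hexlen, 0}};

    if (active || active_select) {
        c.arg[0] |= SC_CONNECT;
        if (active_select)
            c.arg[0] |= SC_SELECT;
    }

    if (hexlen > 0) {
        c.arg[0] |= SC_RAW;
    }

    memcpy(c.d.asBytes, data, hexlen);
    clearCommandBuffer();
    SendCommand(&c);

    // reading response from smart card
    if (reply) {
        // Zero-filled and sized for a full USB payload, which is what
        // smart_response() may write.
        uint8_t *buf = calloc(USB_CMD_DATA_SIZE, sizeof(uint8_t));
        if (!buf)
            return 1;

        int len = smart_response(buf);
        if (len < 0) {
            free(buf);
            return 2;
        }

        // First byte 0x6C: resend the same command with byte 4 replaced by
        // the value the card returned in the following byte.
        if (buf[0] == 0x6C) {
            data[4] = buf[1];

            memcpy(c.d.asBytes, data, sizeof(data));
            clearCommandBuffer();
            SendCommand(&c);
            len = smart_response(buf);

            data[4] = 0;

            if (len < 0) {
                free(buf);
                return 2;
            }
        }

        if (decodeTLV && len > 4)
            TLVPrintFromBuffer(buf + 1, len - 3);

        free(buf);
    }
    return 0;
}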
272
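/**
 * Send one APDU to the smart card and return the card's answer.
 *
 * Both directions are now bounded. The outgoing APDU must fit in the USB
 * payload field, and the answer is staged in a payload-sized local buffer
 * and copied out only if it fits in `maxdataoutlen`. Previously `datainlen`
 * was copied unchecked and `maxdataoutlen` was never consulted, so a short
 * caller buffer could be overrun by a device-reported response length.
 *
 * @param datain         APDU bytes to send
 * @param datainlen      number of bytes in `datain`
 * @param activateCard   when true, select the card first and set SC_SELECT
 * @param leaveSignalON  not used by this function
 * @param dataout        receives the response
 * @param maxdataoutlen  capacity of `dataout` in bytes
 * @param dataoutlen     receives the response length; set to 0 on failure
 * @return 0 on success, 1 when `datainlen` is out of range, 2 when no
 *         response was received or it does not fit in `dataout`
 */
int ExchangeAPDUSC(uint8_t *datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
    *dataoutlen = 0;

    UsbCommand c = {CMD_SMART_RAW, {SC_RAW | SC_CONNECT, datainlen, 0}};
    if (datainlen < 0 || (size_t)datainlen > sizeof(c.d.asBytes)) {
        PrintAndLogEx(WARNING, "APDU length out of range");
        return 1;
    }

    if (activateCard)
        smart_select(false);
    printf("* APDU SC\n");

    if (activateCard) {
        c.arg[0] |= SC_SELECT;
    }
    memcpy(c.d.asBytes, datain, datainlen);
    clearCommandBuffer();
    SendCommand(&c);

    // smart_response() copies a device-reported number of bytes; staging in
    // a payload-sized buffer keeps a smaller caller buffer from being overrun.
    uint8_t rx[sizeof(c.d.asBytes)] = {0};
    int len = smart_response(rx);

    if (len < 0) {
        return 2;
    }
    if (len > maxdataoutlen) {
        PrintAndLogEx(WARNING, "APDU response does not fit the output buffer");
        return 2;
    }

    memcpy(dataout, rx, len);
    *dataoutlen = len;

    return 0;
}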
298
299
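/**
 * `sc upgrade f <file>`: upload a firmware image for the smart card socket
 * to the device in USB-payload-sized packets, then trigger the upgrade.
 *
 * Changes in this version: an empty file and a short read are now rejected
 * before anything is sent. Previously a truncated read was uploaded and the
 * upgrade triggered with however many bytes were read, including zero. The
 * fseek() results are checked as well.
 *
 * NOTE(review): the image is forwarded exactly as read; no checksum or
 * signature is verified in this function. Any integrity check has to happen
 * before this command or on the device.
 *
 * @param Cmd  argument string of the command
 * @return 0 once the upgrade command was acknowledged (the result is
 *         printed) or after printing help; 1 on file, memory or timeout
 *         errors
 */
int CmdSmartUpgrade(const char *Cmd) {

    PrintAndLogEx(WARNING, "WARNING - Smartcard socket firmware upgrade.");
    PrintAndLogEx(WARNING, "A dangerous command, do wrong and you will brick the smart card socket");

    FILE *f;
    char filename[FILE_PATH_SIZE] = {0};
    uint8_t cmdp = 0;
    bool errors = false;

    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
        switch (tolower(param_getchar(Cmd, cmdp))) {
        case 'f':
            // File handling and reading
            if (param_getstr(Cmd, cmdp + 1, filename, FILE_PATH_SIZE) >= FILE_PATH_SIZE) {
                PrintAndLogEx(FAILED, "Filename too long");
                errors = true;
                break;
            }
            cmdp += 2;
            break;
        case 'h':
            return usage_sm_upgrade();
        default:
            PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
            errors = true;
            break;
        }
    }

    // Validations
    if (errors || cmdp == 0) return usage_sm_upgrade();

    // load file
    f = fopen(filename, "rb");
    if (!f) {
        PrintAndLogEx(FAILED, "File: %s: not found or locked.", filename);
        return 1;
    }

    // get filesize in order to malloc memory
    long fsize = -1;
    if (fseek(f, 0, SEEK_END) == 0) {
        fsize = ftell(f);
    }
    if (fsize < 0 || fseek(f, 0, SEEK_SET) != 0) {
        PrintAndLogEx(WARNING, "error, when getting filesize");
        fclose(f);
        return 1;
    }
    if (fsize == 0) {
        // An empty image would otherwise reach the upgrade trigger with 0 bytes.
        PrintAndLogEx(WARNING, "error, firmware file is empty");
        fclose(f);
        return 1;
    }

    uint8_t *dump = calloc(fsize, sizeof(uint8_t));
    if (!dump) {
        PrintAndLogEx(WARNING, "error, cannot allocate memory ");
        fclose(f);
        return 1;
    }

    size_t bytes_read = fread(dump, 1, fsize, f);
    fclose(f);

    if (bytes_read != (size_t)fsize) {
        // Never flash a partially read image.
        PrintAndLogEx(WARNING, "error, could not read the whole file");
        free(dump);
        return 1;
    }

    PrintAndLogEx(SUCCESS, "Smartcard socket firmware uploading to PM3");
    // Send to device
    uint32_t index = 0;
    uint32_t bytes_sent = 0;
    uint32_t bytes_remaining = bytes_read;

    while (bytes_remaining > 0) {
        uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining);
        UsbCommand c = {CMD_SMART_UPLOAD, {index + bytes_sent, bytes_in_packet, 0}};

        // Fill usb bytes with 0xFF
        memset(c.d.asBytes, 0xFF, USB_CMD_DATA_SIZE);
        memcpy(c.d.asBytes, dump + bytes_sent, bytes_in_packet);
        clearCommandBuffer();
        SendCommand(&c);
        if (!WaitForResponseTimeout(CMD_ACK, NULL, 2000)) {
            PrintAndLogEx(WARNING, "timeout while waiting for reply.");
            free(dump);
            return 1;
        }

        bytes_remaining -= bytes_in_packet;
        bytes_sent += bytes_in_packet;
        printf(".");
        fflush(stdout);
    }
    free(dump);
    printf("\n");
    PrintAndLogEx(SUCCESS, "Smartcard socket firmware updating, don\'t turn off your PM3!");

    // trigger the firmware upgrade
    UsbCommand c = {CMD_SMART_UPGRADE, {bytes_read, 0, 0}};
    clearCommandBuffer();
    SendCommand(&c);
    UsbCommand resp;
    if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
        PrintAndLogEx(WARNING, "timeout while waiting for reply.");
        return 1;
    }
    if ((resp.arg[0] & 0xFF))
        PrintAndLogEx(SUCCESS, "Smartcard socket firmware upgraded successful");
    else
        PrintAndLogEx(FAILED, "Smartcard socket firmware updating failed");
    return 0;
}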
406
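/**
 * `sc info`: request the card's ATR and print it together with a lookup URL.
 *
 * Changes in this version: the device-supplied ATR length is capped at the
 * size of the ATR storage before the bytes are printed, and the label reads
 * "ISO7816-3" (it was "ISO76183"), matching the other ATR printouts in this
 * file.
 *
 * @param Cmd  argument string: h (help), s (suppress the failure warning)
 * @return 0 on success or after printing help, 1 when the card did not answer
 */
int CmdSmartInfo(const char *Cmd) {
    uint8_t cmdp = 0;
    bool errors = false, silent = false;

    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
        switch (tolower(param_getchar(Cmd, cmdp))) {
        case 'h':
            return usage_sm_info();
        case 's':
            silent = true;
            break;
        default:
            PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
            errors = true;
            break;
        }
        cmdp++;
    }

    // Validations
    if (errors) return usage_sm_info();

    UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
    clearCommandBuffer();
    SendCommand(&c);
    UsbCommand resp;
    if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
        if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
        return 1;
    }

    uint8_t isok = resp.arg[0] & 0xFF;
    if (!isok) {
        if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
        return 1;
    }

    smart_card_atr_t card;
    memcpy(&card, resp.d.asBytes, sizeof(card));

    // atr_len comes from the device; never let it exceed the ATR storage.
    // NOTE(review): assumes `atr` is a fixed-size array member of
    // smart_card_atr_t - confirm against its declaration.
    size_t atr_len = card.atr_len;
    if (atr_len > sizeof(card.atr)) {
        atr_len = sizeof(card.atr);
    }

    // print header
    PrintAndLogEx(INFO, "\n--- Smartcard Information ---------");
    PrintAndLogEx(INFO, "-------------------------------------------------------------");
    PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, atr_len));
    PrintAndLogEx(INFO, "look up ATR");
    // The URL is only printed for the user; this function makes no request.
    PrintAndLogEx(INFO, "http://smartcard-atr.appspot.com/parse?ATR=%s", sprint_hex_inrow(card.atr, atr_len));
    return 0;
}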
454
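/**
 * `sc reader`: request the card's ATR and print it.
 *
 * The device-supplied ATR length is now capped at the size of the ATR
 * storage before the bytes are formatted.
 *
 * @param Cmd  argument string: h (help), s (suppress the failure warning)
 * @return 0 on success or after printing help, 1 when the card did not answer
 */
int CmdSmartReader(const char *Cmd) {
    uint8_t cmdp = 0;
    bool errors = false, silent = false;

    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
        switch (tolower(param_getchar(Cmd, cmdp))) {
        case 'h':
            return usage_sm_reader();
        case 's':
            silent = true;
            break;
        default:
            PrintAndLogEx(WARNING, "Unknown parameter '%c'", param_getchar(Cmd, cmdp));
            errors = true;
            break;
        }
        cmdp++;
    }

    // Validations
    if (errors) return usage_sm_reader();

    UsbCommand c = {CMD_SMART_ATR, {0, 0, 0}};
    clearCommandBuffer();
    SendCommand(&c);
    UsbCommand resp;
    if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
        if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
        return 1;
    }

    uint8_t isok = resp.arg[0] & 0xFF;
    if (!isok) {
        if (!silent) PrintAndLogEx(WARNING, "smart card select failed");
        return 1;
    }

    smart_card_atr_t card;
    memcpy(&card, resp.d.asBytes, sizeof(card));

    // atr_len comes from the device; never let it exceed the ATR storage.
    // NOTE(review): assumes `atr` is a fixed-size array member of
    // smart_card_atr_t - confirm against its declaration.
    size_t atr_len = card.atr_len;
    if (atr_len > sizeof(card.atr)) {
        atr_len = sizeof(card.atr);
    }

    PrintAndLogEx(INFO, "ISO7816-3 ATR : %s", sprint_hex(card.atr, atr_len));
    return 0;
}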
496
/**
 * `sc setclock c <n>`: set the clock speed used for the smart card.
 *
 * Accepted values are 0, 1 and 2; anything larger prints the usage text.
 *
 * @param Cmd  argument string: h (help), c <0|1|2>
 * @return 0 on success or after printing help, 1 on timeout or when the
 *         device reports failure
 */
int CmdSmartSetClock(const char *Cmd) {
    static const char *const clock_msgs[] = {
        "Clock changed to 16mhz giving 10800 baudrate",
        "Clock changed to 8mhz giving 21600 baudrate",
        "Clock changed to 4mhz giving 86400 baudrate",
    };

    uint8_t cmdp = 0;
    uint8_t clock = 0;
    bool errors = false;

    for (char opt; (opt = param_getchar(Cmd, cmdp)) != 0x00 && !errors;) {
        switch (tolower(opt)) {
        case 'h':
            return usage_sm_setclock();
        case 'c':
            // Value is parsed in base 10; 2 is passed as the helper's default.
            clock = param_get8ex(Cmd, cmdp + 1, 2, 10);
            errors = errors || (clock > 2);
            cmdp += 2;
            break;
        default:
            PrintAndLogEx(WARNING, "Unknown parameter '%c'", opt);
            errors = true;
            break;
        }
    }

    // Validations
    if (cmdp == 0 || errors) {
        return usage_sm_setclock();
    }

    UsbCommand c = {CMD_SMART_SETCLOCK, {clock, 0, 0}};
    clearCommandBuffer();
    SendCommand(&c);

    UsbCommand resp;
    if (!WaitForResponseTimeout(CMD_ACK, &resp, 2500)) {
        PrintAndLogEx(WARNING, "smart card select failed");
        return 1;
    }

    if ((resp.arg[0] & 0xFF) == 0) {
        PrintAndLogEx(WARNING, "smart card set clock failed");
        return 1;
    }

    // One confirmation line per known setting; other values print nothing.
    if (clock < sizeof(clock_msgs) / sizeof(clock_msgs[0])) {
        PrintAndLogEx(SUCCESS, "%s", clock_msgs[clock]);
    }
    return 0;
}
551
/**
 * `sc list`: show the recorded ISO 7816 history by delegating to
 * CmdHFList() with the "7816" argument.
 *
 * @param Cmd  ignored
 * @return always 0
 */
int CmdSmartList(const char *Cmd) {
    (void)Cmd; // this command takes no options

    CmdHFList("7816");
    return 0;
}
556
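/**
 * `sc brute`: after selecting the card and two fixed AIDs, send the 0xB2
 * command for i = 1..3 and p1 = 1..4 (P1 = p1, P2 = (i << 3) + 4) and
 * TLV-decode whatever comes back.
 *
 * Changes in this version:
 *  - the response buffer is zero-initialised (it was read before first being
 *    written when the first response failed);
 *  - response lengths are kept as int. They were narrowed to uint8_t, which
 *    turned the error code -1 into 255 and sent a failed read to the TLV
 *    decoder;
 *  - a response is only inspected when smart_response() delivered data.
 *
 * @param Cmd  argument string; only h (help) is recognised
 * @return 0 when the sweep finished or after printing help, 1 when the card
 *         could not be selected or memory could not be allocated
 */
int CmdSmartBruteforceSFI(const char *Cmd) {

    char ctmp = tolower(param_getchar(Cmd, 0));
    if (ctmp == 'h') return usage_sm_brute();

    uint8_t data[5] = {0x00, 0xB2, 0x00, 0x00, 0x00};

    PrintAndLogEx(INFO, "Selecting card");
    if (!smart_select(false)) {
        return 1;
    }

    PrintAndLogEx(INFO, "Selecting PPSE aid");
    // Return values are not checked: the sweep runs even if a select fails.
    CmdSmartRaw("d 00a404000e325041592e5359532e444446303100");
    CmdSmartRaw("d 00a4040007a000000004101000");

    PrintAndLogEx(INFO, "starting");

    UsbCommand c = {CMD_SMART_RAW, {SC_RAW, sizeof(data), 0}};
    // Payload-sized and zero-filled: smart_response() may write a full USB
    // payload, and stale bytes must not be mistaken for a status word.
    uint8_t *buf = calloc(USB_CMD_DATA_SIZE, sizeof(uint8_t));
    if (!buf)
        return 1;

    for (uint8_t i = 1; i < 4; i++) {
        for (int p1 = 1; p1 < 5; p1++) {

            data[2] = p1;
            data[3] = (i << 3) + 4;

            memcpy(c.d.asBytes, data, sizeof(data));
            clearCommandBuffer();
            SendCommand(&c);

            int len = smart_response(buf);

            // First byte 0x6C: resend with byte 4 set to the value the card
            // returned in the following byte.
            if (len >= 2 && buf[0] == 0x6C) {
                data[4] = buf[1];

                memcpy(c.d.asBytes, data, sizeof(data));
                clearCommandBuffer();
                SendCommand(&c);
                len = smart_response(buf);

                // TLV decoder
                if (len > 4)
                    TLVPrintFromBuffer(buf + 1, len - 3);

                data[4] = 0;
            }
            memset(buf, 0x00, USB_CMD_DATA_SIZE);
        }
    }
    free(buf);
    return 0;
}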
613
/*
 * Dispatch table for the `sc` sub-commands, used by CmdSmartcard() and
 * CmdHelp(). Each row is: name, handler, flag, help text. The all-NULL row
 * ends the table.
 * NOTE(review): the meaning of the third field (0 only for "list") is
 * defined by command_t elsewhere - confirm before changing it.
 */
static command_t CommandTable[] = {
    {"help",     CmdHelp,               1, "This help"},
    {"list",     CmdSmartList,          0, "List ISO 7816 history"},
    {"info",     CmdSmartInfo,          1, "Tag information"},
    {"reader",   CmdSmartReader,        1, "Act like an IS07816 reader"},
    {"raw",      CmdSmartRaw,           1, "Send raw hex data to tag"},
    {"upgrade",  CmdSmartUpgrade,       1, "Upgrade firmware"},
    {"setclock", CmdSmartSetClock,      1, "Set clock speed"},
    {"brute",    CmdSmartBruteforceSFI, 1, "Bruteforce SFI"},
    {NULL,       NULL,                  0, NULL}
};
625
/**
 * Entry point for the `sc` command group: clears the command buffer and
 * hands the argument string to the parser together with CommandTable.
 *
 * @param Cmd  sub-command and its arguments
 * @return always 0; the parser's result is not propagated
 */
int CmdSmartcard(const char *Cmd) {
    clearCommandBuffer();

    CmdsParse(CommandTable, Cmd);

    return 0;
}
631
/**
 * `sc help`: print the help entries of CommandTable.
 *
 * @param Cmd  ignored
 * @return always 0
 */
int CmdHelp(const char *Cmd) {
    (void)Cmd; // help takes no options

    CmdsHelp(CommandTable);
    return 0;
}