1 #include "mifaredesfire.h"
/* Sizing constants for the DESFire command layer. None of them is
 * referenced by a function visible in this listing; they are presumably
 * used by code outside it (or by the commented-out __msg/__res buffers). */
#define MAX_APPLICATION_COUNT 28
#define MAX_FILE_COUNT 16
#define MAX_FRAME_SIZE 60
#define NOT_YET_AUTHENTICATED 255
/* Payload bytes left in a MAX_FRAME_SIZE frame after 5 bytes of framing -
 * presumably PCB, CID, CMD (see the "PCB CID CMD PAYLOAD" note below) plus
 * the 2-byte CRC_A that AppendCrc14443a() adds. */
#define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5)
9 //static uint8_t __msg[MAX_FRAME_SIZE] = { 0x0A, 0x00, 0x00, /* ..., */ 0x00 };
10 /* PCB CID CMD PAYLOAD */
11 //static uint8_t __res[MAX_FRAME_SIZE];
/*
 * MifareDesfireGetInformation - dump a DESFire card's identity to the host.
 *
 * Selects the card, then issues GET_VERSION (three frames), GET_KEY_SETTINGS,
 * GET_KEY_VERSION and GET_FREE_MEMORY as raw ISO14443-4 I-blocks and packs
 * the payloads back-to-back into `dataout`:
 *   [0..6]    UID, 7 bytes, from the select response
 *   [7..27]   GET_VERSION frames 1-3 (7 + 7 + 14 bytes)
 *   [28..29]  GET_KEY_SETTINGS (2 bytes)
 *   [30]      GET_KEY_VERSION (1 byte)
 *   [31..33]  GET_FREE_MEMORY (3 bytes)
 * so RECV_CMD_SIZE must be at least 41. The whole buffer goes back with
 * cmd_send(CMD_ACK, 1, 0, 0, dataout, sizeof(dataout)).
 *
 * Frame layout of cmd1/cmd2: PCB, CID, command [, parameter], then two
 * bytes that AppendCrc14443a(cmd, n) overwrites with the CRC_A at cmd[n],
 * cmd[n+1]. Responses follow the same shape, so resp[2] is the DESFire
 * status byte and the payload starts at resp[3].
 *
 * NOTE(review): this listing is fragmentary - the original line numbering
 * jumps in several places. Not shown: the declaration of `len`, the bodies
 * of the error branches (select failure, status mismatch), the closing
 * brace. Gaps are marked inline; nothing in them has been reconstructed.
 */
void MifareDesfireGetInformation(){
	uint8_t resp[RECV_RES_SIZE];
	uint8_t dataout[RECV_CMD_SIZE];
	byte_t buf[RECV_RES_SIZE];
	memset(resp,0,sizeof(resp));
	memset(dataout,0, sizeof(dataout));
	memset(buf,0,sizeof(buf));
	/* [listing gap: original lines 24-31 not shown] */
	/* PCB == 0x0A because sending CID byte.
	   CID == 0x00 first card? */
	/* [listing gap: original lines 34-35 not shown] */
	uint8_t cmd1[] = {0x0a,0x00,GET_VERSION, 0x00, 0x00 };
	uint8_t cmd2[] = {0x0a,0x00,GET_KEY_VERSION, 0x00, 0x00, 0x00 };
	/* [listing gap: original lines 38-39 not shown] */
	iso14a_set_tracing(TRUE);
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
	// card select - information
	iso14a_card_select_t *card = (iso14a_card_select_t *)buf;
	byte_t isOK = iso14443a_select_card(NULL, card, NULL);
	/* [listing gap: original line 46 not shown - presumably `if (!isOK) {`] */
	if (MF_DBGLEVEL >= 1) {
		Dbprintf("Can't select card");
	/* [listing gap: original lines 49-54 not shown - rest of the select-failure branch] */
	// UID straight out of the select response.
	memcpy(dataout,card->uid,7);
	/* [listing gap: original lines 56-61 not shown] */
	// GET_VERSION, frame 1 of 3.
	// NOTE(review): `len` is never compared with the 3 + 7 bytes read below.
	// On a timeout ReaderReceive() leaves resp as the zeros from the memset
	// above, so the status test fires on 0x00 rather than on a real error.
	AppendCrc14443a(cmd1, 3);
	ReaderTransmit(cmd1, sizeof(cmd1), NULL);
	len = ReaderReceive(resp);
	if ( resp[2] != ADDITIONAL_FRAME) {
		print_result("ERROR <--: ", resp, len);
	/* [listing gap: original lines 67-70 not shown - rest of the error branch] */
	memcpy(dataout+7,resp+3,7);
	/* [listing gap: original lines 72-74 not shown] */
	// Frame 2 of 3: same frame, command byte replaced by ADDITIONAL_FRAME.
	cmd1[2] = ADDITIONAL_FRAME;
	AppendCrc14443a(cmd1, 3);
	ReaderTransmit(cmd1, sizeof(cmd1), NULL);
	len = ReaderReceive(resp);
	/* [listing gap: original line 79 not shown] */
	if ( resp[2] != ADDITIONAL_FRAME) {
		print_result("ERROR <--: ", resp, len);
	/* [listing gap: original lines 82-84 not shown] */
	memcpy(dataout+7+7,resp+3,7);
	/* [listing gap: original lines 86-88 not shown] */
	// Frame 3 of 3: cmd1[2] is still ADDITIONAL_FRAME; the last frame must
	// come back with OPERATION_OK and carries 14 bytes.
	AppendCrc14443a(cmd1, 3);
	ReaderTransmit(cmd1, sizeof(cmd1), NULL);
	len = ReaderReceive(resp);
	if ( resp[2] != OPERATION_OK) {
		print_result("ERROR <--: ", resp, len);
	/* [listing gap: original lines 94-97 not shown] */
	memcpy(dataout+7+7+7,resp+3,14);
	/* [listing gap: original line 99 not shown] */
	// GET MASTER KEYSETTINGS
	// NOTE(review): from here on no status check on resp[2] is visible
	// (lines 105, 107-109, 114, 116-118, 123 are missing); whatever the
	// card answered - or stale bytes from the previous exchange - is copied.
	cmd1[2] = GET_KEY_SETTINGS;
	AppendCrc14443a(cmd1, 3);
	ReaderTransmit(cmd1, sizeof(cmd1), NULL);
	len = ReaderReceive(resp);
	/* [listing gap: original line 105 not shown] */
	memcpy(dataout+7+7+7+14,resp+3,2);
	/* [listing gap: original lines 107-109 not shown] */
	// GET MASTER KEY VERSION
	// cmd2 carries one parameter byte (the key number, 0x00), hence CRC over 4.
	AppendCrc14443a(cmd2, 4);
	ReaderTransmit(cmd2, sizeof(cmd2), NULL);
	len = ReaderReceive(resp);
	/* [listing gap: original line 114 not shown] */
	memcpy(dataout+7+7+7+14+2,resp+3,1);
	/* [listing gap: original lines 116-118 not shown] */
	cmd1[2] = GET_FREE_MEMORY;
	AppendCrc14443a(cmd1, 3);
	ReaderTransmit(cmd1, sizeof(cmd1), NULL);
	len = ReaderReceive(resp);
	/* [listing gap: original line 123 not shown] */
	memcpy(dataout+7+7+7+14+2+1,resp+3,3);
	/* [listing gap: original lines 125-126 not shown] */
	// Reply to the host with the full buffer (zero-padded past byte 41).
	cmd_send(CMD_ACK,1,0,0,dataout,sizeof(dataout));
	/* [listing gap: original lines 128-130 not shown - end of function] */
/*
 * MifareDES_Auth1 - first half of a DESFire authentication, driven by the
 * host. Only the AES path (AUTHENTICATE_AES) is live in the visible code;
 * `mode`, `algo` and `keyno` are printed at debug level 1 but not otherwise
 * used by anything shown here.
 *
 *   datain[0]    key length
 *   datain[1..]  key bytes, copied into `key`
 *
 * Visible flow: select card -> AesCtxIni(key, KEY128, CBC) -> send
 * AUTHENTICATE_AES -> decrypt the 16-byte encrypted RndB from the card ->
 * encrypt RndA || RndB and send it back as an ADDITIONAL_FRAME.
 *
 * NOTE(review): fragmentary listing. Not shown: the declarations of `key`,
 * `resp`, `ctx`, `IV`, `real_cmd`, `nonce`, `encRndB`, `decRndB`, `both`,
 * `encBoth`, `isOK`, the error-branch bodies and the closing brace. Original
 * lines 133-145 call libfreefare host-side API (tags[i], freefare_perror,
 * EXIT_FAILURE) that does not exist in the firmware; with lines 132 and
 * 143-146 missing they are presumably inside a comment whose delimiters
 * are not shown.
 */
void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain){
	/* [listing gap: original line 132 not shown] */
	uint8_t null_key_data[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
	uint8_t new_key_data[8] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
	/* [listing gap: original lines 135-136 not shown] */
	// NOTE(review): libfreefare (host) API from here to `error = EXIT_FAILURE;`;
	// `res`, `tags`, `i`, `aid` and `error` are declared nowhere in the
	// visible code - see the header comment.
	MifareDESFireKey default_key = mifare_desfire_des_key_new_with_version (null_key_data);
	/* [listing gap: original line 138 not shown] */
	res = mifare_desfire_select_application (tags[i], aid);
	/* [listing gap: original line 140 not shown] */
	freefare_perror (tags[i], "mifare_desfire_select_application");
	error = EXIT_FAILURE;
	/* [listing gap: original lines 143-146 not shown] */
	// pcb cid cmd key crc1 cr2
	//uint8_t cmd2[] = {0x02,0x00,GET_KEY_VERSION, 0x00, 0x00, 0x00 };
	/* [listing gap: original line 149 not shown] */
	//uint8_t* bigbuffer = mifare_get_bigbufptr();
	/* [listing gap: original lines 151-155 not shown - `key` presumably declared here] */
	// The first byte holds the key length.
	// NOTE(review): `keylen` comes straight from the host message and is
	// used as the memcpy length with no upper bound visible here. `key` is
	// declared in a missing line, so its capacity cannot be checked from
	// this listing - confirm the copy is clamped to sizeof(key).
	uint8_t keylen = datain[0];
	memcpy(key, datain+1, keylen);
	/* [listing gap: original line 159 not shown] */
	if (MF_DBGLEVEL >= 1) {
		/* [listing gap: original line 161 not shown] */
		Dbprintf("MODE: %d", mode);
		Dbprintf("ALGO: %d", algo);
		Dbprintf("KEYNO: %d", keyno);
		Dbprintf("KEYLEN: %d", keylen);
		/* [listing gap: original line 166 not shown] */
		// Writes the key material itself to the debug console.
		print_result("KEY", key, keylen);
	/* [listing gap: original lines 168-169 not shown] */
	// card select - information
	byte_t buf[USB_CMD_DATA_SIZE];
	iso14a_card_select_t *card = (iso14a_card_select_t *)buf;
	/* [listing gap: original line 173 not shown] */
	// test of DES on ARM side.
	/* [listing gap: original lines 175-184 not shown - tmpData, tmpPlain,
	   plain, encData presumably declared here] */
	// NOTE(review): if this test block is live (it cannot be told from the
	// listing whether it sits in a comment or #if 0) it overwrites the `key`
	// copied above with datain[0..7] and reads 16 bytes from datain+30.
	memset(tmpData, 0 ,8);
	memset(tmpPlain,0 ,8);
	memcpy(key, datain, 8);
	memcpy(plain, datain+30, 16);
	/* [listing gap: original line 189 not shown] */
	for(uint8_t i=0; i< sizeof(plain); i=i+8 ){
		/* [listing gap: original line 191 not shown] */
		memcpy(tmpPlain, plain+i, 8);
		des_enc( &tmpData, &tmpPlain, &key);
		memcpy(encData+i, tmpData, 8);
	/* [listing gap: original lines 195-198 not shown] */
	iso14a_clear_trace();
	/* [listing gap: original line 200 not shown] */
	iso14a_set_tracing(TRUE);
	/* [listing gap: original line 202 not shown] */
	// power up the field
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
	/* [listing gap: original lines 205-206 not shown] */
	// Here the UID is written into `resp` (NULL in MifareDesfireGetInformation).
	isOK = iso14443a_select_card(resp, card, NULL);
	/* [listing gap: original line 208 not shown - presumably `if (!isOK) {`] */
	if (MF_DBGLEVEL >= 1) {
		Dbprintf("CAN'T SELECT CARD, SOMETHING WENT WRONG BEFORE AUTH");
	/* [listing gap: original lines 211-219 not shown] */
	// 3 ways to authenticate: AUTH (CRC16), AUTH_ISO (CRC32), AUTH_AES (CRC32)
	// 4 crypto algorithms: DES, 3DES, 3K3DES, AES
	// 3 communication modes: PLAIN, MAC, CRYPTO
	/* [listing gap: original lines 223-226 not shown] */
	// if ( SendDesfireCommand(AUTHENTICATE, &keyno, resp) > 0 ){
	// // got the nonce from the card
	/* [listing gap: original lines 229-231 not shown] */
	//SendDesfireCommand(AUTHENTICATE_ISO, &keyno, resp);
	/* [listing gap: original lines 233-235 not shown] */
	// AES-128 CBC keyed from `key`: KEY128 means 16 bytes are read from it
	// regardless of what `keylen` was.
	if ( AesCtxIni(&ctx, IV, key, KEY128, CBC) < 0 ){
		if (MF_DBGLEVEL >= 1) {
			Dbprintf("AES context failed to init");
	/* [listing gap: original lines 239-245 not shown - `real_cmd` presumably declared/initialised here] */
	// NOTE(review): AppendCrc14443a(buf, n) writes the CRC at buf[n] and
	// buf[n+1], so with n == 2 it overwrites the AUTHENTICATE_AES byte just
	// stored at real_cmd[2]. In SendDesfireCommand the command sits at
	// real_cmd[1] and the same call is consistent; here either the index or
	// the length is off. `real_cmd` is declared in a missing line - confirm.
	real_cmd[2] = AUTHENTICATE_AES;
	/* [listing gap: original lines 247-248 not shown] */
	AppendCrc14443a(real_cmd, 2);
	ReaderTransmit(real_cmd, sizeof(real_cmd), NULL);
	/* [listing gap: original line 251 not shown] */
	int len = ReaderReceive(resp);
	/* [listing gap: original lines 253-257 not shown] */
	print_result("RX:", resp, len);
	/* [listing gap: original line 259 not shown] */
	// Status byte at index 1 here (PCB, status, payload...), not index 2 as
	// in MifareDesfireGetInformation - the two functions use different frames.
	enum DESFIRE_STATUS status = resp[1];
	if ( status != ADDITIONAL_FRAME) {
	/* [listing gap: original lines 262-272 not shown - error branch] */
	// `nonce` is RndA, the reader's challenge.
	// NOTE(review): it is all zeros. A fixed reader challenge makes the
	// derived session key predictable and the exchange replayable; for
	// anything beyond a bench test it has to come from the firmware RNG.
	memset(nonce, 0, 16);
	// Encrypted RndB from the card follows the status byte.
	memcpy( encRndB, resp+2, 16);
	/* [listing gap: original line 275 not shown] */
	// Decrypt the tag nonce.
	AesDecrypt(&ctx, encRndB, decRndB, 16);
	/* [listing gap: original lines 278-280 not shown] */
	// RndA || RndB -> encBoth (32 bytes).
	// NOTE(review): the DESFire exchange expects RndB rotated left by one
	// byte (RndB') here; no rotation is visible in this listing - confirm.
	memcpy(both, nonce,16);
	memcpy(both+16, decRndB,16 );
	/* [listing gap: original line 283 not shown] */
	AesEncrypt(&ctx, both, encBoth, 32 );
	/* [listing gap: original line 285 not shown] */
	// Second frame: PCB 0x03, ADDITIONAL_FRAME, 32 bytes of ciphertext, CRC.
	uint8_t real_cmd_A[36];
	real_cmd_A[0] = 0x03;
	real_cmd_A[1] = ADDITIONAL_FRAME;
	/* [listing gap: original line 289 not shown] */
	memcpy(real_cmd_A+2, encBoth, sizeof(encBoth) );
	// BUG(review): sizeof(real_cmd_A) is 36, so AppendCrc14443a() computes
	// the CRC over all 36 bytes (the last 2 never written) and stores it at
	// real_cmd_A[36..37], two bytes past the end of this stack array. With a
	// 32-byte encBoth the data is 2 + 32 = 34 bytes - which is also what the
	// reference snippet further down assumes (`LEN = 1+1+32+2 = 36`) - so
	// the length argument should be 34, not sizeof(real_cmd_A).
	AppendCrc14443a(real_cmd_A, sizeof(real_cmd_A));
	ReaderTransmit(real_cmd_A, sizeof(real_cmd_A), NULL);
	/* [listing gap: original line 293 not shown] */
	len = ReaderReceive(resp);
	/* [listing gap: original line 295 not shown] */
	// Always prints 36 bytes, whatever `len` came back as.
	print_result("Auth1a ", resp, 36);
	/* [listing gap: original lines 297-298 not shown] */
	// NOTE(review): `status` is not visibly re-read from resp after the
	// second ReaderReceive (lines 297-298 are missing); if nothing there
	// refreshes it, this test still sees the first response's ADDITIONAL_FRAME.
	if ( status != OPERATION_OK) {
		Dbprintf("Cmd Error: %02x Len: %d", status,len);
	/* [listing gap: original lines 301-313 not shown - rest of the function] */
/*
 * SendDesfireCommand - send one parameterless DESFire command and return
 * the first two bytes after the status byte.
 *
 * desfire_cmd = enum DESFIRE_CMD in desfire.h
 * dataout     = point to array for response data; must hold at least 2 bytes
 *               (no length is passed, memcpy below writes exactly 2).
 * fromscratch = presumably whether to power the field and re-select the
 *               card first (the `if` that uses it is in a missing line).
 * Returns -1 on a data-link error; the other return values are in lines not
 * shown in this listing.
 *
 * NOTE(review): fragmentary listing. Not shown: declarations of `real_cmd`,
 * `resp` and `len` (318-323), the condition before `return -1` (339), the
 * closing braces (341-342, 350-352, 354-357).
 */
// desfire_cmd = enum DESFIRE_CMD in desfire.h
/* [listing gap: original line 315 not shown] */
// dataout = point to array for response data.
int SendDesfireCommand(enum DESFIRE_CMD desfire_cmd,uint8_t *dataout, uint8_t fromscratch){
	/* [listing gap: original lines 318-323 not shown] */
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	/* [listing gap: original line 325 not shown] */
	// power up the field
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
	/* [listing gap: original line 328 not shown] */
	// NOTE(review): return value of the select is ignored, so the command
	// below is transmitted even when no card answered.
	iso14443a_select_card(NULL, NULL, NULL);
	/* [listing gap: original lines 330-331 not shown] */
	// 3 ISO ways to send data to DESFIRE (direct, wrapped, wrapped ISO)
	/* [listing gap: original lines 333-334 not shown] */
	// Frame: real_cmd[0] = PCB (set in a missing line), [1] = command,
	// [2..3] = CRC_A written by AppendCrc14443a(real_cmd, 2).
	real_cmd[1] = desfire_cmd;
	AppendCrc14443a(real_cmd, 2);
	ReaderTransmit(real_cmd, sizeof(real_cmd), NULL);
	len = ReaderReceive(resp);
	/* [listing gap: original line 339 not shown - presumably `if (!len) {`] */
	// NOTE(review): this early return leaves the field on; the
	// FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF) below is only reached on the
	// success path (unless a missing line does it first - confirm).
	return -1; //DATA LINK ERROR
	/* [listing gap: original lines 341-342 not shown] */
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	/* [listing gap: original lines 344-345 not shown] */
	enum DESFIRE_STATUS status = resp[1];
	//1 bytes iso, 1 byte status, in the end: 2 bytes crc
	if ( status == OPERATION_OK || status == ADDITIONAL_FRAME) {
		// Fixed 2-byte copy regardless of `len`; per the layout comment the
		// payload is len - 4 bytes, so longer answers are truncated here.
		memcpy(dataout, resp+2, 2);
	/* [listing gap: original lines 350-352 not shown - presumably `return ...; } else {`] */
	Dbprintf("unexpected desfire response: %X (to %X)", status, desfire_cmd);
	/* [listing gap: original lines 354-357 not shown - end of function] */
358 // crc_update(&desfire_crc32, 0, 1); /* CMD_WRITE */
359 // crc_update(&desfire_crc32, addr, addr_sz);
360 // crc_update(&desfire_crc32, byte, 8);
361 // uint32_t crc = crc_finish(&desfire_crc32);
366 //uint8_t versionCmd1[] = {0x02, 0x60};
367 //uint8_t versionCmd2[] = {0x03, 0xaf};
368 //uint8_t versionCmd3[] = {0x02, 0xaf};
370 // AUTH 1 - CMD: 0x02, 0x0A, 0x00 = Auth
371 // 0x02 = status byte för simpla svar?!?
374 //uint8_t initAuthCmdDES[] = {0x02, 0x0a, 0x00}; // DES
375 //uint8_t initAuthCmd3DES[] = {0x02, 0x1a, 0x00}; // 3DES
376 //uint8_t initAuthCmdAES[] = {0x02, 0xaa, 0x00}; // AES
377 // auth 1 - answer command
378 // 0x03 = status byte för komplexa typer?
379 // 0xaf = additional frame
380 // LEN = 1+1+32+2 = 36
381 //uint8_t answerAuthCmd[34] = {0x03, 0xaf};
384 //AppendCrc14443a(versionCmd1,sizeof(versionCmd1));
388 /*ReaderTransmit(versionCmd1,sizeof(versionCmd1)+2, NULL);
389 len = ReaderReceive(buffer);
390 print_result("Get Version 3", buffer, 9);
393 // for( int i = 0; i < 8; i++){
394 // // Auth 1 - Request authentication
395 // ReaderTransmit(initAuthCmdAES,sizeof(initAuthCmdAES)+2, NULL);
396 // //len = ReaderReceive(buffer);
398 // // 0xAE = authentication error
399 // if (buffer[1] == 0xae) {
400 // Dbprintf("Cmd Error: %02x", buffer[1]);
406 // memcpy(encRndB, buffer+2, 16);
408 // // dekryptera svaret från tag.
409 // AesDecrypt(&ctx, encRndB, decRndB, 16);
412 // memcpy(RndARndB, RndA,16);
413 // memcpy(RndARndB+16, decRndB ,16 );
415 // AesEncrypt(&ctx, RndARndB, encRndARndB, 32 );
417 // memcpy(answerAuthCmd+2, encRndARndB, 32);
418 // AppendCrc14443a(answerAuthCmd,sizeof(answerAuthCmd));
420 // ReaderTransmit(answerAuthCmd,sizeof(answerAuthCmd)+2, NULL);
422 // len = ReaderReceive(buffer);
424 // print_result("Auth1a ", buffer, 8);
425 // Dbprintf("Rx len: %02x", len);
427 // if (buffer[1] == 0xCA) {
428 // Dbprintf("Cmd Error: %02x Len: %d", buffer[1],len);
429 // cmd_send(CMD_ACK,0,0,0,0,0);
431 // AesCtxIni(&ctx, iv, key, KEY128, CBC);
435 //des_dec(decRndB, encRndB, key);
439 DES_ede2_cbc_encrypt(e_RndB,RndB,sizeof(e_RndB),&ks1,&ks2,&iv,0);
440 memcpy(RndARndB,RndA,8);
441 memcpy(RndARndB+8,RndB,8);
442 PrintAndLog(" RA+B:%s",sprint_hex(RndARndB, 16));
443 DES_ede2_cbc_encrypt(RndARndB,RndARndB,sizeof(RndARndB),&ks1,&ks2,&e_RndB,1);
444 PrintAndLog("enc(RA+B):%s",sprint_hex(RndARndB, 16));
/*
 * mifare_des_auth2 - second half of the authentication: sends 16 bytes
 * supplied by the host (`key`) to the card and reads the reply.
 *
 * uid       - unused in the visible lines.
 * key       - 16 bytes copied verbatim into the command at dcmd+1. Despite
 *             the name this is whatever the host passed in; it is not
 *             checked or transformed here.
 * blockData - never written in the visible lines (see MifareDES_Auth2,
 *             which returns 11 bytes of it to the host).
 * Returns non-zero on failure according to the caller; the visible lines
 * contain no `return` statement.
 *
 * NOTE(review): fragmentary listing. Not shown: the `dcmd` declaration
 * (451-453), the conditions around the two failure branches (460, 463-465),
 * the closing lines (469-473, 478-484).
 */
int mifare_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){
	/* [listing gap: original line 449 not shown] */
	// Shared big buffer - also used by other reader code, not private to us.
	uint8_t* buffer = mifare_get_bigbufptr();
	/* [listing gap: original lines 451-453 not shown - `dcmd` declared here] */
	// dcmd: [0] command byte (set in a missing line), [1..16] the 16 bytes
	// from `key`, [17..18] CRC_A written by AppendCrc14443a(dcmd, 17).
	memcpy(dcmd+1,key,16);
	AppendCrc14443a(dcmd, 17);
	/* [listing gap: original lines 456-457 not shown] */
	ReaderTransmit(dcmd, sizeof(dcmd), NULL);
	int len = ReaderReceive(buffer);
	/* [listing gap: original line 460 not shown - presumably `if (!len) {`] */
	if (MF_DBGLEVEL >= 1) Dbprintf("Authentication failed. Card timeout.");
	// NOTE(review): a second receive after the timeout message; whether it
	// is a retry or the normal path depends on the missing line 460.
	len = ReaderReceive(buffer);
	/* [listing gap: original lines 463-465 not shown] */
	if (MF_DBGLEVEL >= 1) {
		Dbprintf("NAK - Authentication failed.");
		Dbprintf("Cmd Error: %02x", buffer[0]);
	/* [listing gap: original lines 469-473 not shown] */
	if (MF_DBGLEVEL >= 1) {
		// Prints buffer[0..9] without checking that `len` reached 10.
		Dbprintf("Auth2 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
			buffer[0],buffer[1],buffer[2],buffer[3],buffer[4],
			buffer[5],buffer[6],buffer[7],buffer[8],buffer[9],
	/* [listing gap: original lines 478-484 not shown - end of function] */
/*
 * MifareDES_Auth2 - USB entry point for the second authentication step.
 *
 * arg0   - card UID, passed through to mifare_des_auth2() as `cuid`.
 * datain - first 16 bytes are copied into `key` and handed to
 *          mifare_des_auth2().
 * Replies with cmd_send(CMD_ACK, isOK, 0, 0, dataoutbuf, 11) and then turns
 * the field off.
 *
 * NOTE(review): `dataoutbuf` is never initialised or written in the visible
 * lines of this function or of mifare_des_auth2(), yet 11 of its bytes are
 * returned to the host. Unless a missing line fills it, that is
 * uninitialised stack memory leaving the device; a
 * `memset(dataoutbuf, 0, sizeof(dataoutbuf));` right after the declaration
 * would close that. Likewise `isOK` and `key` are declared in missing
 * lines (489-491, 493-500), and it is not visible whether the failure
 * branch returns before cmd_send().
 */
void MifareDES_Auth2(uint32_t arg0, uint8_t *datain){
	/* [listing gap: original lines 486-487 not shown] */
	uint32_t cuid = arg0;
	/* [listing gap: original lines 489-491 not shown] */
	byte_t dataoutbuf[16];
	/* [listing gap: original lines 493-494 not shown] */
	memcpy(key, datain, 16);
	/* [listing gap: original lines 496-500 not shown] */
	if(mifare_des_auth2(cuid, key, dataoutbuf)){
		if (MF_DBGLEVEL >= 1) Dbprintf("Authentication part2: Fail...");
	/* [listing gap: original lines 503-504 not shown] */
	if (MF_DBGLEVEL >= 2) DbpString("AUTH 2 FINISHED");
	/* [listing gap: original lines 506-507 not shown] */
	// 11 bytes of dataoutbuf go back to the host.
	cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,11);
	/* [listing gap: original lines 509-511 not shown] */
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	/* [listing gap: original lines 513-516 not shown - end of function] */
/*
 * CreateAPDU - copy a host-supplied payload into `tmpcmd` and append a CRC_A.
 *
 * datain - payload from the host.
 * len    - payload length, clamped to USB_CMD_DATA_SIZE.
 * Returns a pointer into `tmpcmd` (the return statement is in a missing
 * line); whether `tmpcmd` is static or a local array - i.e. whether the
 * returned pointer outlives the call - is not visible here.
 *
 * NOTE(review): AppendCrc14443a(cmd, len+2) computes the CRC over len + 2
 * bytes (two bytes past what memcpy wrote) and stores it at cmd[len+2],
 * cmd[len+3]. So either the missing lines 523-526 set up a 2-byte prefix
 * and the memcpy should target cmd+2, or the length should simply be `len`.
 * Either way `tmpcmd` needs USB_CMD_DATA_SIZE + 4 bytes for the clamp above
 * to make the write safe - confirm against its declaration.
 */
uint8_t* CreateAPDU( uint8_t *datain, size_t len){
	/* [listing gap: original line 518 not shown] */
	len = MIN(len, USB_CMD_DATA_SIZE);
	/* [listing gap: original lines 520-521 not shown - `tmpcmd` presumably declared here] */
	uint8_t *cmd = tmpcmd;
	/* [listing gap: original lines 523-526 not shown] */
	memcpy(cmd, datain,len);
	AppendCrc14443a(cmd, len+2);
	/* [listing gap: original lines 529-533 not shown - end of function] */
/*
 * Body of a function whose signature falls in the missing original lines
 * 529-533: it powers the field, selects the card, deselects it again with
 * an S-block, turns the field off and acknowledges the host.
 *
 * NOTE(review): the select/failure code duplicates the start of
 * MifareDesfireGetInformation; `resp` is cleared but never used in the
 * visible lines. The select-failure branch body (550-556) and what happens
 * between the deselect and the final cmd_send (561-564) are not shown.
 */
	uint8_t resp[RECV_RES_SIZE];
	byte_t buf[RECV_RES_SIZE];
	/* [listing gap: original line 536 not shown] */
	memset(resp,0,sizeof(resp));
	memset(buf,0,sizeof(buf));
	/* [listing gap: original line 539 not shown] */
	iso14a_clear_trace();
	iso14a_set_tracing(TRUE);
	iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
	/* [listing gap: original line 543 not shown] */
	// card select - information
	iso14a_card_select_t *card = (iso14a_card_select_t *)buf;
	byte_t isOK = iso14443a_select_card(NULL, card, NULL);
	/* [listing gap: original line 547 not shown - presumably `if (!isOK) {`] */
	if (MF_DBGLEVEL >= 1) {
		Dbprintf("Can't select card");
	/* [listing gap: original lines 550-556 not shown] */
	// Deselect card by sending a s-block. the crc is precalced for speed
	// (0xC2 = S(DESELECT) PCB, 0xE0 0xB4 = its CRC_A, so no AppendCrc14443a).
	uint8_t cmd[] = {0xc2,0xe0,0xb4};
	ReaderTransmit(cmd, sizeof(cmd), NULL);
	// No receive after the deselect: the card's S-block reply is not waited for.
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
	/* [listing gap: original lines 561-564 not shown] */
	// Empty acknowledgement to the host, then the field is switched off
	// a second time.
	cmd_send(CMD_ACK,0,0,0,0,0);
	FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);