]> cvs.zerfleddert.de Git - proxmark3-svn/blob - armsrc/mifaredesfire.c
projects / proxmark3-svn / blob
? search:


ee7dc8f3836953e7108db29910e479f8fefd9917
[proxmark3-svn] / armsrc / mifaredesfire.c
1 #include "mifaredesfire.h"
2
3 #define MAX_APPLICATION_COUNT 28
4 #define MAX_FILE_COUNT 16
5 #define MAX_FRAME_SIZE 60
6 #define NOT_YET_AUTHENTICATED 255
7 #define FRAME_PAYLOAD_SIZE (MAX_FRAME_SIZE - 5)
8
9 // the block number for the ISO14443-4 PCB
10 uint8_t pcb_blocknum = 0;
11 // Deselect card by sending a s-block. the crc is precalced for speed
12 static uint8_t deselect_cmd[] = {0xc2,0xe0,0xb4};
13
14 //static uint8_t __msg[MAX_FRAME_SIZE] = { 0x0A, 0x00, 0x00, /* ..., */ 0x00 };
15 /* PCB CID CMD PAYLOAD */
16 //static uint8_t __res[MAX_FRAME_SIZE];
17
18 bool InitDesfireCard(){
19
20 // Make sure it is off.
21 // FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
22 // SpinDelay(300);
23
24 byte_t cardbuf[USB_CMD_DATA_SIZE];
25 memset(cardbuf,0,sizeof(cardbuf));
26
27 iso14a_set_tracing(TRUE);
28 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
29
30 iso14a_card_select_t *card = (iso14a_card_select_t*)cardbuf;
31 int len = iso14443a_select_card(NULL,card,NULL);
32
33 if (!len) {
34 if (MF_DBGLEVEL >= 1) {
35 Dbprintf("Can't select card");
36 }
37 OnError();
38 return false;
39 }
40 return true;
41 }
42
43 void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){
44
45 /* ARG0 contains flags.
46 0x01 = init card.
47 0x02 =
48 0x03
49 */
50 uint8_t flags = arg0;
51 size_t datalen = arg1;
52 uint8_t resp[RECV_RES_SIZE];
53 memset(resp,0,sizeof(resp));
54
55 if (MF_DBGLEVEL >= 4) {
56 Dbprintf(" flags: %02X", flags);
57 Dbprintf(" len : %02X", datalen);
58 print_result("to send: ", datain, datalen);
59 }
60
61 if ( flags & 0x01 ){
62 if ( !InitDesfireCard() )
63 return;
64 }
65
66 int len = DesfireAPDU(datain, datalen, resp);
67 if ( !len ) {
68 if (MF_DBGLEVEL >= 4) {
69 print_result("ERR <--: ", resp, len);
70 }
71 OnError();
72 return;
73 }
74 cmd_send(CMD_ACK,1,0,0,resp,len);
75
76
77 OnSuccess();
78 }
79
80 void MifareDesfireGetInformation(){
81
82 int len = 0;
83 uint8_t resp[USB_CMD_DATA_SIZE];
84 uint8_t dataout[USB_CMD_DATA_SIZE];
85 byte_t cardbuf[USB_CMD_DATA_SIZE];
86
87 memset(resp,0,sizeof(resp));
88 memset(dataout,0, sizeof(dataout));
89 memset(cardbuf,0,sizeof(cardbuf));
90
91 /*
92 1 = PCB 1
93 2 = cid 2
94 3 = desfire command 3
95 4-5 = crc 4 key
96 5-6 crc
97 PCB == 0x0A because sending CID byte.
98 CID == 0x00 first card?
99 */
100 iso14a_clear_trace();
101 iso14a_set_tracing(TRUE);
102 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
103
104 // card select - information
105 iso14a_card_select_t *card = (iso14a_card_select_t*)cardbuf;
106 byte_t isOK = iso14443a_select_card(NULL, card, NULL);
107 if (isOK != 1) {
108 if (MF_DBGLEVEL >= 1) {
109 Dbprintf("Can't select card");
110 }
111 OnError();
112 return;
113 }
114
115 memcpy(dataout,card->uid,7);
116
117 LED_A_ON();
118 LED_B_OFF();
119 LED_C_OFF();
120
121 uint8_t cmd[] = {GET_VERSION};
122 size_t cmd_len = sizeof(cmd);
123
124 len = DesfireAPDU(cmd, cmd_len, resp);
125 if ( !len ) {
126 print_result("ERROR <--: ", resp, len);
127 OnError();
128 return;
129 }
130
131 LED_A_OFF();
132 LED_B_ON();
133 memcpy(dataout+7,resp+3,7);
134
135 // ADDITION_FRAME 1
136 cmd[0] = ADDITIONAL_FRAME;
137 len = DesfireAPDU(cmd, cmd_len, resp);
138 if ( !len ) {
139 print_result("ERROR <--: ", resp, len);
140 OnError();
141 return;
142 }
143
144 LED_B_OFF();
145 LED_C_ON();
146 memcpy(dataout+7+7,resp+3,7);
147
148 // ADDITION_FRAME 2
149 len = DesfireAPDU(cmd, cmd_len, resp);
150 if ( !len ) {
151 print_result("ERROR <--: ", resp, len);
152 OnError();
153 return;
154 }
155
156 memcpy(dataout+7+7+7,resp+3,14);
157
158 cmd_send(CMD_ACK,1,0,0,dataout,sizeof(dataout));
159
160 // reset the pcb_blocknum,
161 pcb_blocknum = 0;
162 OnSuccess();
163 }
164
165 void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain){
166
167 uint8_t null_key_data[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
168 //uint8_t new_key_data[8] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
169 int res = 0;
170
171 desfirekey_t default_key = Desfire_des_key_new_with_version (null_key_data);
172
173 // res = Desfire_select_application (tags[i], aid);
174 if (res < 0) {
175 print_result("default key: ", default_key->data, 24 );
176 return;
177 }
178
179 return;
180 // pcb cid cmd key crc1 cr2
181 //uint8_t cmd2[] = {0x02,0x00,GET_KEY_VERSION, 0x00, 0x00, 0x00 };
182
183 //uint8_t* bigbuffer = mifare_get_bigbufptr();
184 byte_t isOK = 1;
185 uint8_t resp[256];
186 uint8_t key[24];
187 uint8_t IV[16];
188
189 // första byten håller keylength.
190 uint8_t keylen = datain[0];
191 memcpy(key, datain+1, keylen);
192
193 if (MF_DBGLEVEL >= 1) {
194
195 Dbprintf("MODE: %d", mode);
196 Dbprintf("ALGO: %d", algo);
197 Dbprintf("KEYNO: %d", keyno);
198 Dbprintf("KEYLEN: %d", keylen);
199
200 print_result("KEY", key, keylen);
201 }
202
203 // card select - information
204 byte_t buf[USB_CMD_DATA_SIZE];
205 iso14a_card_select_t *card = (iso14a_card_select_t*)buf;
206
207 // test of DES on ARM side.
208 /*
209 if ( mode == 1){
210 uint8_t IV[8];
211 uint8_t plain[16];
212 uint8_t encData[16];
213
214 uint8_t tmpData[8];
215 uint8_t tmpPlain[8];
216
217 memset(IV, 0, 8);
218 memset(tmpData, 0 ,8);
219 memset(tmpPlain,0 ,8);
220 memcpy(key, datain, 8);
221 memcpy(plain, datain+30, 16);
222
223 for(uint8_t i=0; i< sizeof(plain); i=i+8 ){
224
225 memcpy(tmpPlain, plain+i, 8);
226 des_enc( &tmpData, &tmpPlain, &key);
227 memcpy(encData+i, tmpData, 8);
228 }
229 }
230 */
231
232 iso14a_clear_trace();
233
234 iso14a_set_tracing(TRUE);
235
236 // power up the field
237 iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
238
239 // select the card
240 isOK = iso14443a_select_card(resp, card, NULL);
241 if (isOK != 1) {
242 if (MF_DBGLEVEL >= 1) {
243 Dbprintf("CAN'T SELECT CARD, SOMETHING WENT WRONG BEFORE AUTH");
244 }
245 OnError();
246 return;
247 }
248
249 LED_A_ON();
250 LED_B_OFF();
251 LED_C_OFF();
252
253 // 3 olika sätt att authenticera. AUTH (CRC16) , AUTH_ISO (CRC32) , AUTH_AES (CRC32)
254 // 4 olika crypto algo DES, 3DES, 3K3DES, AES
255 // 3 olika kommunikations sätt, PLAIN,MAC,CRYPTO
256
257 // des, nyckel 0,
258 switch (mode){
259 case 1:
260 // if ( SendDesfireCommand(AUTHENTICATE, &keyno, resp) > 0 ){
261 // // fick nonce från kortet
262 // }
263 break;
264 case 2:
265 //SendDesfireCommand(AUTHENTICATE_ISO, &keyno, resp);
266 break;
267 case 3:{
268 AesCtx ctx;
269 if ( AesCtxIni(&ctx, IV, key, KEY128, CBC) < 0 ){
270 if (MF_DBGLEVEL >= 1) {
271 Dbprintf("AES context failed to init");
272 }
273 OnError();
274 return;
275 }
276 uint8_t real_cmd[6];
277 real_cmd[0] = 0x90;
278 real_cmd[1] = 0x02;
279 real_cmd[2] = AUTHENTICATE_AES;
280 real_cmd[3] = keyno;
281
282 AppendCrc14443a(real_cmd, 2);
283 ReaderTransmit(real_cmd, sizeof(real_cmd), NULL);
284
285 int len = ReaderReceive(resp);
286 if(!len) {
287 OnError();
288 return;
289 }
290
291 print_result("RX:", resp, len);
292
293 enum DESFIRE_STATUS status = resp[1];
294 if ( status != ADDITIONAL_FRAME) {
295 OnError();
296 return;
297 }
298
299 // tags enc nonce
300 uint8_t encRndB[16];
301 uint8_t decRndB[16];
302 uint8_t nonce[16];
303 uint8_t both[32];
304 uint8_t encBoth[32];
305
306 memset(nonce, 0, 16);
307 memcpy( encRndB, resp+2, 16);
308
309 // dekryptera tagnonce.
310 AesDecrypt(&ctx, encRndB, decRndB, 16);
311
312 rol(decRndB,16);
313
314 memcpy(both, nonce,16);
315 memcpy(both+16, decRndB ,16 );
316
317 AesEncrypt(&ctx, both, encBoth, 32 );
318
319 uint8_t real_cmd_A[36];
320 real_cmd_A[0] = 0x03;
321 real_cmd_A[1] = ADDITIONAL_FRAME;
322
323 memcpy(real_cmd_A+2, encBoth, sizeof(encBoth) );
324 AppendCrc14443a(real_cmd_A, sizeof(real_cmd_A));
325 ReaderTransmit(real_cmd_A, sizeof(real_cmd_A), NULL);
326
327 len = ReaderReceive(resp);
328
329 print_result("Auth1a ", resp, 36);
330
331 status = resp[1];
332 if ( status != OPERATION_OK) {
333 Dbprintf("Cmd Error: %02x Len: %d", status,len);
334 OnError();
335 return;
336 }
337
338 break;
339 }
340
341 }
342
343 OnSuccess(resp);
344 }
345
346 // 3 olika ISO sätt att skicka data till DESFIRE (direkt, inkapslat, inkapslat ISO)
347 // cmd = cmd bytes to send
348 // cmd_len = length of cmd
349 // dataout = pointer to response data array
350 int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout){
351
352 uint32_t status = 0;
353 size_t wrappedLen = 0;
354 uint8_t wCmd[USB_CMD_DATA_SIZE];
355
356 wrappedLen = CreateAPDU( cmd, cmd_len, wCmd);
357
358 if (MF_DBGLEVEL >= 4) {
359 print_result("WCMD <--: ", wCmd, wrappedLen);
360 }
361 ReaderTransmit( wCmd, wrappedLen, NULL);
362
363 status = ReaderReceive(dataout);
364
365 if(!status){
366 return FALSE; //DATA LINK ERROR
367 }
368 // if we received an I- or R(ACK)-Block with a block number equal to the
369 // current block number, toggle the current block number
370 else if (status >= 4 // PCB+CID+CRC = 4 bytes
371 && ((dataout[0] & 0xC0) == 0 // I-Block
372 || (dataout[0] & 0xD0) == 0x80) // R-Block with ACK bit set to 0
373 && (dataout[0] & 0x01) == pcb_blocknum) // equal block numbers
374 {
375 pcb_blocknum ^= 1; //toggle next block
376 }
377 return status;
378 }
379
380 // CreateAPDU
381 size_t CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout){
382
383 size_t cmdlen = MIN(len+4, USB_CMD_DATA_SIZE-1);
384
385 uint8_t cmd[cmdlen];
386 memset(cmd, 0, cmdlen);
387
388 cmd[0] = 0x0A; // 0x0A = skicka cid, 0x02 = ingen cid. Särskilda bitar //
389 cmd[0] |= pcb_blocknum; // OR the block number into the PCB
390 cmd[1] = 0x00; // CID: 0x00 //FIXME: allow multiple selected cards
391
392 memcpy(cmd+2, datain, len);
393 AppendCrc14443a(cmd, len+2);
394
395 memcpy(dataout, cmd, cmdlen);
396
397 return cmdlen;
398 }
399
400 // crc_update(&desfire_crc32, 0, 1); /* CMD_WRITE */
401 // crc_update(&desfire_crc32, addr, addr_sz);
402 // crc_update(&desfire_crc32, byte, 8);
403 // uint32_t crc = crc_finish(&desfire_crc32);
404
405
406 /* Version
407
408 //uint8_t versionCmd1[] = {0x02, 0x60};
409 //uint8_t versionCmd2[] = {0x03, 0xaf};
410 //uint8_t versionCmd3[] = {0x02, 0xaf};
411
412 // AUTH 1 - CMD: 0x02, 0x0A, 0x00 = Auth
413 // 0x02 = status byte för simpla svar?!?
414 // 0x0a = krypto typ
415 // 0x00 = key nr
416 //uint8_t initAuthCmdDES[] = {0x02, 0x0a, 0x00}; // DES
417 //uint8_t initAuthCmd3DES[] = {0x02, 0x1a, 0x00}; // 3DES
418 //uint8_t initAuthCmdAES[] = {0x02, 0xaa, 0x00}; // AES
419 // auth 1 - answer command
420 // 0x03 = status byte för komplexa typer?
421 // 0xaf = additional frame
422 // LEN = 1+1+32+2 = 36
423 //uint8_t answerAuthCmd[34] = {0x03, 0xaf};
424
425 // Lägg till CRC
426 //AppendCrc14443a(versionCmd1,sizeof(versionCmd1));
427 */
428
429 // Sending commands
430 /*ReaderTransmit(versionCmd1,sizeof(versionCmd1)+2, NULL);
431 len = ReaderReceive(buffer);
432 print_result("Get Version 3", buffer, 9);
433 */
434
435 // for( int i = 0; i < 8; i++){
436 // // Auth 1 - Request authentication
437 // ReaderTransmit(initAuthCmdAES,sizeof(initAuthCmdAES)+2, NULL);
438 // //len = ReaderReceive(buffer);
439
440 // // 0xAE = authentication error
441 // if (buffer[1] == 0xae) {
442 // Dbprintf("Cmd Error: %02x", buffer[1]);
443 // OnError();
444 // return;
445 // }
446
447 // // tags enc nonce
448 // memcpy(encRndB, buffer+2, 16);
449
450 // // dekryptera svaret från tag.
451 // AesDecrypt(&ctx, encRndB, decRndB, 16);
452
453 // rol8(decRndB,16);
454 // memcpy(RndARndB, RndA,16);
455 // memcpy(RndARndB+16, decRndB ,16 );
456
457 // AesEncrypt(&ctx, RndARndB, encRndARndB, 32 );
458
459 // memcpy(answerAuthCmd+2, encRndARndB, 32);
460 // AppendCrc14443a(answerAuthCmd,sizeof(answerAuthCmd));
461
462 // ReaderTransmit(answerAuthCmd,sizeof(answerAuthCmd)+2, NULL);
463
464 // len = ReaderReceive(buffer);
465
466 // print_result("Auth1a ", buffer, 8);
467 // Dbprintf("Rx len: %02x", len);
468
469 // if (buffer[1] == 0xCA) {
470 // Dbprintf("Cmd Error: %02x Len: %d", buffer[1],len);
471 // cmd_send(CMD_ACK,0,0,0,0,0);
472 // key[1] = i;
473 // AesCtxIni(&ctx, iv, key, KEY128, CBC);
474 // }
475 // }
476
477 //des_dec(decRndB, encRndB, key);
478
479 //Do crypto magic
480 /*
481 DES_ede2_cbc_encrypt(e_RndB,RndB,sizeof(e_RndB),&ks1,&ks2,&iv,0);
482 memcpy(RndARndB,RndA,8);
483 memcpy(RndARndB+8,RndB,8);
484 PrintAndLog(" RA+B:%s",sprint_hex(RndARndB, 16));
485 DES_ede2_cbc_encrypt(RndARndB,RndARndB,sizeof(RndARndB),&ks1,&ks2,&e_RndB,1);
486 PrintAndLog("enc(RA+B):%s",sprint_hex(RndARndB, 16));
487 */
488
489
490 int mifare_des_auth2(uint32_t uid, uint8_t *key, uint8_t *blockData){
491
492 uint8_t* buffer = mifare_get_bigbufptr();
493 uint8_t dcmd[19];
494
495 dcmd[0] = 0xAF;
496 memcpy(dcmd+1,key,16);
497 AppendCrc14443a(dcmd, 17);
498
499
500 ReaderTransmit(dcmd, sizeof(dcmd), NULL);
501 int len = ReaderReceive(buffer);
502 if(!len) {
503 if (MF_DBGLEVEL >= 1) Dbprintf("Authentication failed. Card timeout.");
504 len = ReaderReceive(buffer);
505 }
506
507 if(len==1) {
508 if (MF_DBGLEVEL >= 1) {
509 Dbprintf("NAK - Authentication failed.");
510 Dbprintf("Cmd Error: %02x", buffer[0]);
511 }
512 return 1;
513 }
514
515 if (len == 11){
516 if (MF_DBGLEVEL >= 1) {
517 Dbprintf("Auth2 Resp: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
518 buffer[0],buffer[1],buffer[2],buffer[3],buffer[4],
519 buffer[5],buffer[6],buffer[7],buffer[8],buffer[9],
520 buffer[10]);
521 }
522 return 0;
523 }
524 return 1;
525 }
526
527 void MifareDES_Auth2(uint32_t arg0, uint8_t *datain){
528
529 return;
530 uint32_t cuid = arg0;
531 uint8_t key[16];
532
533 byte_t isOK = 0;
534 byte_t dataoutbuf[16];
535
536 memset(key, 0, 16);
537 memcpy(key, datain, 16);
538
539 LED_A_ON();
540 LED_B_OFF();
541 LED_C_OFF();
542
543 if(mifare_des_auth2(cuid, key, dataoutbuf)){
544 if (MF_DBGLEVEL >= 1) Dbprintf("Authentication part2: Fail...");
545 }
546 isOK=1;
547 if (MF_DBGLEVEL >= 2) DbpString("AUTH 2 FINISHED");
548
549 LED_B_ON();
550 cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,11);
551 LED_B_OFF();
552
553 // Thats it...
554 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
555 LEDsoff();
556 }
557
558 void OnSuccess(){
559 // transmit a DESELECT COMMAND for Desfire.
560 ReaderTransmit(deselect_cmd, 3 , NULL);
561 // reset the pcb_blocknum,
562 pcb_blocknum = 0;
563 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
564 LEDsoff();
565 }
566
567 void OnError(){
568 cmd_send(CMD_ACK,0,0,0,0,0);
569 ReaderTransmit(deselect_cmd, 3 , NULL);
570 // reset the pcb_blocknum,
571 pcb_blocknum = 0;
572 FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
573 LEDsoff();
574 }
Proxmark3 GIT tracking
Impressum, Datenschutz