#include <stdio.h>\r
#include <stdlib.h>\r
#include <ctype.h>\r
-#include "proxmark3.h"\r
+#include "comms.h"\r
#include "cmdmain.h"\r
#include "cmdhfmfhard.h"\r
+#include "parity.h"\r
#include "util.h"\r
#include "util_posix.h"\r
#include "usb_cmd.h"\r
#include "mifare.h"\r
#include "mfkey.h"\r
#include "hardnested/hardnested_bf_core.h"\r
+#include "cliparser/cliparser.h"\r
+#include "cmdhf14a.h"\r
+#include <polarssl/aes.h>\r
\r
#define NESTED_SECTOR_RETRY 10 // how often we try mfested() until we give up\r
\r
if (transferToEml) {\r
uint8_t sectortrailer;\r
if (trgBlockNo < 32*4) { // 4 block sector\r
- sectortrailer = (trgBlockNo & 0x03) + 3;\r
+ sectortrailer = trgBlockNo | 0x03;\r
} else { // 16 block sector\r
- sectortrailer = (trgBlockNo & 0x0f) + 15;\r
+ sectortrailer = trgBlockNo | 0x0f;\r
}\r
mfEmlGetMem(keyBlock, sectortrailer, 1);\r
\r
blockNo = i * 4;\r
keyType = j;\r
num_to_bytes(e_sector[i].Key[j], 6, key);\r
- \r
keyFound = true;\r
break;\r
}\r
// Can't found a key....\r
if (!keyFound) {\r
PrintAndLog("Can't found any of the known keys.");\r
+ free(e_sector);\r
return 4;\r
}\r
PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
\r
// initialize storage for found keys\r
e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
- if (e_sector == NULL) return 1;\r
+ if (e_sector == NULL) {\r
+ free(keyBlock);\r
+ return 1;\r
+ }\r
for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {\r
for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;\r
}\r
\r
// 1 - blocks count\r
- UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};\r
- memcpy(c.d.asBytes, memBlock, 16);\r
- SendCommand(&c);\r
- return 0;\r
+ return mfEmlSetMem(memBlock, blockNo, 1);\r
}\r
\r
\r
//var\r
int res = 0;\r
int len = 0;\r
+ int parlen = 0;\r
int blockLen = 0;\r
int pckNum = 0;\r
int num = 0;\r
uint8_t *buf = NULL;\r
uint16_t bufsize = 0;\r
uint8_t *bufPtr = NULL;\r
+ uint8_t parity[16];\r
\r
char ctmp = param_getchar(Cmd, 0);\r
if ( ctmp == 'h' || ctmp == 'H' ) {\r
} else {\r
isTag = false;\r
}\r
+ parlen = (len - 1) / 8 + 1;\r
bufPtr += 2;\r
if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
memcpy(uid, bufPtr + 2, 7);\r
if (wantDecrypt)\r
mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
} else {\r
- PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));\r
+ oddparitybuf(bufPtr, len, parity);\r
+ PrintAndLog("%s(%d):%s [%s] c[%s]%c", \r
+ isTag ? "TAG":"RDR", \r
+ num, \r
+ sprint_hex(bufPtr, len), \r
+ printBitsPar(bufPtr + len, len), \r
+ printBitsPar(parity, len),\r
+ memcmp(bufPtr + len, parity, len / 8 + 1) ? '!' : ' ');\r
if (wantLogToFile)\r
AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
if (wantDecrypt)\r
- mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
+ mfTraceDecode(bufPtr, len, bufPtr[len], wantSaveToEmlFile);\r
num++;\r
}\r
bufPtr += len;\r
- bufPtr += ((len-1)/8+1); // ignore parity\r
+ bufPtr += parlen; // ignore parity\r
}\r
pckNum = 0;\r
}\r
return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
}\r
\r
+int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){\r
+ uint8_t iiv[16] = {0};\r
+ if (iv)\r
+ memcpy(iiv, iv, 16);\r
+ \r
+ aes_context aes;\r
+ aes_init(&aes);\r
+ if (aes_setkey_enc(&aes, key, 128))\r
+ return 1;\r
+ if (aes_crypt_cbc(&aes, AES_ENCRYPT, length, iiv, input, output))\r
+ return 2;\r
+ aes_free(&aes);\r
+\r
+ return 0;\r
+}\r
+\r
+int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){\r
+ uint8_t iiv[16] = {0};\r
+ if (iv)\r
+ memcpy(iiv, iv, 16);\r
+ \r
+ aes_context aes;\r
+ aes_init(&aes);\r
+ if (aes_setkey_dec(&aes, key, 128))\r
+ return 1;\r
+ if (aes_crypt_cbc(&aes, AES_DECRYPT, length, iiv, input, output))\r
+ return 2;\r
+ aes_free(&aes);\r
+\r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMfAuth4(const char *cmd) {\r
+ uint8_t keyn[20] = {0};\r
+ int keynlen = 0;\r
+ uint8_t key[16] = {0};\r
+ int keylen = 0;\r
+ uint8_t data[257] = {0};\r
+ int datalen = 0;\r
+ \r
+ uint8_t Rnd1[17] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00};\r
+ uint8_t Rnd2[17] = {0};\r
+ \r
+ \r
+ CLIParserInit("hf mf auth4", \r
+ "Executes AES authentication command in ISO14443-4", \r
+ "Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"\r
+ "\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");\r
+\r
+ void* argtable[] = {\r
+ arg_param_begin,\r
+ arg_str1(NULL, NULL, "<Key Num (HEX 2 bytes)>", NULL),\r
+ arg_str1(NULL, NULL, "<Key Value (HEX 16 bytes)>", NULL),\r
+ arg_param_end\r
+ };\r
+ CLIExecWithReturn(cmd, argtable, true);\r
+ \r
+ CLIGetStrWithReturn(1, keyn, &keynlen);\r
+ CLIGetStrWithReturn(2, key, &keylen);\r
+ CLIParserFree();\r
+ \r
+ if (keynlen != 2) {\r
+ PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);\r
+ return 1;\r
+ }\r
+ \r
+ if (keylen != 16) {\r
+ PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);\r
+ return 1;\r
+ }\r
+\r
+ uint8_t cmd1[] = {0x70, keyn[1], keyn[0], 0x00};\r
+ int res = ExchangeRAW14a(cmd1, sizeof(cmd1), true, true, data, sizeof(data), &datalen);\r
+ if (res) {\r
+ PrintAndLog("ERROR exchande raw error: %d", res);\r
+ DropField();\r
+ return 2;\r
+ }\r
+ \r
+ PrintAndLog("<phase1: %s", sprint_hex(data, datalen));\r
+ \r
+ if (datalen < 1) {\r
+ PrintAndLog("ERROR: card response length: %d", datalen);\r
+ DropField();\r
+ return 3;\r
+ }\r
+ \r
+ if (data[0] != 0x90) {\r
+ PrintAndLog("ERROR: card response error: %02x", data[2]);\r
+ DropField();\r
+ return 3;\r
+ }\r
+\r
+ if (datalen != 19) { // code 1b + 16b + crc 2b\r
+ PrintAndLog("ERROR: card response must be 19 bytes long instead of: %d", datalen);\r
+ DropField();\r
+ return 3;\r
+ }\r
+ \r
+ aes_decode(NULL, key, &data[1], Rnd2, 16);\r
+ Rnd2[16] = Rnd2[0];\r
+ PrintAndLog("Rnd2: %s", sprint_hex(Rnd2, 16));\r
+\r
+ uint8_t cmd2[33] = {0};\r
+ cmd2[0] = 0x72;\r
+\r
+ uint8_t raw[32] = {0};\r
+ memmove(raw, Rnd1, 16);\r
+ memmove(&raw[16], &Rnd2[1], 16);\r
+\r
+ aes_encode(NULL, key, raw, &cmd2[1], 32);\r
+ PrintAndLog(">phase2: %s", sprint_hex(cmd2, 33));\r
+ \r
+ res = ExchangeRAW14a(cmd2, sizeof(cmd2), false, false, data, sizeof(data), &datalen);\r
+ if (res) {\r
+ PrintAndLog("ERROR exchande raw error: %d", res);\r
+ DropField();\r
+ return 4;\r
+ }\r
+ \r
+ PrintAndLog("<phase2: %s", sprint_hex(data, datalen));\r
+\r
+ aes_decode(NULL, key, &data[1], raw, 32);\r
+ PrintAndLog("res: %s", sprint_hex(raw, 32));\r
+ \r
+ PrintAndLog("Rnd1`: %s", sprint_hex(&raw[4], 16));\r
+ if (memcmp(&raw[4], &Rnd1[1], 16)) {\r
+ PrintAndLog("\nERROR: Authentication FAILED. rnd not equal");\r
+ PrintAndLog("rnd1 reader: %s", sprint_hex(&Rnd1[1], 16));\r
+ PrintAndLog("rnd1 card: %s", sprint_hex(&raw[4], 16));\r
+ DropField();\r
+ return 5;\r
+ }\r
+\r
+ DropField();\r
+ PrintAndLog("\nAuthentication OK");\r
+ \r
+ return 0;\r
+}\r
+\r
static command_t CommandTable[] =\r
{\r
{"help", CmdHelp, 1, "This help"},\r
{"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
{"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
+ {"auth4", CmdHF14AMfAuth4, 0, "ISO14443-4 AES authentication"},\r
{"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
{"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
{"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},\r
\r
int CmdHFMF(const char *Cmd)\r
{\r
- // flush\r
- WaitForResponseTimeout(CMD_ACK,NULL,100);\r
-\r
- CmdsParse(CommandTable, Cmd);\r
- return 0;\r
+ (void)WaitForResponseTimeout(CMD_ACK,NULL,100);\r
+ CmdsParse(CommandTable, Cmd);\r
+ return 0;\r
}\r
\r
int CmdHelp(const char *Cmd)\r