+ // AFL
+ struct tlvdb * f1AFL = tlvdb_fixed(0x94, len - 4, buf + 2 + 2);
+ tlvdb_add(tlvRoot, f1AFL);
+ if (decodeTLV)
+ TLVPrintFromTLV(f1AFL);
+ }
+ } else {
+ if (decodeTLV)
+ TLVPrintFromBuffer(buf, len);
+ }
+}
+
+void ProcessACResponseFormat1(struct tlvdb *tlvRoot, uint8_t *buf, size_t len, bool decodeTLV) {
+ if (buf[0] == 0x80) {
+ if (decodeTLV){
+ PrintAndLog("GPO response format1:");
+ TLVPrintFromBuffer(buf, len);
+ }
+
+ uint8_t elmlen = len - 2; // wo 0x80XX
+
+ if (len < 4 + 2 || (elmlen - 2) % 4 || elmlen != buf[1]) {
+ PrintAndLogEx(ERR, "GPO response format1 parsing error. length=%d", len);
+ } else {
+ struct tlvdb *tlvElm = NULL;
+ if (decodeTLV)
+ PrintAndLog("\n------------ Format1 decoded ------------");
+
+ // CID (Cryptogram Information Data)
+ tlvdb_change_or_add_node_ex(tlvRoot, 0x9f27, 1, &buf[2], &tlvElm);
+ if (decodeTLV)
+ TLVPrintFromTLV(tlvElm);
+
+ // ATC (Application Transaction Counter)
+ tlvdb_change_or_add_node_ex(tlvRoot, 0x9f36, 2, &buf[3], &tlvElm);
+ if (decodeTLV)
+ TLVPrintFromTLV(tlvElm);
+
+ // AC (Application Cryptogram)
+ tlvdb_change_or_add_node_ex(tlvRoot, 0x9f26, MIN(8, elmlen - 3), &buf[5], &tlvElm);
+ if (decodeTLV)
+ TLVPrintFromTLV(tlvElm);
+
+ // IAD (Issuer Application Data) - optional
+ if (len > 11 + 2) {
+ tlvdb_change_or_add_node_ex(tlvRoot, 0x9f10, elmlen - 11, &buf[13], &tlvElm);
+ if (decodeTLV)
+ TLVPrintFromTLV(tlvElm);
+ }
+ }
+ } else {
+ if (decodeTLV)
+ TLVPrintFromBuffer(buf, len);
+ }
+}
+
+int CmdEMVExec(const char *cmd) {
+ uint8_t buf[APDU_RESPONSE_LEN] = {0};
+ size_t len = 0;
+ uint16_t sw = 0;
+ uint8_t AID[APDU_DATA_LEN] = {0};
+ size_t AIDlen = 0;
+ uint8_t ODAiList[4096];
+ size_t ODAiListLen = 0;
+
+ int res;
+
+ struct tlvdb *tlvSelect = NULL;
+ struct tlvdb *tlvRoot = NULL;
+ struct tlv *pdol_data_tlv = NULL;
+
+ CLIParserInit("emv exec",
+ "Executes EMV contactless transaction",
+ "Usage:\n"
+ "\temv exec -sat -> select card, execute MSD transaction, show APDU and TLV\n"
+ "\temv exec -satc -> select card, execute CDA transaction, show APDU and TLV\n");
+
+ void* argtable[] = {
+ arg_param_begin,
+ arg_lit0("sS", "select", "activate field and select card."),
+ arg_lit0("aA", "apdu", "show APDU reqests and responses."),
+ arg_lit0("tT", "tlv", "TLV decode results."),
+ arg_lit0("jJ", "jload", "Load transaction parameters from `emv/defparams.json` file."),
+ arg_lit0("fF", "forceaid", "Force search AID. Search AID instead of execute PPSE."),
+ arg_rem("By default:", "Transaction type - MSD"),
+ arg_lit0("vV", "qvsdc", "Transaction type - qVSDC or M/Chip."),
+ arg_lit0("cC", "qvsdccda", "Transaction type - qVSDC or M/Chip plus CDA (SDAD generation)."),
+ arg_lit0("xX", "vsdc", "Transaction type - VSDC. For test only. Not a standart behavior."),
+ arg_lit0("gG", "acgpo", "VISA. generate AC from GPO."),
+ arg_lit0("wW", "wired", "Send data via contact (iso7816) interface. Contactless interface set by default."),
+ arg_param_end
+ };
+ CLIExecWithReturn(cmd, argtable, true);
+
+ bool activateField = arg_get_lit(1);
+ bool showAPDU = arg_get_lit(2);
+ bool decodeTLV = arg_get_lit(3);
+ bool paramLoadJSON = arg_get_lit(4);
+ bool forceSearch = arg_get_lit(5);
+
+ enum TransactionType TrType = TT_MSD;
+ if (arg_get_lit(7))
+ TrType = TT_QVSDCMCHIP;
+ if (arg_get_lit(8))
+ TrType = TT_CDA;
+ if (arg_get_lit(9))
+ TrType = TT_VSDC;
+
+ bool GenACGPO = arg_get_lit(10);
+ EMVCommandChannel channel = ECC_CONTACTLESS;
+#ifdef WITH_SMARTCARD
+ if (arg_get_lit(11))
+ channel = ECC_CONTACT;
+#endif
+ PrintChannel(channel);
+ uint8_t psenum = (channel == ECC_CONTACT) ? 1 : 2;
+ char *PSE_or_PPSE = psenum == 1 ? "PSE" : "PPSE";
+
+ CLIParserFree();
+
+ SetAPDULogging(showAPDU);
+
+ // init applets list tree
+ const char *al = "Applets list";
+ tlvSelect = tlvdb_fixed(1, strlen(al), (const unsigned char *)al);
+
+ // Application Selection
+ // https://www.openscdp.org/scripts/tutorial/emv/applicationselection.html
+ if (!forceSearch) {
+ // PPSE / PSE
+ PrintAndLogEx(NORMAL, "\n* %s.", PSE_or_PPSE);
+ SetAPDULogging(showAPDU);
+ res = EMVSearchPSE(channel, activateField, true, psenum, decodeTLV, tlvSelect);
+
+ // check PPSE / PSE and select application id
+ if (!res) {
+ TLVPrintAIDlistFromSelectTLV(tlvSelect);
+ EMVSelectApplication(tlvSelect, AID, &AIDlen);
+ }
+ }
+
+ // Search
+ if (!AIDlen) {
+ PrintAndLogEx(NORMAL, "\n* Search AID in list.");
+ SetAPDULogging(false);
+ if (EMVSearch(channel, activateField, true, decodeTLV, tlvSelect)) {
+ dreturn(2);
+ }
+
+ // check search and select application id
+ TLVPrintAIDlistFromSelectTLV(tlvSelect);
+ EMVSelectApplication(tlvSelect, AID, &AIDlen);
+ }
+
+ // Init TLV tree
+ const char *alr = "Root terminal TLV tree";
+ tlvRoot = tlvdb_fixed(1, strlen(alr), (const unsigned char *)alr);
+
+ // check if we found EMV application on card
+ if (!AIDlen) {
+ PrintAndLogEx(WARNING, "Can't select AID. EMV AID not found");
+ dreturn(2);
+ }
+
+ // Select
+ PrintAndLogEx(NORMAL, "\n* Selecting AID:%s", sprint_hex_inrow(AID, AIDlen));
+ SetAPDULogging(showAPDU);
+ res = EMVSelect(channel, false, true, AID, AIDlen, buf, sizeof(buf), &len, &sw, tlvRoot);
+
+ if (res) {
+ PrintAndLogEx(WARNING, "Can't select AID (%d). Exit...", res);
+ dreturn(3);
+ }
+
+ if (decodeTLV)
+ TLVPrintFromBuffer(buf, len);
+ PrintAndLogEx(INFO, "* Selected.");
+
+ PrintAndLogEx(INFO, "\n* Init transaction parameters.");
+ InitTransactionParameters(tlvRoot, paramLoadJSON, TrType, GenACGPO);
+ TLVPrintFromTLV(tlvRoot); // TODO delete!!!
+
+ PrintAndLogEx(NORMAL, "\n* Calc PDOL.");
+ pdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x9f38, NULL), tlvRoot, 0x83);
+ if (!pdol_data_tlv){
+ PrintAndLogEx(WARNING, "Error: can't create PDOL TLV.");
+ dreturn(4);
+ }
+
+ size_t pdol_data_tlv_data_len;
+ unsigned char *pdol_data_tlv_data = tlv_encode(pdol_data_tlv, &pdol_data_tlv_data_len);
+ if (!pdol_data_tlv_data) {
+ PrintAndLogEx(WARNING, "Error: can't create PDOL data.");
+ dreturn(4);
+ }
+ PrintAndLogEx(NORMAL, "PDOL data[%d]: %s", pdol_data_tlv_data_len, sprint_hex(pdol_data_tlv_data, pdol_data_tlv_data_len));
+
+ PrintAndLogEx(NORMAL, "\n* GPO.");
+ res = EMVGPO(channel, true, pdol_data_tlv_data, pdol_data_tlv_data_len, buf, sizeof(buf), &len, &sw, tlvRoot);
+
+ free(pdol_data_tlv_data);
+ //free(pdol_data_tlv); --- free on exit.
+
+ if (res) {
+ PrintAndLogEx(NORMAL, "GPO error(%d): %4x. Exit...", res, sw);
+ dreturn(5);
+ }
+
+ // process response template format 1 [id:80 2b AIP + x4b AFL] and format 2 [id:77 TLV]
+ ProcessGPOResponseFormat1(tlvRoot, buf, len, decodeTLV);
+
+ // extract PAN from track2
+ {
+ const struct tlv *track2 = tlvdb_get(tlvRoot, 0x57, NULL);
+ if (!tlvdb_get(tlvRoot, 0x5a, NULL) && track2 && track2->len >= 8) {
+ struct tlvdb *pan = GetPANFromTrack2(track2);
+ if (pan) {
+ tlvdb_add(tlvRoot, pan);
+
+ const struct tlv *pantlv = tlvdb_get(tlvRoot, 0x5a, NULL);
+ PrintAndLogEx(NORMAL, "\n* * Extracted PAN from track2: %s", sprint_hex(pantlv->value, pantlv->len));
+ } else {
+ PrintAndLogEx(NORMAL, "\n* * WARNING: Can't extract PAN from track2.");
+ }
+ }
+ }
+
+ PrintAndLogEx(NORMAL, "\n* Read records from AFL.");
+ const struct tlv *AFL = tlvdb_get(tlvRoot, 0x94, NULL);
+ if (!AFL || !AFL->len) {
+ PrintAndLogEx(WARNING, "AFL not found.");
+ }
+
+ while(AFL && AFL->len) {
+ if (AFL->len % 4) {
+ PrintAndLogEx(WARNING, "Error: Wrong AFL length: %d", AFL->len);
+ break;
+ }
+
+ for (int i = 0; i < AFL->len / 4; i++) {
+ uint8_t SFI = AFL->value[i * 4 + 0] >> 3;
+ uint8_t SFIstart = AFL->value[i * 4 + 1];
+ uint8_t SFIend = AFL->value[i * 4 + 2];
+ uint8_t SFIoffline = AFL->value[i * 4 + 3];
+
+ PrintAndLogEx(NORMAL, "* * SFI[%02x] start:%02x end:%02x offline count:%02x", SFI, SFIstart, SFIend, SFIoffline);
+ if (SFI == 0 || SFI == 31 || SFIstart == 0 || SFIstart > SFIend) {
+ PrintAndLogEx(NORMAL, "SFI ERROR! Skipped...");
+ continue;
+ }
+
+ for(int n = SFIstart; n <= SFIend; n++) {
+ PrintAndLogEx(NORMAL, "* * * SFI[%02x] %d", SFI, n);
+
+ res = EMVReadRecord(channel, true, SFI, n, buf, sizeof(buf), &len, &sw, tlvRoot);
+ if (res) {
+ PrintAndLogEx(WARNING, "Error SFI[%02x]. APDU error %4x", SFI, sw);
+ continue;
+ }
+
+ if (decodeTLV) {
+ TLVPrintFromBuffer(buf, len);
+ PrintAndLogEx(NORMAL, "");
+ }
+
+ // Build Input list for Offline Data Authentication
+ // EMV 4.3 book3 10.3, page 96
+ if (SFIoffline > 0) {
+ if (SFI < 11) {
+ const unsigned char *abuf = buf;
+ size_t elmlen = len;
+ struct tlv e;
+ if (tlv_parse_tl(&abuf, &elmlen, &e)) {
+ memcpy(&ODAiList[ODAiListLen], &buf[len - elmlen], elmlen);
+ ODAiListLen += elmlen;
+ } else {
+ PrintAndLogEx(WARNING, "Error SFI[%02x]. Creating input list for Offline Data Authentication error.", SFI);
+ }
+ } else {
+ memcpy(&ODAiList[ODAiListLen], buf, len);
+ ODAiListLen += len;
+ }
+
+ SFIoffline--;
+ }
+ }
+ }
+
+ break;
+ }
+
+ // copy Input list for Offline Data Authentication
+ if (ODAiListLen) {
+ struct tlvdb *oda = tlvdb_fixed(0x21, ODAiListLen, ODAiList); // not a standard tag
+ tlvdb_add(tlvRoot, oda);
+ PrintAndLogEx(NORMAL, "* Input list for Offline Data Authentication added to TLV. len=%d \n", ODAiListLen);
+ }
+
+ // get AIP
+ uint16_t AIP = 0;
+ const struct tlv *AIPtlv = tlvdb_get(tlvRoot, 0x82, NULL);
+ if (AIPtlv) {
+ AIP = AIPtlv->value[0] + AIPtlv->value[1] * 0x100;
+ PrintAndLogEx(NORMAL, "* * AIP=%04x", AIP);
+ } else {
+ PrintAndLogEx(ERR, "Can't found AIP.");
+ }
+
+ // SDA
+ if (AIP & 0x0040) {
+ PrintAndLogEx(NORMAL, "\n* SDA");
+ trSDA(tlvRoot);
+ }
+
+ // DDA
+ if (AIP & 0x0020) {
+ PrintAndLogEx(NORMAL, "\n* DDA");
+ trDDA(channel, decodeTLV, tlvRoot);
+ }
+
+ // transaction check
+
+ // qVSDC
+ if (TrType == TT_QVSDCMCHIP|| TrType == TT_CDA){
+ // 9F26: Application Cryptogram
+ const struct tlv *AC = tlvdb_get(tlvRoot, 0x9F26, NULL);
+ if (AC) {
+ PrintAndLogEx(NORMAL, "\n--> qVSDC transaction.");
+ PrintAndLogEx(NORMAL, "* AC path");
+
+ // 9F36: Application Transaction Counter (ATC)
+ const struct tlv *ATC = tlvdb_get(tlvRoot, 0x9F36, NULL);
+ if (ATC) {
+
+ // 9F10: Issuer Application Data - optional
+ const struct tlv *IAD = tlvdb_get(tlvRoot, 0x9F10, NULL);
+
+ // print AC data
+ PrintAndLogEx(NORMAL, "ATC: %s", sprint_hex(ATC->value, ATC->len));
+ PrintAndLogEx(NORMAL, "AC: %s", sprint_hex(AC->value, AC->len));
+ if (IAD){
+ PrintAndLogEx(NORMAL, "IAD: %s", sprint_hex(IAD->value, IAD->len));
+
+ if (IAD->len >= IAD->value[0] + 1) {
+ PrintAndLogEx(NORMAL, "\tKey index: 0x%02x", IAD->value[1]);
+ PrintAndLogEx(NORMAL, "\tCrypto ver: 0x%02x(%03d)", IAD->value[2], IAD->value[2]);
+ PrintAndLogEx(NORMAL, "\tCVR:", sprint_hex(&IAD->value[3], IAD->value[0] - 2));
+ struct tlvdb * cvr = tlvdb_fixed(0x20, IAD->value[0] - 2, &IAD->value[3]);
+ TLVPrintFromTLVLev(cvr, 1);
+ }
+ } else {
+ PrintAndLogEx(WARNING, "IAD not found.");
+ }
+
+ } else {
+ PrintAndLogEx(ERR, "AC: Application Transaction Counter (ATC) not found.");
+ }
+ }
+ }
+
+ // Mastercard M/CHIP
+ if (GetCardPSVendor(AID, AIDlen) == CV_MASTERCARD && (TrType == TT_QVSDCMCHIP || TrType == TT_CDA)){
+ const struct tlv *CDOL1 = tlvdb_get(tlvRoot, 0x8c, NULL);
+ if (CDOL1 && GetCardPSVendor(AID, AIDlen) == CV_MASTERCARD) { // and m/chip transaction flag
+ PrintAndLogEx(NORMAL, "\n--> Mastercard M/Chip transaction.");
+
+ PrintAndLogEx(NORMAL, "* * Generate challenge");
+ res = EMVGenerateChallenge(channel, true, buf, sizeof(buf), &len, &sw, tlvRoot);
+ if (res) {
+ PrintAndLogEx(WARNING, "GetChallenge. APDU error %4x", sw);
+ dreturn(6);
+ }
+ if (len < 4) {
+ PrintAndLogEx(WARNING, "GetChallenge. Wrong challenge length %d", len);
+ dreturn(6);
+ }
+
+ // ICC Dynamic Number
+ struct tlvdb * ICCDynN = tlvdb_fixed(0x9f4c, len, buf);
+ tlvdb_add(tlvRoot, ICCDynN);
+ if (decodeTLV){
+ PrintAndLogEx(NORMAL, "\n* * ICC Dynamic Number:");
+ TLVPrintFromTLV(ICCDynN);
+ }
+
+ PrintAndLogEx(NORMAL, "* * Calc CDOL1");
+ struct tlv *cdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x8c, NULL), tlvRoot, 0x01); // 0x01 - dummy tag
+ if (!cdol_data_tlv){
+ PrintAndLogEx(WARNING, "Error: can't create CDOL1 TLV.");
+ dreturn(6);
+ }
+ PrintAndLogEx(NORMAL, "CDOL1 data[%d]: %s", cdol_data_tlv->len, sprint_hex(cdol_data_tlv->value, cdol_data_tlv->len));
+
+ PrintAndLogEx(NORMAL, "* * AC1");
+ // EMVAC_TC + EMVAC_CDAREQ --- to get SDAD
+ res = EMVAC(channel, true, (TrType == TT_CDA) ? EMVAC_TC + EMVAC_CDAREQ : EMVAC_TC, (uint8_t *)cdol_data_tlv->value, cdol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
+
+ if (res) {
+ PrintAndLogEx(NORMAL, "AC1 error(%d): %4x. Exit...", res, sw);
+ dreturn(7);
+ }
+
+ if (decodeTLV)
+ TLVPrintFromBuffer(buf, len);
+
+ // CDA
+ PrintAndLogEx(NORMAL, "\n* CDA:");
+ struct tlvdb *ac_tlv = tlvdb_parse_multi(buf, len);
+ res = trCDA(tlvRoot, ac_tlv, pdol_data_tlv, cdol_data_tlv);
+ if (res) {
+ PrintAndLogEx(NORMAL, "CDA error (%d)", res);
+ }
+ free(ac_tlv);
+ free(cdol_data_tlv);
+
+ PrintAndLogEx(NORMAL, "\n* M/Chip transaction result:");
+ // 9F27: Cryptogram Information Data (CID)
+ const struct tlv *CID = tlvdb_get(tlvRoot, 0x9F27, NULL);
+ if (CID) {
+ emv_tag_dump(CID, stdout, 0);
+ PrintAndLogEx(NORMAL, "------------------------------");
+ if (CID->len > 0) {
+ switch(CID->value[0] & EMVAC_AC_MASK){
+ case EMVAC_AAC:
+ PrintAndLogEx(NORMAL, "Transaction DECLINED.");
+ break;
+ case EMVAC_TC:
+ PrintAndLogEx(NORMAL, "Transaction approved OFFLINE.");
+ break;
+ case EMVAC_ARQC:
+ PrintAndLogEx(NORMAL, "Transaction approved ONLINE.");
+ break;
+ default:
+ PrintAndLogEx(WARNING, "Error: CID transaction code error %2x", CID->value[0] & EMVAC_AC_MASK);
+ break;
+ }
+ } else {
+ PrintAndLogEx(WARNING, "Wrong CID length %d", CID->len);
+ }
+ } else {
+ PrintAndLogEx(WARNING, "CID(9F27) not found.");
+ }
+
+ }
+ }
+
+ // MSD
+ if (AIP & 0x8000 && TrType == TT_MSD) {
+ PrintAndLogEx(NORMAL, "\n--> MSD transaction.");
+
+ PrintAndLogEx(NORMAL, "* MSD dCVV path. Check dCVV");
+
+ const struct tlv *track2 = tlvdb_get(tlvRoot, 0x57, NULL);
+ if (track2) {
+ PrintAndLogEx(NORMAL, "Track2: %s", sprint_hex(track2->value, track2->len));
+
+ struct tlvdb *dCVV = GetdCVVRawFromTrack2(track2);
+ PrintAndLogEx(NORMAL, "dCVV raw data:");
+ TLVPrintFromTLV(dCVV);
+
+ if (GetCardPSVendor(AID, AIDlen) == CV_MASTERCARD) {
+ PrintAndLogEx(NORMAL, "\n* Mastercard calculate UDOL");
+
+ // UDOL (9F69)
+ const struct tlv *UDOL = tlvdb_get(tlvRoot, 0x9F69, NULL);
+ // UDOL(9F69) default: 9F6A (Unpredictable number) 4 bytes
+ const struct tlv defUDOL = {
+ .tag = 0x01,
+ .len = 3,
+ .value = (uint8_t *)"\x9f\x6a\x04",
+ };
+ if (!UDOL)
+ PrintAndLogEx(NORMAL, "Use default UDOL.");
+
+ struct tlv *udol_data_tlv = dol_process(UDOL ? UDOL : &defUDOL, tlvRoot, 0x01); // 0x01 - dummy tag
+ if (!udol_data_tlv){
+ PrintAndLogEx(WARNING, "can't create UDOL TLV.");
+ dreturn(8);
+ }
+
+ PrintAndLogEx(NORMAL, "UDOL data[%d]: %s", udol_data_tlv->len, sprint_hex(udol_data_tlv->value, udol_data_tlv->len));
+
+ PrintAndLogEx(NORMAL, "\n* Mastercard compute cryptographic checksum(UDOL)");
+
+ res = MSCComputeCryptoChecksum(channel, true, (uint8_t *)udol_data_tlv->value, udol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
+ if (res) {
+ PrintAndLogEx(WARNING, "Compute Crypto Checksum. APDU error %4x", sw);
+ free(udol_data_tlv);
+ dreturn(9);
+ }
+
+ // Mastercard compute cryptographic checksum result
+ TLVPrintFromBuffer(buf, len);
+ PrintAndLogEx(NORMAL, "");
+
+ free(udol_data_tlv);
+
+ }
+ } else {
+ PrintAndLogEx(WARNING, "MSD: Track2 data not found.");
+ }
+ }
+
+ // VSDC
+ if (GetCardPSVendor(AID, AIDlen) == CV_VISA && (TrType == TT_VSDC || TrType == TT_CDA)){
+ PrintAndLogEx(NORMAL, "\n--> VSDC transaction.");
+
+ PrintAndLogEx(NORMAL, "* * Calc CDOL1");
+ struct tlv *cdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x8c, NULL), tlvRoot, 0x01); // 0x01 - dummy tag
+ if (!cdol_data_tlv) {
+ PrintAndLogEx(WARNING, "Error: can't create CDOL1 TLV.");
+ dreturn(6);
+ }
+
+ PrintAndLogEx(NORMAL, "CDOL1 data[%d]: %s", cdol_data_tlv->len, sprint_hex(cdol_data_tlv->value, cdol_data_tlv->len));
+
+ PrintAndLogEx(NORMAL, "* * AC1");
+ // EMVAC_TC + EMVAC_CDAREQ --- to get SDAD
+ res = EMVAC(channel, true, (TrType == TT_CDA) ? EMVAC_TC + EMVAC_CDAREQ : EMVAC_TC, (uint8_t *)cdol_data_tlv->value, cdol_data_tlv->len, buf, sizeof(buf), &len, &sw, tlvRoot);
+
+ if (res) {
+ PrintAndLogEx(NORMAL, "AC1 error(%d): %4x. Exit...", res, sw);
+ dreturn(7);
+ }
+
+ // process Format1 (0x80) and print Format2 (0x77)
+ ProcessACResponseFormat1(tlvRoot, buf, len, decodeTLV);
+
+ uint8_t CID = 0;
+ tlvdb_get_uint8(tlvRoot, 0x9f27, &CID);
+
+ // AC1 print result
+ PrintAndLog("");
+ if ((CID & EMVAC_AC_MASK) == EMVAC_AAC) PrintAndLogEx(INFO, "AC1 result: AAC (Transaction declined)");
+ if ((CID & EMVAC_AC_MASK) == EMVAC_TC) PrintAndLogEx(INFO, "AC1 result: TC (Transaction approved)");
+ if ((CID & EMVAC_AC_MASK) == EMVAC_ARQC) PrintAndLogEx(INFO, "AC1 result: ARQC (Online authorisation requested)");
+ if ((CID & EMVAC_AC_MASK) == EMVAC_AC_MASK) PrintAndLogEx(INFO, "AC1 result: RFU");
+
+ // decode Issuer Application Data (IAD)
+ uint8_t CryptoVersion = 0;
+ const struct tlv *IAD = tlvdb_get(tlvRoot, 0x9f10, NULL);
+ if (IAD && (IAD->len > 1)) {
+ PrintAndLogEx(NORMAL, "\n* * Issuer Application Data (IAD):");
+ uint8_t VDDlen = IAD->value[0]; // Visa discretionary data length
+ uint8_t IDDlen = 0; // Issuer discretionary data length
+ PrintAndLogEx(NORMAL, "IAD length: %d", IAD->len);
+ PrintAndLogEx(NORMAL, "VDDlen: %d", VDDlen);
+ if (VDDlen < IAD->len - 1)
+ IDDlen = IAD->value[VDDlen + 1];
+ PrintAndLogEx(NORMAL, "IDDlen: %d", IDDlen);
+
+ uint8_t DerivKeyIndex = IAD->value[1];
+ CryptoVersion = IAD->value[2];
+
+ PrintAndLogEx(NORMAL, "CryptoVersion: %d", CryptoVersion);
+ PrintAndLogEx(NORMAL, "DerivKeyIndex: %d", DerivKeyIndex);
+
+ // Card Verification Results (CVR) decode
+ if ((VDDlen - 2) > 0) {
+ uint8_t CVRlen = IAD->value[3];
+ if (CVRlen == (VDDlen - 2 - 1)) {
+ PrintAndLogEx(NORMAL, "CVR length: %d", CVRlen);
+ PrintAndLogEx(NORMAL, "CVR: %s", sprint_hex(&IAD->value[4], CVRlen));
+ } else {
+ PrintAndLogEx(NORMAL, "Wrong CVR length! CVR: %s", sprint_hex(&IAD->value[3], VDDlen - 2));
+ }
+ }
+ if (IDDlen)
+ PrintAndLogEx(NORMAL, "IDD: %s", sprint_hex(&IAD->value[VDDlen + 1], IDDlen));
+ } else {
+ PrintAndLogEx(NORMAL, "Issuer Application Data (IAD) not found.");
+ }
+
+ PrintAndLogEx(NORMAL, "\n* * Processing online request");
+
+ // authorization response code from acquirer
+ const char HostResponse[] = "00"; // 0x3030
+ size_t HostResponseLen = sizeof(HostResponse) - 1;
+ PrintAndLogEx(NORMAL, "Host Response: `%s`", HostResponse);
+ tlvdb_change_or_add_node(tlvRoot, 0x8a, HostResponseLen, (const unsigned char *)HostResponse);
+
+ if (CryptoVersion == 10) {
+ PrintAndLogEx(NORMAL, "\n* * Generate ARPC");
+
+ // Application Cryptogram (AC)
+ const struct tlv *AC = tlvdb_get(tlvRoot, 0x9f26, NULL);
+ if (AC && (AC->len > 0)) {
+ PrintAndLogEx(NORMAL, "AC: %s", sprint_hex(AC->value, AC->len));
+
+ size_t rawARPClen = AC->len;
+ uint8_t rawARPC[rawARPClen];
+ memcpy(rawARPC, AC->value, AC->len);
+ for (int i = 0; (i < HostResponseLen) && (i < rawARPClen); i++)
+ rawARPC[i] ^= HostResponse[i];
+ PrintAndLogEx(NORMAL, "raw ARPC: %s", sprint_hex(rawARPC, rawARPClen));
+
+ // here must be calculation of ARPC, but we dont know a bank keys.
+ PrintAndLogEx(NORMAL, "ARPC: n/a");
+
+ } else {
+ PrintAndLogEx(NORMAL, "Application Cryptogram (AC) not found.");
+ }
+
+ // here must be external authenticate, but we dont know ARPC
+
+ }
+
+
+ // needs to send AC2 command (res == ARQC)
+ if ((CID & EMVAC_AC_MASK) == EMVAC_ARQC) {
+ PrintAndLogEx(NORMAL, "\n* * Calc CDOL2");
+ struct tlv *cdol2_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x8d, NULL), tlvRoot, 0x01); // 0x01 - dummy tag
+ if (!cdol2_data_tlv) {
+ PrintAndLogEx(WARNING, "Error: can't create CDOL2 TLV.");
+ dreturn(6);
+ }
+
+ PrintAndLogEx(NORMAL, "CDOL2 data[%d]: %s", cdol2_data_tlv->len, sprint_hex(cdol2_data_tlv->value, cdol2_data_tlv->len));
+
+ //PrintAndLogEx(NORMAL, "* * AC2");
+
+
+ // here must be AC2, but we dont make external authenticate (
+
+/* // AC2
+ PRINT_INDENT(level);
+ if ((CID & EMVAC_AC2_MASK) == EMVAC_AAC2) fprintf(f, "\tAC2: AAC (Transaction declined)\n");
+ if ((CID & EMVAC_AC2_MASK) == EMVAC_TC2) fprintf(f, "\tAC2: TC (Transaction approved)\n");
+ if ((CID & EMVAC_AC2_MASK) == EMVAC_ARQC2) fprintf(f, "\tAC2: not requested (ARQC)\n");
+ if ((CID & EMVAC_AC2_MASK) == EMVAC_AC2_MASK) fprintf(f, "\tAC2: RFU\n");
+*/
+ }
+
+ }
+
+ DropFieldEx( channel );
+
+ // Destroy TLV's
+ free(pdol_data_tlv);
+ tlvdb_free(tlvSelect);
+ tlvdb_free(tlvRoot);
+
+ PrintAndLogEx(NORMAL, "\n* Transaction completed.");
+ return 0;
+}
+
+int CmdEMVScan(const char *cmd) {
+ uint8_t AID[APDU_DATA_LEN] = {0};
+ size_t AIDlen = 0;
+ uint8_t buf[APDU_RESPONSE_LEN] = {0};
+ size_t len = 0;
+ uint16_t sw = 0;
+ int res;
+ json_t *root;
+ json_error_t error;
+
+ CLIParserInit("emv scan",
+ "Scan EMV card and save it contents to a file.",
+ "It executes EMV contactless transaction and saves result to a file which can be used for emulation\n"
+ "Usage:\n\temv scan -at -> scan MSD transaction mode and show APDU and TLV\n"
+ "\temv scan -c -> scan CDA transaction mode\n");
+
+ void* argtable[] = {
+ arg_param_begin,
+ arg_lit0("aA", "apdu", "show APDU reqests and responses."),
+ arg_lit0("tT", "tlv", "TLV decode results."),
+ arg_lit0("eE", "extract", "Extract TLV elements and fill Application Data"),
+ arg_lit0("jJ", "jload", "Load transaction parameters from `emv/defparams.json` file."),
+ arg_rem("By default:", "Transaction type - MSD"),
+ arg_lit0("vV", "qvsdc", "Transaction type - qVSDC or M/Chip."),
+ arg_lit0("cC", "qvsdccda", "Transaction type - qVSDC or M/Chip plus CDA (SDAD generation)."),
+ arg_lit0("xX", "vsdc", "Transaction type - VSDC. For test only. Not a standart behavior."),
+ arg_lit0("gG", "acgpo", "VISA. generate AC from GPO."),
+ arg_lit0("mM", "merge", "Merge output file with card's data. (warning: the file may be corrupted!)"),
+#ifdef WITH_SMARTCARD
+ arg_lit0("wW", "wired", "Send data via contact (iso7816) interface. Contactless interface set by default."),
+#endif
+ arg_str1(NULL, NULL, "output.json", "JSON output file name"),
+ arg_param_end
+ };
+ CLIExecWithReturn(cmd, argtable, true);
+
+ bool showAPDU = arg_get_lit(1);
+ bool decodeTLV = arg_get_lit(2);
+ bool extractTLVElements = arg_get_lit(3);
+ bool paramLoadJSON = arg_get_lit(4);
+
+ enum TransactionType TrType = TT_MSD;
+ if (arg_get_lit(6))
+ TrType = TT_QVSDCMCHIP;
+ if (arg_get_lit(7))
+ TrType = TT_CDA;
+ if (arg_get_lit(8))
+ TrType = TT_VSDC;
+
+ bool GenACGPO = arg_get_lit(9);
+ bool MergeJSON = arg_get_lit(10);
+ EMVCommandChannel channel = ECC_CONTACTLESS;
+ uint8_t relfname[250] = {0};
+ char *crelfname = (char *)relfname;
+ int relfnamelen = 0;
+#ifdef WITH_SMARTCARD
+ if (arg_get_lit(11)) {
+ channel = ECC_CONTACT;
+ }
+ CLIGetStrWithReturn(12, relfname, &relfnamelen);
+#else
+ CLIGetStrWithReturn(11, relfname, &relfnamelen);
+#endif
+ PrintChannel(channel);
+ uint8_t psenum = (channel == ECC_CONTACT) ? 1 : 2;
+ CLIParserFree();
+
+ SetAPDULogging(showAPDU);
+
+ // current path + file name
+ if (!strstr(crelfname, ".json"))
+ strcat(crelfname, ".json");
+ char fname[strlen(get_my_executable_directory()) + strlen(crelfname) + 1];
+ strcpy(fname, get_my_executable_directory());
+ strcat(fname, crelfname);
+
+ if (MergeJSON) {
+ root = json_load_file(fname, 0, &error);
+ if (!root) {
+ PrintAndLogEx(ERR, "json error on line %d: %s", error.line, error.text);
+ return 1;
+ }
+
+ if (!json_is_object(root)) {
+ PrintAndLogEx(ERR, "Invalid json format. root must be an object.");
+ return 1;
+ }
+ } else {
+ root = json_object();
+ }
+
+ // drop field at start
+ DropFieldEx( channel );
+
+ JsonSaveStr(root, "$.File.Created", "proxmark3 `emv scan`");
+
+ if (channel == ECC_CONTACTLESS) {
+ // iso 14443 select
+ PrintAndLogEx(NORMAL, "--> GET UID, ATS.");
+
+ iso14a_card_select_t card;
+ if (Hf14443_4aGetCardData(&card)) {
+ return 2;
+ }
+ if (!card.uidlen) {
+ PrintAndLogEx(ERR, "get ATS error");
+ return 2;
+ }
+
+ JsonSaveStr(root, "$.Card.Contactless.Communication", "iso14443-4a");
+ JsonSaveBufAsHex(root, "$.Card.Contactless.UID", (uint8_t *)&card.uid, card.uidlen);
+ JsonSaveHex(root, "$.Card.Contactless.ATQA", card.atqa[0] + (card.atqa[1] << 2), 2);
+ JsonSaveHex(root, "$.Card.Contactless.SAK", card.sak, 0);
+ JsonSaveBufAsHex(root, "$.Card.Contactless.ATS", (uint8_t *)card.ats, card.ats_len);
+ } else {
+ PrintAndLogEx(NORMAL, "--> GET ATR.");
+
+ smart_card_atr_t ccard;
+ smart_getATR(&ccard);
+
+ if (!ccard.atr_len) {
+ PrintAndLogEx(ERR, "get ATR error");
+ return 2;
+ }
+
+ JsonSaveStr(root, "$.Card.Contact.Communication", "iso7816");
+ JsonSaveBufAsHex(root, "$.Card.Contact.ATR", (uint8_t *)ccard.atr, ccard.atr_len);
+ }
+
+ // init applets list tree
+ const char *al = "Applets list";
+ struct tlvdb *tlvSelect = tlvdb_fixed(1, strlen(al), (const unsigned char *)al);
+
+ // EMV PPSE
+ PrintAndLogEx(NORMAL, "--> PPSE.");
+ res = EMVSelectPSE(channel, true, true, 2, buf, sizeof(buf), &len, &sw);
+
+ if (!res && sw == 0x9000){
+ if (decodeTLV)
+ TLVPrintFromBuffer(buf, len);
+
+ JsonSaveBufAsHex(root, "$.PPSE.AID", (uint8_t *)"2PAY.SYS.DDF01", 14);
+
+ struct tlvdb *fci = tlvdb_parse_multi(buf, len);
+ if (extractTLVElements)
+ JsonSaveTLVTree(root, root, "$.PPSE.FCITemplate", fci);
+ else
+ JsonSaveTLVTreeElm(root, "$.PPSE.FCITemplate", fci, true, true, false);
+ JsonSaveTLVValue(root, "$.Application.KernelID", tlvdb_find_full(fci, 0x9f2a));
+ tlvdb_free(fci);
+ }
+
+ res = EMVSearchPSE(channel, false, true, psenum, decodeTLV, tlvSelect);
+
+ // check PPSE and select application id
+ if (!res) {
+ TLVPrintAIDlistFromSelectTLV(tlvSelect);
+ } else {
+ // EMV SEARCH with AID list
+ SetAPDULogging(false);
+ PrintAndLogEx(NORMAL, "--> AID search.");
+ if (EMVSearch(channel, false, true, decodeTLV, tlvSelect)) {
+ PrintAndLogEx(ERR, "Can't found any of EMV AID. Exit...");
+ tlvdb_free(tlvSelect);
+ DropFieldEx( channel );
+ return 3;
+ }
+
+ // check search and select application id
+ TLVPrintAIDlistFromSelectTLV(tlvSelect);
+ }
+
+ // EMV SELECT application
+ SetAPDULogging(showAPDU);
+ EMVSelectApplication(tlvSelect, AID, &AIDlen);
+
+ tlvdb_free(tlvSelect);
+
+ if (!AIDlen) {
+ PrintAndLogEx(INFO, "Can't select AID. EMV AID not found. Exit...");
+ DropFieldEx( channel );
+ return 4;
+ }
+
+ JsonSaveBufAsHex(root, "$.Application.AID", AID, AIDlen);
+
+ // Init TLV tree
+ const char *alr = "Root terminal TLV tree";
+ struct tlvdb *tlvRoot = tlvdb_fixed(1, strlen(alr), (const unsigned char *)alr);
+
+ // EMV SELECT applet
+
+ PrintAndLogEx(NORMAL, "\n-->Selecting AID:%s.", sprint_hex_inrow(AID, AIDlen));
+ SetAPDULogging(showAPDU);
+ res = EMVSelect(channel, false, true, AID, AIDlen, buf, sizeof(buf), &len, &sw, tlvRoot);
+
+ if (res) {
+ PrintAndLogEx(ERR, "Can't select AID (%d). Exit...", res);
+ tlvdb_free(tlvRoot);
+ DropFieldEx( channel );
+ return 5;
+ }
+
+ if (decodeTLV)
+ TLVPrintFromBuffer(buf, len);
+
+ // save mode
+ if (tlvdb_get(tlvRoot, 0x9f38, NULL)) {
+ JsonSaveStr(root, "$.Application.Mode", TransactionTypeStr[TrType]);
+ }
+
+ struct tlvdb *fci = tlvdb_parse_multi(buf, len);
+ if (extractTLVElements)
+ JsonSaveTLVTree(root, root, "$.Application.FCITemplate", fci);
+ else
+ JsonSaveTLVTreeElm(root, "$.Application.FCITemplate", fci, true, true, false);
+ tlvdb_free(fci);
+
+ // create transaction parameters
+ PrintAndLogEx(NORMAL, "-->Init transaction parameters.");
+ InitTransactionParameters(tlvRoot, paramLoadJSON, TrType, GenACGPO);
+
+ PrintAndLogEx(NORMAL, "-->Calc PDOL.");
+ struct tlv *pdol_data_tlv = dol_process(tlvdb_get(tlvRoot, 0x9f38, NULL), tlvRoot, 0x83);
+ if (!pdol_data_tlv){
+ PrintAndLogEx(ERR, "Can't create PDOL TLV.");
+ tlvdb_free(tlvRoot);
+ DropFieldEx( channel );
+ return 6;
+ }
+
+ size_t pdol_data_tlv_data_len;
+ unsigned char *pdol_data_tlv_data = tlv_encode(pdol_data_tlv, &pdol_data_tlv_data_len);
+ if (!pdol_data_tlv_data) {
+ PrintAndLogEx(ERR, "Can't create PDOL data.");
+ tlvdb_free(tlvRoot);
+ DropFieldEx( channel );
+ return 6;
+ }
+ PrintAndLogEx(INFO, "PDOL data[%d]: %s", pdol_data_tlv_data_len, sprint_hex(pdol_data_tlv_data, pdol_data_tlv_data_len));
+
+ PrintAndLogEx(INFO, "-->GPO.");
+ res = EMVGPO(channel, true, pdol_data_tlv_data, pdol_data_tlv_data_len, buf, sizeof(buf), &len, &sw, tlvRoot);
+
+ free(pdol_data_tlv_data);
+ free(pdol_data_tlv);
+
+ if (res) {
+ PrintAndLogEx(ERR, "GPO error(%d): %4x. Exit...", res, sw);
+ tlvdb_free(tlvRoot);
+ DropFieldEx( channel );
+ return 7;
+ }
+ ProcessGPOResponseFormat1(tlvRoot, buf, len, decodeTLV);
+
+ struct tlvdb *gpofci = tlvdb_parse_multi(buf, len);
+ if (extractTLVElements)
+ JsonSaveTLVTree(root, root, "$.Application.GPO", gpofci);
+ else
+ JsonSaveTLVTreeElm(root, "$.Application.GPO", gpofci, true, true, false);
+
+ JsonSaveTLVValue(root, "$.ApplicationData.AIP", tlvdb_find_full(gpofci, 0x82));
+ JsonSaveTLVValue(root, "$.ApplicationData.AFL", tlvdb_find_full(gpofci, 0x94));
+
+ tlvdb_free(gpofci);
+
+ PrintAndLogEx(INFO, "-->Read records from AFL.");
+ const struct tlv *AFL = tlvdb_get(tlvRoot, 0x94, NULL);
+
+ while(AFL && AFL->len) {
+ if (AFL->len % 4) {
+ PrintAndLogEx(ERR, "Wrong AFL length: %d", AFL->len);
+ break;
+ }
+
+ json_t *sfijson = json_path_get(root, "$.Application.Records");
+ if (!sfijson) {
+ json_t *app = json_path_get(root, "$.Application");
+ json_object_set_new(app, "Records", json_array());
+
+ sfijson = json_path_get(root, "$.Application.Records");
+ }
+ if (!json_is_array(sfijson)) {
+ PrintAndLogEx(ERR, "Internal logic error. `$.Application.Records` is not an array.");
+ break;
+ }
+ for (int i = 0; i < AFL->len / 4; i++) {
+ uint8_t SFI = AFL->value[i * 4 + 0] >> 3;
+ uint8_t SFIstart = AFL->value[i * 4 + 1];
+ uint8_t SFIend = AFL->value[i * 4 + 2];
+ uint8_t SFIoffline = AFL->value[i * 4 + 3];
+
+ PrintAndLogEx(INFO, "--->SFI[%02x] start:%02x end:%02x offline:%02x", SFI, SFIstart, SFIend, SFIoffline);
+ if (SFI == 0 || SFI == 31 || SFIstart == 0 || SFIstart > SFIend) {
+ PrintAndLogEx(ERR, "SFI ERROR! Skipped...");
+ continue;
+ }
+
+ for(int n = SFIstart; n <= SFIend; n++) {
+ PrintAndLogEx(INFO, "---->SFI[%02x] %d", SFI, n);
+
+ res = EMVReadRecord(channel, true, SFI, n, buf, sizeof(buf), &len, &sw, tlvRoot);
+ if (res) {
+ PrintAndLogEx(ERR, "SFI[%02x]. APDU error %4x", SFI, sw);
+ continue;
+ }
+
+ if (decodeTLV) {
+ TLVPrintFromBuffer(buf, len);
+ PrintAndLogEx(NORMAL, "");
+ }
+
+ json_t *jsonelm = json_object();
+ json_array_append_new(sfijson, jsonelm);
+
+ JsonSaveHex(jsonelm, "SFI", SFI, 1);
+ JsonSaveHex(jsonelm, "RecordNum", n, 1);
+ JsonSaveHex(jsonelm, "Offline", SFIoffline, 1);
+
+ struct tlvdb *rsfi = tlvdb_parse_multi(buf, len);
+ if (extractTLVElements)
+ JsonSaveTLVTree(root, jsonelm, "$.Data", rsfi);
+ else
+ JsonSaveTLVTreeElm(jsonelm, "$.Data", rsfi, true, true, false);
+ tlvdb_free(rsfi);
+ }
+ }
+
+ break;
+ }
+
+ // getting certificates
+ if (tlvdb_get(tlvRoot, 0x90, NULL)) {
+ PrintAndLogEx(INFO, "-->Recovering certificates.");
+ PKISetStrictExecution(false);
+ RecoveryCertificates(tlvRoot, root);
+ PKISetStrictExecution(true);
+ }
+
+ // free tlv object
+ tlvdb_free(tlvRoot);
+
+ DropFieldEx( channel );
+
+ res = json_dump_file(root, fname, JSON_INDENT(2));
+ if (res) {
+ PrintAndLogEx(ERR, "Can't save the file: %s", fname);
+ return 200;