]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhfmf.c
small fix in auth (#693)
[proxmark3-svn] / client / cmdhfmf.c
index b653cf300a1a7199b0d7e869cda93a187188c895..5efb4a41c3a030ee2b775138992048c9d767b8ad 100644 (file)
 #include <stdio.h>\r
 #include <stdlib.h>\r
 #include <ctype.h>\r
 #include <stdio.h>\r
 #include <stdlib.h>\r
 #include <ctype.h>\r
-#include "proxmark3.h"\r
+#include "comms.h"\r
 #include "cmdmain.h"\r
 #include "cmdhfmfhard.h"\r
 #include "cmdmain.h"\r
 #include "cmdhfmfhard.h"\r
+#include "parity.h"\r
 #include "util.h"\r
 #include "util_posix.h"\r
 #include "usb_cmd.h"\r
 #include "util.h"\r
 #include "util_posix.h"\r
 #include "usb_cmd.h"\r
@@ -26,6 +27,9 @@
 #include "mifare.h"\r
 #include "mfkey.h"\r
 #include "hardnested/hardnested_bf_core.h"\r
 #include "mifare.h"\r
 #include "mfkey.h"\r
 #include "hardnested/hardnested_bf_core.h"\r
+#include "cliparser/cliparser.h"\r
+#include "cmdhf14a.h"\r
+#include <polarssl/aes.h>\r
 \r
 #define NESTED_SECTOR_RETRY     10                     // how often we try mfested() until we give up\r
 \r
 \r
 #define NESTED_SECTOR_RETRY     10                     // how often we try mfested() until we give up\r
 \r
@@ -683,9 +687,9 @@ int CmdHF14AMfNested(const char *Cmd)
                        if (transferToEml) {\r
                                uint8_t sectortrailer;\r
                                if (trgBlockNo < 32*4) {        // 4 block sector\r
                        if (transferToEml) {\r
                                uint8_t sectortrailer;\r
                                if (trgBlockNo < 32*4) {        // 4 block sector\r
-                                       sectortrailer = (trgBlockNo & 0x03) + 3;\r
+                                       sectortrailer = trgBlockNo | 0x03;\r
                                } else {                                        // 16 block sector\r
                                } else {                                        // 16 block sector\r
-                                       sectortrailer = (trgBlockNo & 0x0f) + 15;\r
+                                       sectortrailer = trgBlockNo | 0x0f;\r
                                }\r
                                mfEmlGetMem(keyBlock, sectortrailer, 1);\r
 \r
                                }\r
                                mfEmlGetMem(keyBlock, sectortrailer, 1);\r
 \r
@@ -725,7 +729,6 @@ int CmdHF14AMfNested(const char *Cmd)
                                                blockNo = i * 4;\r
                                                keyType = j;\r
                                                num_to_bytes(e_sector[i].Key[j], 6, key);\r
                                                blockNo = i * 4;\r
                                                keyType = j;\r
                                                num_to_bytes(e_sector[i].Key[j], 6, key);\r
-                                               \r
                                                keyFound = true;\r
                                                break;\r
                                        }\r
                                                keyFound = true;\r
                                                break;\r
                                        }\r
@@ -736,6 +739,7 @@ int CmdHF14AMfNested(const char *Cmd)
                        // Can't found a key....\r
                        if (!keyFound) {\r
                                PrintAndLog("Can't found any of the known keys.");\r
                        // Can't found a key....\r
                        if (!keyFound) {\r
                                PrintAndLog("Can't found any of the known keys.");\r
+                               free(e_sector);\r
                                return 4;\r
                        }\r
                        PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
                                return 4;\r
                        }\r
                        PrintAndLog("--auto key. block no:%3d, key type:%c key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));\r
@@ -1186,7 +1190,10 @@ int CmdHF14AMfChk(const char *Cmd)
 \r
        // initialize storage for found keys\r
        e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
 \r
        // initialize storage for found keys\r
        e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
-       if (e_sector == NULL) return 1;\r
+       if (e_sector == NULL) {\r
+               free(keyBlock);\r
+               return 1;\r
+       }\r
        for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {\r
                for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
                        e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;\r
        for (uint8_t keyAB = 0; keyAB < 2; keyAB++) {\r
                for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
                        e_sector[sectorNo].Key[keyAB] = 0xffffffffffff;\r
@@ -1685,10 +1692,7 @@ int CmdHF14AMfESet(const char *Cmd)
        }\r
 \r
        //  1 - blocks count\r
        }\r
 \r
        //  1 - blocks count\r
-       UsbCommand c = {CMD_MIFARE_EML_MEMSET, {blockNo, 1, 0}};\r
-       memcpy(c.d.asBytes, memBlock, 16);\r
-       SendCommand(&c);\r
-       return 0;\r
+       return mfEmlSetMem(memBlock, blockNo, 1);\r
 }\r
 \r
 \r
 }\r
 \r
 \r
@@ -1907,7 +1911,7 @@ int CmdHF14AMfECFill(const char *Cmd)
                default:   numSectors = 16;\r
        }\r
 \r
                default:   numSectors = 16;\r
        }\r
 \r
-       printf("--params: numSectors: %d, keyType:%d", numSectors, keyType);\r
+       printf("--params: numSectors: %d, keyType:%d\n", numSectors, keyType);\r
        UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};\r
        SendCommand(&c);\r
        return 0;\r
        UsbCommand c = {CMD_MIFARE_EML_CARDLOAD, {numSectors, keyType, 0}};\r
        SendCommand(&c);\r
        return 0;\r
@@ -2473,6 +2477,7 @@ int CmdHF14AMfSniff(const char *Cmd){
        //var\r
        int res = 0;\r
        int len = 0;\r
        //var\r
        int res = 0;\r
        int len = 0;\r
+       int parlen = 0;\r
        int blockLen = 0;\r
        int pckNum = 0;\r
        int num = 0;\r
        int blockLen = 0;\r
        int pckNum = 0;\r
        int num = 0;\r
@@ -2484,6 +2489,7 @@ int CmdHF14AMfSniff(const char *Cmd){
        uint8_t *buf = NULL;\r
        uint16_t bufsize = 0;\r
        uint8_t *bufPtr = NULL;\r
        uint8_t *buf = NULL;\r
        uint16_t bufsize = 0;\r
        uint8_t *bufPtr = NULL;\r
+       uint8_t parity[16];\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if ( ctmp == 'h' || ctmp == 'H' ) {\r
 \r
        char ctmp = param_getchar(Cmd, 0);\r
        if ( ctmp == 'h' || ctmp == 'H' ) {\r
@@ -2575,6 +2581,7 @@ int CmdHF14AMfSniff(const char *Cmd){
                                        } else {\r
                                                isTag = false;\r
                                        }\r
                                        } else {\r
                                                isTag = false;\r
                                        }\r
+                                       parlen = (len - 1) / 8 + 1;\r
                                        bufPtr += 2;\r
                                        if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
                                                memcpy(uid, bufPtr + 2, 7);\r
                                        bufPtr += 2;\r
                                        if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
                                                memcpy(uid, bufPtr + 2, 7);\r
@@ -2593,15 +2600,22 @@ int CmdHF14AMfSniff(const char *Cmd){
                                                if (wantDecrypt)\r
                                                        mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
                                        } else {\r
                                                if (wantDecrypt)\r
                                                        mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
                                        } else {\r
-                                               PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));\r
+                                               oddparitybuf(bufPtr, len, parity);\r
+                                               PrintAndLog("%s(%d):%s [%s] c[%s]%c", \r
+                                                       isTag ? "TAG":"RDR", \r
+                                                       num, \r
+                                                       sprint_hex(bufPtr, len), \r
+                                                       printBitsPar(bufPtr + len, len), \r
+                                                       printBitsPar(parity, len),\r
+                                                       memcmp(bufPtr + len, parity, len / 8 + 1) ? '!' : ' ');\r
                                                if (wantLogToFile)\r
                                                        AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
                                                if (wantDecrypt)\r
                                                if (wantLogToFile)\r
                                                        AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
                                                if (wantDecrypt)\r
-                                                       mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
+                                                       mfTraceDecode(bufPtr, len, bufPtr[len], wantSaveToEmlFile);\r
                                                num++;\r
                                        }\r
                                        bufPtr += len;\r
                                                num++;\r
                                        }\r
                                        bufPtr += len;\r
-                                       bufPtr += ((len-1)/8+1);        // ignore parity\r
+                                       bufPtr += parlen;       // ignore parity\r
                                }\r
                                pckNum = 0;\r
                        }\r
                                }\r
                                pckNum = 0;\r
                        }\r
@@ -2623,6 +2637,154 @@ int CmdDecryptTraceCmds(const char *Cmd){
        return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
 }\r
 \r
        return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
 }\r
 \r
+int aes_encode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){\r
+       uint8_t iiv[16] = {0};\r
+       if (iv)\r
+               memcpy(iiv, iv, 16);\r
+       \r
+       aes_context aes;\r
+       aes_init(&aes);\r
+       if (aes_setkey_enc(&aes, key, 128))\r
+               return 1;\r
+       if (aes_crypt_cbc(&aes, AES_ENCRYPT, length, iiv, input, output))\r
+               return 2;\r
+       aes_free(&aes);\r
+\r
+       return 0;\r
+}\r
+\r
+int aes_decode(uint8_t *iv, uint8_t *key, uint8_t *input, uint8_t *output, int length){\r
+       uint8_t iiv[16] = {0};\r
+       if (iv)\r
+               memcpy(iiv, iv, 16);\r
+       \r
+       aes_context aes;\r
+       aes_init(&aes);\r
+       if (aes_setkey_dec(&aes, key, 128))\r
+               return 1;\r
+       if (aes_crypt_cbc(&aes, AES_DECRYPT, length, iiv, input, output))\r
+               return 2;\r
+       aes_free(&aes);\r
+\r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMfAuth4(const char *cmd) {\r
+       uint8_t keyn[20] = {0};\r
+       int keynlen = 0;\r
+       uint8_t key[16] = {0};\r
+       int keylen = 0;\r
+       uint8_t data[257] = {0};\r
+       int datalen = 0;\r
+       \r
+       uint8_t Rnd1[17] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00};\r
+       uint8_t Rnd2[17] = {0};\r
+       \r
+       \r
+       CLIParserInit("hf mf auth4", \r
+               "Executes AES authentication command in ISO14443-4", \r
+               "Usage:\n\thf mf auth4 4000 000102030405060708090a0b0c0d0e0f -> executes authentication\n"\r
+                       "\thf mf auth4 9003 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -> executes authentication\n");\r
+\r
+       void* argtable[] = {\r
+               arg_param_begin,\r
+               arg_str1(NULL,  NULL,     "<Key Num (HEX 2 bytes)>", NULL),\r
+               arg_str1(NULL,  NULL,     "<Key Value (HEX 16 bytes)>", NULL),\r
+               arg_param_end\r
+       };\r
+       CLIExecWithReturn(cmd, argtable, true);\r
+       \r
+       CLIGetStrWithReturn(1, keyn, &keynlen);\r
+       CLIGetStrWithReturn(2, key, &keylen);\r
+       CLIParserFree();\r
+       \r
+       if (keynlen != 2) {\r
+               PrintAndLog("ERROR: <Key Num> must be 2 bytes long instead of: %d", keynlen);\r
+               return 1;\r
+       }\r
+       \r
+       if (keylen != 16) {\r
+               PrintAndLog("ERROR: <Key Value> must be 16 bytes long instead of: %d", keylen);\r
+               return 1;\r
+       }\r
+\r
+       uint8_t cmd1[] = {0x0a, 0x00, 0x70, keyn[1], keyn[0], 0x00};\r
+       int res = ExchangeRAW14a(cmd1, sizeof(cmd1), true, true, data, sizeof(data), &datalen);\r
+       if (res) {\r
+               PrintAndLog("ERROR exchande raw error: %d", res);\r
+               DropField();\r
+               return 2;\r
+       }\r
+       \r
+       PrintAndLog("<phase1: %s", sprint_hex(data, datalen));\r
+               \r
+       if (datalen < 3) {\r
+               PrintAndLog("ERROR: card response length: %d", datalen);\r
+               DropField();\r
+               return 3;\r
+       }\r
+       \r
+       if (data[0] != 0x0a || data[1] != 0x00) {\r
+               PrintAndLog("ERROR: card response. Framing error. :%s", sprint_hex(data, 2));\r
+               DropField();\r
+               return 3;\r
+       }\r
+\r
+       if (data[2] != 0x90) {\r
+               PrintAndLog("ERROR: card response error: %02x", data[2]);\r
+               DropField();\r
+               return 3;\r
+       }\r
+\r
+       if (datalen != 19) {\r
+               PrintAndLog("ERROR: card response must be 16 bytes long instead of: %d", datalen);\r
+               DropField();\r
+               return 3;\r
+       }\r
+       \r
+    aes_decode(NULL, key, &data[3], Rnd2, 16);\r
+       Rnd2[16] = Rnd2[0];\r
+       PrintAndLog("Rnd2: %s", sprint_hex(Rnd2, 16));\r
+\r
+       uint8_t cmd2[35] = {0};\r
+       cmd2[0] = 0x0b;\r
+       cmd2[1] = 0x00;\r
+       cmd2[2] = 0x72;\r
+\r
+       uint8_t raw[32] = {0};\r
+       memmove(raw, Rnd1, 16);\r
+       memmove(&raw[16], &Rnd2[1], 16);\r
+\r
+    aes_encode(NULL, key, raw, &cmd2[3], 32);\r
+       PrintAndLog(">phase2: %s", sprint_hex(cmd2, 35));\r
+       \r
+       res = ExchangeRAW14a(cmd2, sizeof(cmd2), false, false, data, sizeof(data), &datalen);\r
+       if (res) {\r
+               PrintAndLog("ERROR exchande raw error: %d", res);\r
+               DropField();\r
+               return 4;\r
+       }\r
+       \r
+       PrintAndLog("<phase2: %s", sprint_hex(data, datalen));\r
+\r
+    aes_decode(NULL, key, &data[3], raw, 32);\r
+       PrintAndLog("res: %s", sprint_hex(raw, 32));\r
+       \r
+       PrintAndLog("Rnd1`: %s", sprint_hex(&raw[4], 16));\r
+       if (memcmp(&raw[4], &Rnd1[1], 16)) {\r
+               PrintAndLog("\nERROR: Authentication FAILED. rnd not equal");\r
+               PrintAndLog("rnd1 reader: %s", sprint_hex(&Rnd1[1], 16));\r
+               PrintAndLog("rnd1   card: %s", sprint_hex(&raw[4], 16));\r
+               DropField();\r
+               return 5;\r
+       }\r
+\r
+       DropField();\r
+       PrintAndLog("\nAuthentication OK");\r
+       \r
+       return 0;\r
+}\r
+\r
 static command_t CommandTable[] =\r
 {\r
   {"help",             CmdHelp,                 1, "This help"},\r
 static command_t CommandTable[] =\r
 {\r
   {"help",             CmdHelp,                 1, "This help"},\r
@@ -2632,6 +2794,7 @@ static command_t CommandTable[] =
   {"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},\r
   {"restore",                 CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},\r
   {"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},\r
   {"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},\r
   {"restore",                 CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},\r
   {"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},\r
+  {"auth4",            CmdHF14AMfAuth4,         0, "ISO14443-4 AES authentication"},\r
   {"chk",              CmdHF14AMfChk,           0, "Test block keys"},\r
   {"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},\r
   {"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},\r
   {"chk",              CmdHF14AMfChk,           0, "Test block keys"},\r
   {"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},\r
   {"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},\r
@@ -2658,11 +2821,9 @@ static command_t CommandTable[] =
 \r
 int CmdHFMF(const char *Cmd)\r
 {\r
 \r
 int CmdHFMF(const char *Cmd)\r
 {\r
-       // flush\r
-       WaitForResponseTimeout(CMD_ACK,NULL,100);\r
-\r
-  CmdsParse(CommandTable, Cmd);\r
-  return 0;\r
+       (void)WaitForResponseTimeout(CMD_ACK,NULL,100);\r
+       CmdsParse(CommandTable, Cmd);\r
+       return 0;\r
 }\r
 \r
 int CmdHelp(const char *Cmd)\r
 }\r
 \r
 int CmdHelp(const char *Cmd)\r
Impressum, Datenschutz