]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/epa.c
CHG: started the process of fixing "hf legic write" and "hf legic sim" commands.
[proxmark3-svn] / armsrc / epa.c
index a3c6669ed648374608c30fc000ac1a7fc2bcda30..16d9001455dd7f58819c40aabb2a58611e61c140 100644 (file)
@@ -5,17 +5,18 @@
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
 //-----------------------------------------------------------------------------
-// Routines to support the German eletronic "Personalausweis" (ID card)
+// Routines to support the German electronic "Personalausweis" (ID card)
 // Note that the functions which do not implement USB commands do NOT initialize
 // the card (with iso14443a_select_card etc.). If You want to use these
 // functions, You need to do the setup before calling them!
 //-----------------------------------------------------------------------------
 
 #include "iso14443a.h"
+#include "iso14443b.h"
 #include "epa.h"
-#include "../common/cmd.h"
+#include "cmd.h"
 
-// Protocol and Parameter Selection Request
+// Protocol and Parameter Selection Request for ISO 14443 type A cards
 // use regular (1x) speed in both directions
 // CRC is already included
 static const uint8_t pps[] = {0xD0, 0x11, 0x00, 0x52, 0xA6};
@@ -74,6 +75,54 @@ static const uint8_t oid_pace_start[] = {
     0x04 // id-PACE
 };
 
+// APDUs for replaying:
+// MSE: Set AT (initiate PACE)
+static uint8_t apdu_replay_mse_set_at_pace[41];
+// General Authenticate (Get Nonce)
+static uint8_t apdu_replay_general_authenticate_pace_get_nonce[8];
+// General Authenticate (Map Nonce)
+static uint8_t apdu_replay_general_authenticate_pace_map_nonce[75];
+// General Authenticate (Mutual Authenticate)
+static uint8_t apdu_replay_general_authenticate_pace_mutual_authenticate[75];
+// General Authenticate (Perform Key Agreement)
+static uint8_t apdu_replay_general_authenticate_pace_perform_key_agreement[18];
+// pointers to the APDUs (for iterations)
+static struct {
+       uint8_t len;
+       uint8_t *data;
+} const apdus_replay[] = {
+       {sizeof(apdu_replay_mse_set_at_pace), apdu_replay_mse_set_at_pace},
+       {sizeof(apdu_replay_general_authenticate_pace_get_nonce), apdu_replay_general_authenticate_pace_get_nonce},
+       {sizeof(apdu_replay_general_authenticate_pace_map_nonce), apdu_replay_general_authenticate_pace_map_nonce},
+       {sizeof(apdu_replay_general_authenticate_pace_mutual_authenticate), apdu_replay_general_authenticate_pace_mutual_authenticate},
+       {sizeof(apdu_replay_general_authenticate_pace_perform_key_agreement), apdu_replay_general_authenticate_pace_perform_key_agreement}
+};
+
+// lengths of the replay APDUs
+static uint8_t apdu_lengths_replay[5];
+
+// type of card (ISO 14443 A or B)
+static char iso_type;
+
+//-----------------------------------------------------------------------------
+// Wrapper for sending APDUs to type A and B cards
+//-----------------------------------------------------------------------------
+int EPA_APDU(uint8_t *apdu, size_t length, uint8_t *response)
+{
+       switch(iso_type)
+       {
+               case 'a':
+                       return iso14_apdu(apdu, (uint16_t) length, response);
+                       break;
+               case 'b':
+                       return iso14443b_apdu(apdu, length, response);
+                       break;
+               default:
+                       return 0;
+                       break;
+       }
+}
+
 //-----------------------------------------------------------------------------
 // Closes the communication channel and turns off the field
 //-----------------------------------------------------------------------------
@@ -81,6 +130,7 @@ void EPA_Finish()
 {
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
+       iso_type = 0;
 }
 
 //-----------------------------------------------------------------------------
@@ -101,16 +151,16 @@ size_t EPA_Parse_CardAccess(uint8_t *data,
                             pace_version_info_t *pace_info)
 {
        size_t index = 0;
-       
+
        while (index <= length - 2) {
                // determine type of element
                // SET or SEQUENCE
                if (data[index] == 0x31 || data[index] == 0x30) {
                        // enter the set (skip tag + length)
                        index += 2;
-                       // extended length
+                       // check for extended length
                        if ((data[index - 1] & 0x80) != 0) {
-                               index += (data[index] & 0x7F);
+                               index += (data[index-1] & 0x7F);
                        }
                }
                // OID
@@ -158,7 +208,7 @@ size_t EPA_Parse_CardAccess(uint8_t *data,
                        index += 2 + data[index + 1];
                }
        }
-       
+
        // TODO: We should check whether we reached the end in error, but for that
        //       we need a better parser (e.g. with states like IN_SET or IN_PACE_INFO)
        return 0;
@@ -176,31 +226,31 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
        // we reserve 262 bytes here just to be safe (256-byte APDU + SW + ISO frame)
        uint8_t response_apdu[262];
        int rapdu_length = 0;
-       
+
        // select the file EF.CardAccess
-       rapdu_length = iso14_apdu((uint8_t *)apdu_select_binary_cardaccess,
+       rapdu_length = EPA_APDU((uint8_t *)apdu_select_binary_cardaccess,
                                  sizeof(apdu_select_binary_cardaccess),
                                  response_apdu);
-       if (rapdu_length != 6
+       if (rapdu_length < 6
            || response_apdu[rapdu_length - 4] != 0x90
            || response_apdu[rapdu_length - 3] != 0x00)
        {
-               Dbprintf("epa - no select cardaccess");
+               DbpString("Failed to select EF.CardAccess!");
                return -1;
        }
-       
+
        // read the file
-       rapdu_length = iso14_apdu((uint8_t *)apdu_read_binary,
+       rapdu_length = EPA_APDU((uint8_t *)apdu_read_binary,
                                  sizeof(apdu_read_binary),
                                  response_apdu);
        if (rapdu_length <= 6
            || response_apdu[rapdu_length - 4] != 0x90
            || response_apdu[rapdu_length - 3] != 0x00)
        {
-               Dbprintf("epa - no read cardaccess");
+               Dbprintf("Failed to read EF.CardAccess!");
                return -1;
        }
-       
+
        // copy the content into the buffer
        // length of data available: apdu_length - 4 (ISO frame) - 2 (SW)
        size_t to_copy = rapdu_length - 6;
@@ -215,14 +265,9 @@ int EPA_Read_CardAccess(uint8_t *buffer, size_t max_length)
 //-----------------------------------------------------------------------------
 static void EPA_PACE_Collect_Nonce_Abort(uint8_t step, int func_return)
 {
-//     // step in which the failure occured
-//     ack->arg[0] = step;
-//     // last return code
-//     ack->arg[1] = func_return;
-
        // power down the field
        EPA_Finish();
-       
+
        // send the USB packet
        cmd_send(CMD_ACK,step,func_return,0,0,0);
 }
@@ -246,35 +291,23 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
        // return value of a function
        int func_return = 0;
 
-//     // initialize ack with 0s
-//     memset(ack->arg, 0, 12);
-//     memset(ack->d.asBytes, 0, 48);
-       
        // set up communication
        func_return = EPA_Setup();
        if (func_return != 0) { 
                EPA_PACE_Collect_Nonce_Abort(1, func_return);
-               Dbprintf("epa: setup fucked up! %d", func_return);
                return;
        }
 
-       // increase the timeout (at least some cards really do need this!)
-       iso14a_set_timeout(0x0002FFFF);
-       Dbprintf("epa: Epic!");
-       
        // read the CardAccess file
        // this array will hold the CardAccess file
        uint8_t card_access[256] = {0};
        int card_access_length = EPA_Read_CardAccess(card_access, 256);
        // the response has to be at least this big to hold the OID
        if (card_access_length < 18) {
-               Dbprintf("epa: Too small!");
                EPA_PACE_Collect_Nonce_Abort(2, card_access_length);
                return;
        }
 
-       Dbprintf("epa: foo!");
-       
        // this will hold the PACE info of the card
        pace_version_info_t pace_version_info;
        // search for the PACE OID
@@ -285,13 +318,11 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
                EPA_PACE_Collect_Nonce_Abort(3, func_return);
                return;
        }
-       
-       Dbprintf("epa: bar!");
-       
+
        // initiate the PACE protocol
        // use the CAN for the password since that doesn't change
        func_return = EPA_PACE_MSE_Set_AT(pace_version_info, 2);
-       
+
        // now get the nonce
        uint8_t nonce[256] = {0};
        uint8_t requested_size = (uint8_t)c->arg[0];
@@ -302,13 +333,11 @@ void EPA_PACE_Collect_Nonce(UsbCommand *c)
                EPA_PACE_Collect_Nonce_Abort(4, func_return);
                return;
        }
-  
-  // all done, return
+
+       // all done, return
        EPA_Finish();
-       
+
        // save received information
-//     ack->arg[1] = func_return;
-//     memcpy(ack->d.asBytes, nonce, func_return);
        cmd_send(CMD_ACK,0,func_return,0,nonce,func_return);
 }
 
@@ -330,10 +359,10 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
               sizeof(apdu_general_authenticate_pace_get_nonce));
        // append Le (requested length + 2 due to tag/length taking 2 bytes) in RAPDU
        apdu[sizeof(apdu_general_authenticate_pace_get_nonce)] = requested_length + 4;
-       
+
        // send it
        uint8_t response_apdu[262];
-       int send_return = iso14_apdu(apdu,
+       int send_return = EPA_APDU(apdu,
                                     sizeof(apdu),
                                     response_apdu);
        // check if the command succeeded
@@ -343,7 +372,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
        {
                return -1;
        }
-       
+
        // if there is no nonce in the RAPDU, return here
        if (send_return < 10)
        {
@@ -358,7 +387,7 @@ int EPA_PACE_Get_Nonce(uint8_t requested_length, uint8_t *nonce)
        }
        // copy the nonce
        memcpy(nonce, response_apdu + 6, nonce_length);
-       
+
        return nonce_length;
 }
 
@@ -404,7 +433,7 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
        apdu[4] = apdu_length - 5;
        // send it
        uint8_t response_apdu[6];
-       int send_return = iso14_apdu(apdu,
+       int send_return = EPA_APDU(apdu,
                                     apdu_length,
                                     response_apdu);
        // check if the command succeeded
@@ -417,95 +446,113 @@ int EPA_PACE_MSE_Set_AT(pace_version_info_t pace_version_info, uint8_t password)
        return 0;
 }
 
+//-----------------------------------------------------------------------------
+// Perform the PACE protocol by replaying given APDUs
+//-----------------------------------------------------------------------------
+void EPA_PACE_Replay(UsbCommand *c)
+{
+       uint32_t timings[sizeof(apdu_lengths_replay) / sizeof(apdu_lengths_replay[0])] = {0};
+
+       // if an APDU has been passed, save it
+       if (c->arg[0] != 0) {
+               // make sure it's not too big
+               if(c->arg[2] > apdus_replay[c->arg[0] - 1].len)
+               {
+                       cmd_send(CMD_ACK, 1, 0, 0, NULL, 0);
+               }
+               memcpy(apdus_replay[c->arg[0] - 1].data + c->arg[1],
+                  c->d.asBytes,
+                  c->arg[2]);
+               // save/update APDU length
+               if (c->arg[1] == 0) {
+                       apdu_lengths_replay[c->arg[0] - 1] = c->arg[2];
+               } else {
+                       apdu_lengths_replay[c->arg[0] - 1] += c->arg[2];
+               }
+               cmd_send(CMD_ACK, 0, 0, 0, NULL, 0);
+               return;
+       }
+
+       // return value of a function
+       int func_return;
+
+       // set up communication
+       func_return = EPA_Setup();
+       if (func_return != 0) {
+               EPA_Finish();
+               cmd_send(CMD_ACK, 2, func_return, 0, NULL, 0);
+               return;
+       }
+
+       // increase the timeout (at least some cards really do need this!)/////////////
+       // iso14a_set_timeout(0x0003FFFF);
+
+       // response APDU
+       uint8_t response_apdu[300] = {0};
+
+       // now replay the data and measure the timings
+       for (int i = 0; i < sizeof(apdu_lengths_replay); i++) {
+               StartCountUS();
+               func_return = EPA_APDU(apdus_replay[i].data,
+                                        apdu_lengths_replay[i],
+                                        response_apdu);
+               timings[i] = GetCountUS();
+               // every step but the last one should succeed
+               if (i < sizeof(apdu_lengths_replay) - 1
+                   && (func_return < 6
+                       || response_apdu[func_return - 4] != 0x90
+                       || response_apdu[func_return - 3] != 0x00))
+               {
+                       EPA_Finish();
+                       cmd_send(CMD_ACK, 3 + i, func_return, 0, timings, 20);
+                       return;
+               }
+       }
+       EPA_Finish();
+       cmd_send(CMD_ACK,0,0,0,timings,20);
+       return;
+}
+
 //-----------------------------------------------------------------------------
 // Set up a communication channel (Card Select, PPS)
 // Returns 0 on success or a non-zero error code on failure
 //-----------------------------------------------------------------------------
 int EPA_Setup()
 {
-       // return code
-       //int return_code = 0;
-       
-       // card UID
-       //uint8_t uid[10] = {0x00};
-       
+       int return_code = 0;
+       uint8_t uid[10];
+       uint8_t pps_response[3];
+       uint8_t pps_response_par[1];
+       iso14a_card_select_t card_a_info;
+       iso14b_card_select_t card_b_info;
+
+       // first, look for type A cards
        // power up the field
        iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
-       iso14a_clear_trace();
-       iso14a_set_tracing(TRUE);
-       iso14a_set_timeout(10500);
-       
-       // card select information
-       byte_t cardbuf[USB_CMD_DATA_SIZE];
-       memset(cardbuf,0,USB_CMD_DATA_SIZE);
-       iso14a_card_select_t *card = (iso14a_card_select_t*)cardbuf;
-       
        // select the card
-       // if (!iso14443a_select_card(uid, &card_info, NULL)) {
-               // Dbprintf("Epa: Can't select card");
-               // return -1;
-       // }
-       
-       uint8_t wupa[]     = { 0x26 };  // 0x26 - REQA  0x52 - WAKE-UP
-       uint8_t sel_all[]  = { 0x93,0x20 };
-       uint8_t sel_uid[]  = { 0x93,0x70,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
-       uint8_t rats[]       = { 0xE0,0x81,0x00,0x00 }; // FSD=256, FSDI=8, CID=1
-       
-       uint8_t *resp = ((uint8_t *)BigBuf) + RECV_RESP_OFFSET;
-       uint8_t *resp_par = ((uint8_t *)BigBuf) + RECV_RESP_PAR_OFFSET;
-       
-       byte_t uid_resp[4];
-       size_t uid_resp_len = 4;
-
-       uint8_t sak = 0x04; // cascade uid
-       int len;
-        
-       // Broadcast for a card, WUPA (0x52) will force response from all cards in the field
-    ReaderTransmitBitsPar(wupa,7,0, NULL);
-       
-       // Receive the ATQA
-       if(!ReaderReceive(resp, resp_par)) return -1;
-  
-    // SELECT_ALL
-    ReaderTransmit(sel_all,sizeof(sel_all), NULL);
-    if (!ReaderReceive(resp, resp_par)) return -1;
-       
-       // uid response from tag
-       memcpy(uid_resp,resp,uid_resp_len);
-
-       // Construct SELECT UID command
-       // transmitting a full UID (1 Byte cmd, 1 Byte NVB, 4 Byte UID, 1 Byte BCC, 2 Bytes CRC)
-    memcpy(sel_uid+2,uid_resp,4);                                                                              // the UID
-       sel_uid[6] = sel_uid[2] ^ sel_uid[3] ^ sel_uid[4] ^ sel_uid[5];         // calculate and add BCC
-    AppendCrc14443a(sel_uid,7);                                                                                        // calculate and add CRC
-    ReaderTransmit(sel_uid,sizeof(sel_uid), NULL);
-
-    // Receive the SAK
-    if (!ReaderReceive(resp, resp_par)) return -1;
-    sak = resp[0];
-       
-       // Request for answer to select
-       AppendCrc14443a(rats, 2);
-       ReaderTransmit(rats, sizeof(rats), NULL);
-
-       if ( !(len = ReaderReceive(resp, resp_par) )) return -1;
-
-       // populate the collected data.
-    memcpy( card->uid, uid_resp, uid_resp_len);
-    card->uidlen += uid_resp_len;
-    card->sak = sak;
-    card->ats_len = len;
-    memcpy(card->ats, resp, sizeof(card->ats));
-       
-       
-       // send the PPS request
-       // ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
-       // uint8_t pps_response[3];
-       // uint8_t pps_response_par[1];
-       // return_code = ReaderReceive(pps_response,pps_response_par);
-       // if (return_code != 3 || pps_response[0] != 0xD0) {
-               // return return_code == 0 ? 2 : return_code;
-       // }
-       
-       return -1;
-}
\ No newline at end of file
+       return_code = iso14443a_select_card(uid, &card_a_info, NULL, true, 0);
+       if (return_code == 1) {
+               // send the PPS request
+               ReaderTransmit((uint8_t *)pps, sizeof(pps), NULL);
+               return_code = ReaderReceive(pps_response, pps_response_par);
+               if (return_code != 3 || pps_response[0] != 0xD0) {
+                       return return_code == 0 ? 2 : return_code;
+               }
+               Dbprintf("ISO 14443 Type A");
+               iso_type = 'a';
+               return 0;
+       }
+
+       // if we're here, there is no type A card, so we look for type B
+       // power up the field
+       iso14443b_setup();
+       // select the card
+       return_code = iso14443b_select_card( &card_b_info );
+       if (return_code == 1) {
+               Dbprintf("ISO 14443 Type B");
+               iso_type = 'b';
+               return 0;
+       }
+       Dbprintf("No card found.");
+       return 1;
+}
Impressum, Datenschutz