From: iceman1001 Date: Fri, 19 Sep 2014 08:50:34 +0000 (+0200) Subject: Merge branch 'master' of https://github.com/Proxmark/proxmark3 X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/75465377b93c9a27450a186342e9cfd2a84b4173?hp=3d93d4f940e3251b3d18dfb1aa0839aa784cd573 Merge branch 'master' of https://github.com/Proxmark/proxmark3 Conflicts: armsrc/appmain.c armsrc/apps.h armsrc/iclass.c client/Makefile client/cmdhficlass.c client/loclass/cipher.c client/loclass/fileutils.c client/loclass/ikeys.h include/usb_cmd.h --- diff --git a/README.txt b/README.txt index ce5eacf4..cb2c7f3c 100644 --- a/README.txt +++ b/README.txt @@ -85,4 +85,3 @@ Jonathan Westhues user jwesthues, at host cq.cx May 2007, Cambridge MA - diff --git a/armsrc/apps.h b/armsrc/apps.h index 38c1d689..90313aec 100644 --- a/armsrc/apps.h +++ b/armsrc/apps.h @@ -264,7 +264,7 @@ void SimulateIClass(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain void ReaderIClass(uint8_t arg0); void ReaderIClass_Replay(uint8_t arg0,uint8_t *MAC); void IClass_iso14443A_GetPublic(uint8_t arg0); - + // hitag2.h void SnoopHitag(uint32_t type); void SimulateHitagTag(bool tag_mem_supplied, byte_t* data); diff --git a/armsrc/iclass.c b/armsrc/iclass.c index f71607d2..6ceb436b 100644 --- a/armsrc/iclass.c +++ b/armsrc/iclass.c @@ -47,6 +47,7 @@ // different initial value (CRC_ICLASS) #include "../common/iso14443crc.h" #include "../common/iso15693tools.h" +#include "iso15693tools.h" static int timeout = 4096; @@ -1514,23 +1515,23 @@ void ReaderIClass(uint8_t arg0) { { WDT_HIT(); - // Send act_all - ReaderTransmitIClass(act_all, 1); - // Card present? - if(ReaderReceiveIClass(resp)) { + // Send act_all + ReaderTransmitIClass(act_all, 1); + // Card present? + if(ReaderReceiveIClass(resp)) { - ReaderTransmitIClass(identify, 1); + ReaderTransmitIClass(identify, 1); - if(ReaderReceiveIClass(resp) == 10) { + if(ReaderReceiveIClass(resp) == 10) { //Copy the Anti-collision CSN to our select-packet - memcpy(&select[1],resp,8); + memcpy(&select[1],resp,8); //Dbprintf("Anti-collision CSN: %02x %02x %02x %02x %02x %02x %02x %02x",resp[0], resp[1], resp[2], // resp[3], resp[4], resp[5], // resp[6], resp[7]); //Select the card - ReaderTransmitIClass(select, sizeof(select)); + ReaderTransmitIClass(select, sizeof(select)); - if(ReaderReceiveIClass(resp) == 10) { + if(ReaderReceiveIClass(resp) == 10) { //Save CSN in response data memcpy(card_data,resp,8); datasize += 8; @@ -1569,7 +1570,7 @@ void ReaderIClass(uint8_t arg0) { break; } } - LED_A_OFF(); + LED_A_OFF(); } void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { @@ -1580,7 +1581,7 @@ void ReaderIClass_Replay(uint8_t arg0, uint8_t *MAC) { uint8_t check[] = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; uint8_t read[] = { 0x0c, 0x00, 0x00, 0x00 }; - uint16_t crc = 0; + uint16_t crc = 0; uint8_t cardsize=0; bool read_success=false; uint8_t mem=0; @@ -1814,7 +1815,7 @@ void IClass_iso14443A_write(uint8_t arg0, uint8_t blockNo, uint8_t *data, uint8_ memcpy(write+10,mac,4); while(!send_success){ ReaderTransmitIClass(write, sizeof(write)); - if(ReaderReceiveIClass(resp) == 10) { + if(ReaderReceiveIClass(resp) == 10) { write_success=true; } }// diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 6660ef75..60f5ec03 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -40,11 +40,20 @@ bool InitDesfireCard(){ return true; } +// ARG0 flag enums +enum { + NONE = 0x00, + INIT = 0x01, + DISCONNECT = 0x02, + FOO = 0x04, + BAR = 0x08, +} CmdOptions ; + void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){ /* ARG0 contains flags. 0x01 = init card. - 0x02 = + 0x02 = No Disconnect 0x03 */ uint8_t flags = arg0; @@ -53,17 +62,18 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){ memset(resp,0,sizeof(resp)); if (MF_DBGLEVEL >= 4) { - Dbprintf(" flags: %02X", flags); - Dbprintf(" len : %02X", datalen); - print_result("to send: ", datain, datalen); + Dbprintf(" flags : %02X", flags); + Dbprintf(" len : %02X", datalen); + print_result(" RX : ", datain, datalen); } - if ( flags & 0x01 ){ + if ( flags & INIT ){ if ( !InitDesfireCard() ) return; } int len = DesfireAPDU(datain, datalen, resp); + print_result(" <--: ", resp, len); if ( !len ) { if (MF_DBGLEVEL >= 4) { print_result("ERR <--: ", resp, len); @@ -71,10 +81,14 @@ void MifareSendCommand(uint8_t arg0, uint8_t arg1, uint8_t *datain){ OnError(); return; } - cmd_send(CMD_ACK,1,len,0,resp,len); - - OnSuccess(); + // reset the pcb_blocknum, + pcb_blocknum = 0; + + if ( flags & DISCONNECT ) + OnSuccess(); + + cmd_send(CMD_ACK,1,len,0,resp,len); } void MifareDesfireGetInformation(){ @@ -556,19 +570,16 @@ void MifareDES_Auth2(uint32_t arg0, uint8_t *datain){ } void OnSuccess(){ - // transmit a DESELECT COMMAND for Desfire. - ReaderTransmit(deselect_cmd, 3 , NULL); - // reset the pcb_blocknum, pcb_blocknum = 0; + ReaderTransmit(deselect_cmd, 3 , NULL); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); } void OnError(){ - cmd_send(CMD_ACK,0,0,0,0,0); - ReaderTransmit(deselect_cmd, 3 , NULL); - // reset the pcb_blocknum, pcb_blocknum = 0; + ReaderTransmit(deselect_cmd, 3 , NULL); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); + cmd_send(CMD_ACK,0,0,0,0,0); LEDsoff(); } diff --git a/client/Makefile b/client/Makefile index 026db798..1aa801ee 100644 --- a/client/Makefile +++ b/client/Makefile @@ -23,6 +23,11 @@ CXXFLAGS = -I$(QTDIR)/include -I$(QTDIR)/include/QtCore -I$(QTDIR)/include/QtGui QTLDLIBS = -L$(QTDIR)/lib -lQt5Core -lQt5Gui -lQt5Widgets MOC = $(QTDIR)/bin/moc LUAPLATFORM = mingw +else ifeq ($(platform),Darwin) +CXXFLAGS = $(shell pkg-config --cflags QtCore QtGui 2>/dev/null) -Wall -O4 +QTLDLIBS = $(shell pkg-config --libs QtCore QtGui 2>/dev/null) +MOC = $(shell pkg-config --variable=moc_location QtCore) +LUAPLATFORM = macosx else CXXFLAGS = $(shell pkg-config --cflags QtCore QtGui 2>/dev/null) -Wall -O4 QTLDLIBS = $(shell pkg-config --libs QtCore QtGui 2>/dev/null) @@ -78,8 +83,8 @@ CMDSRCS = nonce2key/crapto1.c\ cmdhfdes.c \ cmdhw.c \ cmdlf.c \ - cmdlfhid.c \ cmdlfio.c \ + cmdlfhid.c \ cmdlfem4x.c \ cmdlfhitag.c \ cmdlfti.c \ diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index e32664f5..bd215a61 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -97,7 +97,7 @@ int CmdHFiClassList(const char *Cmd) first_timestamp = timestamp; } - // Break and stick with current result if buffer was not completely full + // Break and stick with current result idf buffer was not completely full if (frame[0] == 0x44 && frame[1] == 0x44 && frame[2] == 0x44 && frame[3] == 0x44) break; char line[1000] = ""; @@ -437,7 +437,7 @@ int CmdHFiClassReader_Replay(const char *Cmd) PrintAndLog("Usage: hf iclass replay "); PrintAndLog(" sample: hf iclass replay 00112233"); return 0; - } + } if (param_gethex(Cmd, 0, MAC, 8)) { PrintAndLog("MAC must include 8 HEX symbols"); @@ -477,11 +477,12 @@ int CmdHFiClassReader_Dump(const char *Cmd) return 0; } - if (param_gethex(Cmd, 0, KEY, 16)) { + if (param_gethex(Cmd, 0, KEY, 16)) + { PrintAndLog("KEY must include 16 HEX symbols"); return 1; } - + if (param_getchar(Cmd, 1) == 'e') { PrintAndLog("Elite switch on"); @@ -593,7 +594,7 @@ int CmdHFiClass_iso14443A_write(const char *Cmd) if (blockNo>32) { PrintAndLog("Error: Maximum number of blocks is 32 for iClass 2K Cards!"); - return 1; + return 1; } if (param_gethex(Cmd, 2, bldata, 8)) { @@ -649,7 +650,10 @@ static command_t CommandTable[] = {"list", CmdHFiClassList, 0, "List iClass history"}, {"snoop", CmdHFiClassSnoop, 0, "Eavesdrop iClass communication"}, {"sim", CmdHFiClassSim, 0, "Simulate iClass tag"}, - {"reader", CmdHFiClassReader, 0, "Read an iClass tag"}, + {"reader",CmdHFiClassReader, 0, "Read an iClass tag"}, + {"replay",CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"}, + {"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"}, + {"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"}, {"replay", CmdHFiClassReader_Replay, 0, "Read an iClass tag via Reply Attack"}, {"dump", CmdHFiClassReader_Dump, 0, "Authenticate and Dump iClass tag"}, {"write", CmdHFiClass_iso14443A_write, 0, "Authenticate and Write iClass block"}, diff --git a/client/cmdhfmfdes.c b/client/cmdhfmfdes.c index 824236be..f3217df2 100644 --- a/client/cmdhfmfdes.c +++ b/client/cmdhfmfdes.c @@ -172,7 +172,7 @@ int CmdHF14ADesInfo(const char *Cmd){ PrintAndLog("-------------------------------------------------------------"); - UsbCommand c1 = {CMD_MIFARE_DESFIRE, { 0x01, 0x01 }}; + UsbCommand c1 = {CMD_MIFARE_DESFIRE, { 0x03, 0x01 }}; c1.d.asBytes[0] = GET_KEY_SETTINGS; SendCommand(&c1); if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { @@ -181,27 +181,27 @@ int CmdHF14ADesInfo(const char *Cmd){ PrintAndLog(" Master Key settings"); if ( resp.d.asBytes[3] & (1 << 3 ) ) - PrintAndLog(" 0x08 Configuration changeable;"); + PrintAndLog(" 0x08 Configuration changeable"); else - PrintAndLog(" 0x08 Configuration NOT changeable;"); + PrintAndLog(" 0x08 Configuration NOT changeable"); if ( resp.d.asBytes[3] & (1 << 2 ) ) - PrintAndLog(" 0x04 PICC Master Key not required for create / delete;"); + PrintAndLog(" 0x04 PICC Master Key not required for create / delete"); else - PrintAndLog(" 0x04 PICC Master Key required for create / delete;"); + PrintAndLog(" 0x04 PICC Master Key required for create / delete"); if ( resp.d.asBytes[3] & (1 << 1 ) ) - PrintAndLog(" 0x02 Free directory list access without PICC Master Key;"); + PrintAndLog(" 0x02 Free directory list access without PICC Master Key"); else - PrintAndLog(" 0x02 Directory list access with PICC Master Key;"); + PrintAndLog(" 0x02 Directory list access with PICC Master Key"); if ( resp.d.asBytes[3] & (1 << 0 ) ) - PrintAndLog(" 0x01 Allow changing the Master Key;"); + PrintAndLog(" 0x01 Allow changing the Master Key"); else - PrintAndLog(" 0x01 Master Key is not changeable anymore;"); + PrintAndLog(" 0x01 Master Key is not changeable anymore"); // init len - UsbCommand c2 = {CMD_MIFARE_DESFIRE, { 0x01, 0x02 }}; + UsbCommand c2 = {CMD_MIFARE_DESFIRE, { 0x03, 0x02 }}; c2.d.asBytes[0] = GET_KEY_VERSION; c2.d.asBytes[1] = 0x00; SendCommand(&c2); @@ -210,12 +210,12 @@ int CmdHF14ADesInfo(const char *Cmd){ } PrintAndLog(""); - PrintAndLog(" Max number of keys : %d", resp.d.asBytes[2]); + PrintAndLog(" Max number of keys : %d", resp.d.asBytes[4]); PrintAndLog(" Master key Version : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]); PrintAndLog("-------------------------------------------------------------"); - UsbCommand c3 = {CMD_MIFARE_DESFIRE, { 0x01, 0x01 }}; + UsbCommand c3 = {CMD_MIFARE_DESFIRE, { 0x03, 0x01 }}; c3.d.asBytes[0] = GET_FREE_MEMORY; SendCommand(&c3); if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) { @@ -229,11 +229,11 @@ int CmdHF14ADesInfo(const char *Cmd){ PrintAndLog("-------------------------------------------------------------"); /* - Card Master key (CMK) 0x00 on AID = 00 00 00 (card level) 0x1 - Application Master Key (AMK) 0x00 on AID != 00 00 00 - Application keys (APK) = 0x01-0x0D - Application free = 0x0E - Application never = 0x0F + Card Master key (CMK) 0x00 AID = 00 00 00 (card level) + Application Master Key (AMK) 0x00 AID != 00 00 00 + Application keys (APK) 0x01-0x0D + Application free 0x0E + Application never 0x0F ACCESS RIGHTS: keys 0,1,2,3 C @@ -298,8 +298,13 @@ char * GetProtocolStr(uint8_t id){ int CmdHF14ADesEnumApplications(const char *Cmd){ - UsbCommand c = {CMD_MIFARE_DESFIRE, { 0x01, 0x01 }}; - c.d.asBytes[0] = GET_APPLICATION_IDS; + uint32_t options = 0x00; + + options |= INIT; + options |= DISCONNECT; + + UsbCommand c = {CMD_MIFARE_DESFIRE, {options , 0x01 }}; + c.d.asBytes[0] = GET_APPLICATION_IDS; //0x6a SendCommand(&c); UsbCommand resp; @@ -316,26 +321,56 @@ int CmdHF14ADesEnumApplications(const char *Cmd){ PrintAndLog("---Desfire Enum Applications --------------------------------"); PrintAndLog("-------------------------------------------------------------"); - //UsbCommand respFiles; + UsbCommand respAid; + UsbCommand respFiles; uint8_t num = 0; int max = resp.arg[1] -3 -2; for(int i=3; i<=max; i+=3){ - PrintAndLog(" Aid %d : %s ",num ,sprint_hex(resp.d.asBytes+i,3)); + PrintAndLog(" Aid %d : %02X %02X %02X ",num ,resp.d.asBytes[i],resp.d.asBytes[i+1],resp.d.asBytes[i+2]); num++; - // UsbCommand cFiles = {CMD_MIFARE_DESFIRE, { 0x01, 0x04 }}; - // cFiles.d.asBytes[0] = GET_FILE_IDS; - // cFiles.d.asBytes[1] = resp.d.asBytes+i; - // cFiles.d.asBytes[2] = resp.d.asBytes+i+1; - // cFiles.d.asBytes[3] = resp.d.asBytes+i+2; - // SendCommand(&cFiles); + options = INIT; + + UsbCommand cAid = {CMD_MIFARE_DESFIRE, { options, 0x04 }}; + cAid.d.asBytes[0] = SELECT_APPLICATION; // 0x5a + cAid.d.asBytes[1] = resp.d.asBytes[i]; + cAid.d.asBytes[2] = resp.d.asBytes[i+1]; + cAid.d.asBytes[3] = resp.d.asBytes[i+2]; + SendCommand(&cAid); + + if (!WaitForResponseTimeout(CMD_ACK,&respAid,1500) ) { + PrintAndLog(" Timed-out"); + continue; + } + uint8_t isOK = respAid.arg[0] & 0xff; + if ( !isOK ){ + PrintAndLog(" Can't select AID: %s",sprint_hex(resp.d.asBytes+i,3)); + continue; + } + + options = DISCONNECT; + UsbCommand cFiles = {CMD_MIFARE_DESFIRE, { options, 0x01 }}; + cFiles.d.asBytes[0] = GET_FILE_IDS; // 0x6f + SendCommand(&cFiles); + + if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) { + PrintAndLog(" Timed-out"); + continue; + } else { - // if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) { - // PrintAndLog(" No files found"); - // break; - // } + uint8_t isOK = respFiles.arg[0] & 0xff; + if ( !isOK ){ + PrintAndLog(" No files found"); + continue; + } + + int respfileLen = resp.arg[1]-3-2; + for (int j=0; j< respfileLen; ++j){ + PrintAndLog(" Fileid %d :", resp.d.asBytes[j+3]); + } + } } PrintAndLog("-------------------------------------------------------------"); diff --git a/client/cmdhfmfdes.h b/client/cmdhfmfdes.h index 15bb9a23..8ecf36d3 100644 --- a/client/cmdhfmfdes.h +++ b/client/cmdhfmfdes.h @@ -19,6 +19,14 @@ char * GetCardSizeStr( uint8_t fsize ); char * GetVendorStr( uint8_t id); char * GetProtocolStr(uint8_t id); +// Command options for Desfire behavior. +enum { + NONE = 0x00, + INIT = 0x01, + DISCONNECT = 0x02, + FOO = 0x04, + BAR = 0x08, +} CmdOptions ; #define CREATE_APPLICATION 0xca diff --git a/client/loclass/ikeys.h b/client/loclass/ikeys.h index 629fa75b..1de46b62 100644 --- a/client/loclass/ikeys.h +++ b/client/loclass/ikeys.h @@ -4,11 +4,11 @@ /** * @brief - *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 ? (F 82 ) 8 be defined as + *Definition 11. Let the function hash0 : F 82 × F 82 × (F 62 ) 8 → (F 82 ) 8 be defined as * hash0(x, y, z [0] . . . z [7] ) = k [0] . . . k [7] where * z'[i] = (z[i] mod (63-i)) + i i = 0...3 * z'[i+4] = (z[i+4] mod (64-i)) + i i = 0...3 - * ? = check(z'); + * ẑ = check(z'); * @param c * @param k this is where the diversified key is put (should be 8 bytes) * @return diff --git a/client/obj/loclass/.dummy b/client/obj/loclass/.dummy new file mode 100644 index 00000000..e69de29b