]>
Commit | Line | Data |
---|---|---|
f38a1528 | 1 | //----------------------------------------------------------------------------- |
2 | // Copyright (C) 2014 Iceman | |
3 | // | |
4 | // This code is licensed to you under the terms of the GNU GPL, version 2 or, | |
5 | // at your option, any later version. See the LICENSE.txt file for the text of | |
6 | // the license. | |
7 | //----------------------------------------------------------------------------- | |
8 | // High frequency MIFARE Desfire commands | |
9 | //----------------------------------------------------------------------------- | |
10 | ||
11 | #include <stdio.h> | |
12 | #include <stdlib.h> | |
13 | #include <string.h> | |
14 | #include <ctype.h> | |
15 | #include <openssl/des.h> | |
16 | #include "cmdmain.h" | |
17 | #include "proxmark3.h" | |
18 | #include "../include/common.h" | |
19 | #include "../include/mifare.h" | |
20 | #include "../common/iso14443crc.h" | |
21 | #include "data.h" | |
22 | #include "ui.h" | |
23 | #include "cmdparser.h" | |
24 | #include "util.h" | |
25 | #include "cmdhfmfdes.h" | |
26 | ||
27 | ||
28 | uint8_t key_zero_data[16] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }; | |
29 | uint8_t key_defa_data[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }; | |
30 | uint8_t key_ones_data[16] = { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }; | |
31 | ||
32 | ||
33 | static int CmdHelp(const char *Cmd); | |
34 | static void xor(unsigned char * dst, unsigned char * src, size_t len); | |
35 | static int32_t le24toh (uint8_t data[3]); | |
36 | ||
37 | ||
38 | int CmdHF14ADesWb(const char *Cmd) | |
39 | { | |
40 | /* uint8_t blockNo = 0; | |
41 | uint8_t keyType = 0; | |
42 | uint8_t key[6] = {0, 0, 0, 0, 0, 0}; | |
43 | uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; | |
44 | ||
45 | char cmdp = 0x00; | |
46 | ||
47 | if (strlen(Cmd)<3) { | |
48 | PrintAndLog("Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>"); | |
49 | PrintAndLog(" sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F"); | |
50 | return 0; | |
51 | } | |
52 | ||
53 | blockNo = param_get8(Cmd, 0); | |
54 | cmdp = param_getchar(Cmd, 1); | |
55 | if (cmdp == 0x00) { | |
56 | PrintAndLog("Key type must be A or B"); | |
57 | return 1; | |
58 | } | |
59 | if (cmdp != 'A' && cmdp != 'a') keyType = 1; | |
60 | if (param_gethex(Cmd, 2, key, 12)) { | |
61 | PrintAndLog("Key must include 12 HEX symbols"); | |
62 | return 1; | |
63 | } | |
64 | if (param_gethex(Cmd, 3, bldata, 32)) { | |
65 | PrintAndLog("Block data must include 32 HEX symbols"); | |
66 | return 1; | |
67 | } | |
68 | PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6)); | |
69 | PrintAndLog("--data: %s", sprint_hex(bldata, 16)); | |
70 | ||
71 | UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}}; | |
72 | memcpy(c.d.asBytes, key, 6); | |
73 | memcpy(c.d.asBytes + 10, bldata, 16); | |
74 | SendCommand(&c); | |
75 | ||
76 | UsbCommand resp; | |
77 | if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { | |
78 | uint8_t isOK = resp.arg[0] & 0xff; | |
79 | PrintAndLog("isOk:%02x", isOK); | |
80 | } else { | |
81 | PrintAndLog("Command execute timeout"); | |
82 | } | |
83 | */ | |
84 | return 0; | |
85 | } | |
86 | ||
87 | int CmdHF14ADesRb(const char *Cmd) | |
88 | { | |
89 | // uint8_t blockNo = 0; | |
90 | // uint8_t keyType = 0; | |
91 | // uint8_t key[6] = {0, 0, 0, 0, 0, 0}; | |
92 | ||
93 | // char cmdp = 0x00; | |
94 | ||
95 | ||
96 | // if (strlen(Cmd)<3) { | |
97 | // PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>"); | |
98 | // PrintAndLog(" sample: hf mf rdbl 0 A FFFFFFFFFFFF "); | |
99 | // return 0; | |
100 | // } | |
101 | ||
102 | // blockNo = param_get8(Cmd, 0); | |
103 | // cmdp = param_getchar(Cmd, 1); | |
104 | // if (cmdp == 0x00) { | |
105 | // PrintAndLog("Key type must be A or B"); | |
106 | // return 1; | |
107 | // } | |
108 | // if (cmdp != 'A' && cmdp != 'a') keyType = 1; | |
109 | // if (param_gethex(Cmd, 2, key, 12)) { | |
110 | // PrintAndLog("Key must include 12 HEX symbols"); | |
111 | // return 1; | |
112 | // } | |
113 | // PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6)); | |
114 | ||
115 | // UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}}; | |
116 | // memcpy(c.d.asBytes, key, 6); | |
117 | // SendCommand(&c); | |
118 | ||
119 | // UsbCommand resp; | |
120 | // if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { | |
121 | // uint8_t isOK = resp.arg[0] & 0xff; | |
122 | // uint8_t * data = resp.d.asBytes; | |
123 | ||
124 | // if (isOK) | |
125 | // PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16)); | |
126 | // else | |
127 | // PrintAndLog("isOk:%02x", isOK); | |
128 | // } else { | |
129 | // PrintAndLog("Command execute timeout"); | |
130 | // } | |
131 | ||
132 | return 0; | |
133 | } | |
134 | ||
135 | int CmdHF14ADesInfo(const char *Cmd){ | |
136 | ||
313ee67e | 137 | UsbCommand c = {CMD_MIFARE_DESFIRE_INFO}; |
f38a1528 | 138 | SendCommand(&c); |
139 | UsbCommand resp; | |
140 | ||
313ee67e | 141 | if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { |
f38a1528 | 142 | PrintAndLog("Command execute timeout"); |
143 | return 0; | |
313ee67e | 144 | } |
145 | uint8_t isOK = resp.arg[0] & 0xff; | |
146 | if ( !isOK ){ | |
3d93d4f9 | 147 | PrintAndLog("Command unsuccessful"); |
313ee67e | 148 | return 0; |
f38a1528 | 149 | } |
150 | ||
151 | PrintAndLog("---Desfire Information---------------------------------------"); | |
152 | PrintAndLog("-------------------------------------------------------------"); | |
153 | PrintAndLog(" UID : %s",sprint_hex(resp.d.asBytes, 7)); | |
154 | PrintAndLog(" Batch number : %s",sprint_hex(resp.d.asBytes+28,5)); | |
155 | PrintAndLog(" Production date : week %02x, 20%02x",resp.d.asBytes[33], resp.d.asBytes[34]); | |
156 | PrintAndLog("-------------------------------------------------------------"); | |
157 | PrintAndLog(" Hardware Information"); | |
158 | PrintAndLog(" Vendor Id : %s", GetVendorStr(resp.d.asBytes[7])); | |
159 | PrintAndLog(" Type : 0x%02X",resp.d.asBytes[8]); | |
160 | PrintAndLog(" Subtype : 0x%02X",resp.d.asBytes[9]); | |
161 | PrintAndLog(" Version : %d.%d",resp.d.asBytes[10], resp.d.asBytes[11]); | |
162 | PrintAndLog(" Storage size : %s",GetCardSizeStr(resp.d.asBytes[12])); | |
163 | PrintAndLog(" Protocol : %s",GetProtocolStr(resp.d.asBytes[13])); | |
164 | PrintAndLog("-------------------------------------------------------------"); | |
165 | PrintAndLog(" Software Information"); | |
166 | PrintAndLog(" Vendor Id : %s",GetVendorStr(resp.d.asBytes[14])); | |
167 | PrintAndLog(" Type : 0x%02X",resp.d.asBytes[15]); | |
168 | PrintAndLog(" Subtype : 0x%02X",resp.d.asBytes[16]); | |
169 | PrintAndLog(" Version : %d.%d",resp.d.asBytes[17], resp.d.asBytes[18]); | |
170 | PrintAndLog(" storage size : %s", GetCardSizeStr(resp.d.asBytes[19])); | |
171 | PrintAndLog(" Protocol : %s", GetProtocolStr(resp.d.asBytes[20])); | |
172 | PrintAndLog("-------------------------------------------------------------"); | |
173 | ||
313ee67e | 174 | |
75465377 | 175 | UsbCommand c1 = {CMD_MIFARE_DESFIRE, { 0x03, 0x01 }}; |
313ee67e | 176 | c1.d.asBytes[0] = GET_KEY_SETTINGS; |
177 | SendCommand(&c1); | |
178 | if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { | |
179 | return 0; | |
180 | } | |
181 | ||
f38a1528 | 182 | PrintAndLog(" Master Key settings"); |
313ee67e | 183 | if ( resp.d.asBytes[3] & (1 << 3 ) ) |
75465377 | 184 | PrintAndLog(" 0x08 Configuration changeable"); |
f38a1528 | 185 | else |
75465377 | 186 | PrintAndLog(" 0x08 Configuration NOT changeable"); |
f38a1528 | 187 | |
313ee67e | 188 | if ( resp.d.asBytes[3] & (1 << 2 ) ) |
75465377 | 189 | PrintAndLog(" 0x04 PICC Master Key not required for create / delete"); |
f38a1528 | 190 | else |
75465377 | 191 | PrintAndLog(" 0x04 PICC Master Key required for create / delete"); |
f38a1528 | 192 | |
313ee67e | 193 | if ( resp.d.asBytes[3] & (1 << 1 ) ) |
75465377 | 194 | PrintAndLog(" 0x02 Free directory list access without PICC Master Key"); |
f38a1528 | 195 | else |
75465377 | 196 | PrintAndLog(" 0x02 Directory list access with PICC Master Key"); |
f38a1528 | 197 | |
313ee67e | 198 | if ( resp.d.asBytes[3] & (1 << 0 ) ) |
75465377 | 199 | PrintAndLog(" 0x01 Allow changing the Master Key"); |
f38a1528 | 200 | else |
75465377 | 201 | PrintAndLog(" 0x01 Master Key is not changeable anymore"); |
f38a1528 | 202 | |
313ee67e | 203 | // init len |
75465377 | 204 | UsbCommand c2 = {CMD_MIFARE_DESFIRE, { 0x03, 0x02 }}; |
313ee67e | 205 | c2.d.asBytes[0] = GET_KEY_VERSION; |
206 | c2.d.asBytes[1] = 0x00; | |
207 | SendCommand(&c2); | |
208 | if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { | |
209 | return 0; | |
210 | } | |
211 | ||
212 | PrintAndLog(""); | |
75465377 | 213 | PrintAndLog(" Max number of keys : %d", resp.d.asBytes[4]); |
313ee67e | 214 | PrintAndLog(" Master key Version : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]); |
f38a1528 | 215 | PrintAndLog("-------------------------------------------------------------"); |
216 | ||
313ee67e | 217 | |
75465377 | 218 | UsbCommand c3 = {CMD_MIFARE_DESFIRE, { 0x03, 0x01 }}; |
313ee67e | 219 | c3.d.asBytes[0] = GET_FREE_MEMORY; |
220 | SendCommand(&c3); | |
221 | if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) { | |
222 | return 0; | |
223 | } | |
224 | ||
f38a1528 | 225 | uint8_t tmp[3]; |
313ee67e | 226 | memcpy(tmp, resp.d.asBytes+3,3); |
f38a1528 | 227 | |
228 | PrintAndLog(" Free memory on card : %d bytes", le24toh( tmp )); | |
229 | PrintAndLog("-------------------------------------------------------------"); | |
3d93d4f9 | 230 | |
f38a1528 | 231 | /* |
75465377 | 232 | Card Master key (CMK) 0x00 AID = 00 00 00 (card level) |
233 | Application Master Key (AMK) 0x00 AID != 00 00 00 | |
234 | Application keys (APK) 0x01-0x0D | |
235 | Application free 0x0E | |
236 | Application never 0x0F | |
f38a1528 | 237 | |
238 | ACCESS RIGHTS: | |
239 | keys 0,1,2,3 C | |
240 | keys 4,5,6,7 RW | |
241 | keys 8,9,10,11 W | |
242 | keys 12,13,14,15 R | |
243 | ||
f38a1528 | 244 | Session key: |
245 | 16 : RndA(byte0-byte3) + RndB(byte0-byte3) + RndA(byte4-byte7) + RndB(byte4-byte7) | |
246 | 8 : RndA(byte0-byte3) + RndB(byte0-byte3) | |
247 | ||
248 | AES 16 : RndA(byte0-byte3) + RndB(byte0-byte3) + RndA(byte12-byte15) + RndB(byte12-byte15) | |
249 | */ | |
250 | ||
f38a1528 | 251 | return 1; |
252 | } | |
253 | ||
254 | char * GetVendorStr( uint8_t id){ | |
255 | static char buf[30]; | |
256 | char *retStr = buf; | |
257 | ||
258 | if ( id == 0x04 ) | |
259 | sprintf(retStr, "0x%02X (NXP)",id); | |
260 | else | |
261 | sprintf(retStr,"0x%02X (Unknown)",id); | |
262 | return buf; | |
263 | } | |
264 | ||
265 | /* | |
266 | The 7 MSBits (= n) code the storage size itself based on 2^n, | |
267 | the LSBit is set to '0' if the size is exactly 2^n | |
268 | and set to '1' if the storage size is between 2^n and 2^(n+1). | |
269 | For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'. | |
270 | */ | |
271 | char * GetCardSizeStr( uint8_t fsize ){ | |
272 | ||
273 | static char buf[30]; | |
274 | char *retStr = buf; | |
275 | ||
276 | uint16_t usize = 1 << ((fsize >>1) + 1); | |
277 | uint16_t lsize = 1 << (fsize >>1); | |
278 | ||
279 | // is LSB set? | |
280 | if ( fsize & (1 << 0 ) ) | |
281 | sprintf(retStr, "0x%02X (%d - %d bytes)",fsize, usize, lsize); | |
282 | else | |
283 | sprintf(retStr, "0x%02X (%d bytes)", fsize, lsize); | |
284 | return buf; | |
285 | } | |
286 | ||
287 | char * GetProtocolStr(uint8_t id){ | |
288 | ||
289 | static char buf[30]; | |
290 | char *retStr = buf; | |
291 | ||
292 | if ( id == 0x05) | |
293 | sprintf(retStr,"0x%02X (ISO 14443-3, 14443-4)", id); | |
294 | else | |
295 | sprintf(retStr,"0x%02X", id); | |
296 | return buf; | |
297 | } | |
298 | ||
299 | int CmdHF14ADesEnumApplications(const char *Cmd){ | |
3d93d4f9 | 300 | |
75465377 | 301 | uint32_t options = 0x00; |
302 | ||
303 | options |= INIT; | |
304 | options |= DISCONNECT; | |
305 | ||
306 | UsbCommand c = {CMD_MIFARE_DESFIRE, {options , 0x01 }}; | |
307 | c.d.asBytes[0] = GET_APPLICATION_IDS; //0x6a | |
3d93d4f9 | 308 | SendCommand(&c); |
309 | UsbCommand resp; | |
310 | ||
311 | if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { | |
312 | return 0; | |
313 | } | |
314 | ||
315 | uint8_t isOK = resp.arg[0] & 0xff; | |
316 | if ( !isOK ){ | |
317 | PrintAndLog("Command unsuccessful"); | |
318 | return 0; | |
319 | } | |
320 | ||
321 | PrintAndLog("---Desfire Enum Applications --------------------------------"); | |
322 | PrintAndLog("-------------------------------------------------------------"); | |
323 | ||
75465377 | 324 | UsbCommand respAid; |
325 | UsbCommand respFiles; | |
3d93d4f9 | 326 | |
327 | uint8_t num = 0; | |
328 | int max = resp.arg[1] -3 -2; | |
329 | ||
330 | for(int i=3; i<=max; i+=3){ | |
75465377 | 331 | PrintAndLog(" Aid %d : %02X %02X %02X ",num ,resp.d.asBytes[i],resp.d.asBytes[i+1],resp.d.asBytes[i+2]); |
3d93d4f9 | 332 | num++; |
333 | ||
75465377 | 334 | options = INIT; |
335 | ||
336 | UsbCommand cAid = {CMD_MIFARE_DESFIRE, { options, 0x04 }}; | |
337 | cAid.d.asBytes[0] = SELECT_APPLICATION; // 0x5a | |
338 | cAid.d.asBytes[1] = resp.d.asBytes[i]; | |
339 | cAid.d.asBytes[2] = resp.d.asBytes[i+1]; | |
340 | cAid.d.asBytes[3] = resp.d.asBytes[i+2]; | |
341 | SendCommand(&cAid); | |
342 | ||
343 | if (!WaitForResponseTimeout(CMD_ACK,&respAid,1500) ) { | |
344 | PrintAndLog(" Timed-out"); | |
345 | continue; | |
346 | } | |
347 | uint8_t isOK = respAid.arg[0] & 0xff; | |
348 | if ( !isOK ){ | |
349 | PrintAndLog(" Can't select AID: %s",sprint_hex(resp.d.asBytes+i,3)); | |
350 | continue; | |
351 | } | |
352 | ||
353 | options = DISCONNECT; | |
354 | UsbCommand cFiles = {CMD_MIFARE_DESFIRE, { options, 0x01 }}; | |
355 | cFiles.d.asBytes[0] = GET_FILE_IDS; // 0x6f | |
356 | SendCommand(&cFiles); | |
357 | ||
358 | if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) { | |
359 | PrintAndLog(" Timed-out"); | |
360 | continue; | |
361 | } else { | |
362 | ||
363 | uint8_t isOK = respFiles.arg[0] & 0xff; | |
364 | if ( !isOK ){ | |
365 | PrintAndLog(" No files found"); | |
366 | continue; | |
367 | } | |
3d93d4f9 | 368 | |
75465377 | 369 | int respfileLen = resp.arg[1]-3-2; |
370 | for (int j=0; j< respfileLen; ++j){ | |
371 | PrintAndLog(" Fileid %d :", resp.d.asBytes[j+3]); | |
372 | } | |
373 | } | |
3d93d4f9 | 374 | |
375 | } | |
376 | PrintAndLog("-------------------------------------------------------------"); | |
377 | ||
378 | ||
f38a1528 | 379 | return 1; |
380 | } | |
381 | ||
382 | int CmdHF14ADesNonces(const char *Cmd){ | |
383 | return 1; | |
384 | } | |
385 | ||
386 | // | |
387 | // MIAFRE DesFire Authentication | |
388 | // | |
389 | #define BUFSIZE 64 | |
390 | int CmdHF14ADesAuth(const char *Cmd){ | |
391 | ||
392 | // NR DESC KEYLENGHT | |
393 | // ------------------------ | |
394 | // 1 = DES 8 | |
395 | // 2 = 3DES 16 | |
396 | // 3 = 3K 3DES 24 | |
397 | // 4 = AES 16 | |
398 | ||
399 | // AUTHENTICTION MODES: | |
400 | // 1 Normal | |
401 | // 2 ISO | |
402 | // 3 AES | |
403 | ||
404 | uint8_t keylength = 8; | |
405 | //unsigned char testinput[] = { 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00}; | |
406 | unsigned char key[24]; // = { 0x75,0x28,0x78,0x39,0x74,0x93,0xCB,0x70}; | |
407 | ||
408 | if (strlen(Cmd)<3) { | |
409 | PrintAndLog("Usage: hf mfdes auth <1|2|3> <1|2|3|4> <keyno> <key> "); | |
410 | PrintAndLog(" AUTH modes 1 = normal, 2 = iso, 3 = aes"); | |
411 | PrintAndLog(" Crypto: 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES"); | |
412 | PrintAndLog(" keynumber"); | |
413 | PrintAndLog(" sample: hf mfdes auth 1 1 0 11223344"); | |
414 | return 0; | |
415 | } | |
416 | uint8_t cmdAuthMode = param_get8(Cmd,0); | |
417 | uint8_t cmdAuthAlgo = param_get8(Cmd,1); | |
418 | uint8_t cmdKeyNo = param_get8(Cmd,2); | |
419 | ||
420 | switch (cmdAuthMode) | |
421 | { | |
422 | case 1: | |
423 | if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2) { | |
424 | PrintAndLog("Crypto algo not valid for the auth mode"); | |
425 | return 1; | |
426 | } | |
427 | break; | |
428 | case 2: | |
429 | if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) { | |
430 | PrintAndLog("Crypto algo not valid for the auth mode"); | |
431 | return 1; | |
432 | } | |
433 | break; | |
434 | case 3: | |
435 | if ( cmdAuthAlgo != 4) { | |
436 | PrintAndLog("Crypto algo not valid for the auth mode"); | |
437 | return 1; | |
438 | } | |
439 | break; | |
440 | default: | |
441 | PrintAndLog("Wrong Auth mode"); | |
442 | return 1; | |
443 | break; | |
444 | } | |
445 | ||
446 | switch (cmdAuthAlgo){ | |
447 | case 2: | |
448 | keylength = 16; | |
449 | PrintAndLog("3DES selected"); | |
450 | break; | |
451 | case 3: | |
452 | keylength = 24; | |
453 | PrintAndLog("3 key 3DES selected"); | |
454 | break; | |
455 | case 4: | |
456 | keylength = 16; | |
457 | PrintAndLog("AES selected"); | |
458 | break; | |
459 | default: | |
460 | cmdAuthAlgo = 1; | |
461 | keylength = 8; | |
462 | PrintAndLog("DES selected"); | |
463 | break; | |
464 | } | |
465 | ||
466 | // key | |
467 | if (param_gethex(Cmd, 3, key, keylength*2)) { | |
468 | PrintAndLog("Key must include %d HEX symbols", keylength); | |
469 | return 1; | |
470 | } | |
471 |