]> git.zerfleddert.de Git - proxmark3-svn/blob - client/emv/emvcore.c
projects / proxmark3-svn / blob
? search:


0af75cdc73b9f1c1bf547e67e137d96de01469dd
[proxmark3-svn] / client / emv / emvcore.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2017 Merlok
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // EMV core functions
9 //-----------------------------------------------------------------------------
10
11 #include "emvcore.h"
12 #include "emvjson.h"
13 #include "util_posix.h"
14 #ifdef WITH_SMARTCARD
15 #include "cmdsmartcard.h"
16 #endif
17
18 // Got from here. Thanks)
19 // https://eftlab.co.uk/index.php/site-map/knowledge-base/211-emv-aid-rid-pix
20 static const char *PSElist [] = {
21 "325041592E5359532E4444463031", // 2PAY.SYS.DDF01 - Visa Proximity Payment System Environment - PPSE
22 "315041592E5359532E4444463031" // 1PAY.SYS.DDF01 - Visa Payment System Environment - PSE
23 };
24 //static const size_t PSElistLen = sizeof(PSElist)/sizeof(char*);
25
26 char *TransactionTypeStr[] = {
27 "MSD",
28 "VSDC",
29 "qVCDCMCHIP",
30 "CDA"
31 };
32
33 typedef struct {
34 enum CardPSVendor vendor;
35 const char* aid;
36 } TAIDList;
37
38 static const TAIDList AIDlist [] = {
39 // Visa International
40 { CV_VISA, "A00000000305076010"}, // VISA ELO Credit
41 { CV_VISA, "A0000000031010" }, // VISA Debit/Credit (Classic)
42 { CV_VISA, "A000000003101001" }, // VISA Credit
43 { CV_VISA, "A000000003101002" }, // VISA Debit
44 { CV_VISA, "A0000000032010" }, // VISA Electron
45 { CV_VISA, "A0000000032020" }, // VISA
46 { CV_VISA, "A0000000033010" }, // VISA Interlink
47 { CV_VISA, "A0000000034010" }, // VISA Specific
48 { CV_VISA, "A0000000035010" }, // VISA Specific
49 { CV_VISA, "A0000000036010" }, // Domestic Visa Cash Stored Value
50 { CV_VISA, "A0000000036020" }, // International Visa Cash Stored Value
51 { CV_VISA, "A0000000038002" }, // VISA Auth, VisaRemAuthen EMV-CAP (DPA)
52 { CV_VISA, "A0000000038010" }, // VISA Plus
53 { CV_VISA, "A0000000039010" }, // VISA Loyalty
54 { CV_VISA, "A000000003999910" }, // VISA Proprietary ATM
55 // Visa USA
56 { CV_VISA, "A000000098" }, // Debit Card
57 { CV_VISA, "A0000000980848" }, // Debit Card
58 // Mastercard International
59 { CV_MASTERCARD, "A00000000401" }, // MasterCard PayPass
60 { CV_MASTERCARD, "A0000000041010" }, // MasterCard Credit
61 { CV_MASTERCARD, "A00000000410101213" }, // MasterCard Credit
62 { CV_MASTERCARD, "A00000000410101215" }, // MasterCard Credit
63 { CV_MASTERCARD, "A0000000042010" }, // MasterCard Specific
64 { CV_MASTERCARD, "A0000000043010" }, // MasterCard Specific
65 { CV_MASTERCARD, "A0000000043060" }, // Maestro (Debit)
66 { CV_MASTERCARD, "A000000004306001" }, // Maestro (Debit)
67 { CV_MASTERCARD, "A0000000044010" }, // MasterCard Specific
68 { CV_MASTERCARD, "A0000000045010" }, // MasterCard Specific
69 { CV_MASTERCARD, "A0000000046000" }, // Cirrus
70 { CV_MASTERCARD, "A0000000048002" }, // SecureCode Auth EMV-CAP
71 { CV_MASTERCARD, "A0000000049999" }, // MasterCard PayPass
72 // American Express
73 { CV_AMERICANEXPRESS, "A000000025" },
74 { CV_AMERICANEXPRESS, "A0000000250000" },
75 { CV_AMERICANEXPRESS, "A00000002501" },
76 { CV_AMERICANEXPRESS, "A000000025010402" },
77 { CV_AMERICANEXPRESS, "A000000025010701" },
78 { CV_AMERICANEXPRESS, "A000000025010801" },
79 // Groupement des Cartes Bancaires "CB"
80 { CV_CB, "A0000000421010" }, // Cartes Bancaire EMV Card
81 { CV_CB, "A0000000422010" },
82 { CV_CB, "A0000000423010" },
83 { CV_CB, "A0000000424010" },
84 { CV_CB, "A0000000425010" },
85 // JCB CO., LTD.
86 { CV_JCB, "A00000006510" }, // JCB
87 { CV_JCB, "A0000000651010" }, // JCB J Smart Credit
88 // Other
89 { CV_OTHER, "A0000001544442" }, // Banricompras Debito - Banrisul - Banco do Estado do Rio Grande do SUL - S.A.
90 { CV_OTHER, "F0000000030001" }, // BRADESCO
91 { CV_OTHER, "A0000005241010" }, // RuPay - RuPay
92 { CV_OTHER, "D5780000021010" } // Bankaxept - Bankaxept
93 };
94 static const size_t AIDlistLen = sizeof(AIDlist)/sizeof(TAIDList);
95
96 static bool APDULogging = false;
97 void SetAPDULogging(bool logging) {
98 APDULogging = logging;
99 }
100
101 enum CardPSVendor GetCardPSVendor(uint8_t * AID, size_t AIDlen) {
102 char buf[100] = {0};
103 if (AIDlen < 1)
104 return CV_NA;
105
106 hex_to_buffer((uint8_t *)buf, AID, AIDlen, sizeof(buf) - 1, 0, 0, true);
107
108 for(int i = 0; i < AIDlistLen; i ++) {
109 if (strncmp(AIDlist[i].aid, buf, strlen(AIDlist[i].aid)) == 0){
110 return AIDlist[i].vendor;
111 }
112 }
113
114 return CV_NA;
115 }
116
117 static bool print_cb(void *data, const struct tlv *tlv, int level, bool is_leaf) {
118 emv_tag_dump(tlv, stdout, level);
119 if (is_leaf) {
120 dump_buffer(tlv->value, tlv->len, stdout, level);
121 }
122
123 return true;
124 }
125
126 void TLVPrintFromBuffer(uint8_t *data, int datalen) {
127 struct tlvdb *t = NULL;
128 t = tlvdb_parse_multi(data, datalen);
129 if (t) {
130 PrintAndLogEx(NORMAL, "-------------------- TLV decoded --------------------");
131
132 tlvdb_visit(t, print_cb, NULL, 0);
133 tlvdb_free(t);
134 } else {
135 PrintAndLogEx(WARNING, "TLV ERROR: Can't parse response as TLV tree.");
136 }
137 }
138
139 void TLVPrintFromTLVLev(struct tlvdb *tlv, int level) {
140 if (!tlv)
141 return;
142
143 tlvdb_visit(tlv, print_cb, NULL, level);
144 }
145
146 void TLVPrintFromTLV(struct tlvdb *tlv) {
147 TLVPrintFromTLVLev(tlv, 0);
148 }
149
150 void TLVPrintAIDlistFromSelectTLV(struct tlvdb *tlv) {
151 PrintAndLogEx(NORMAL, "|------------------|--------|-------------------------|");
152 PrintAndLogEx(NORMAL, "| AID |Priority| Name |");
153 PrintAndLogEx(NORMAL, "|------------------|--------|-------------------------|");
154
155 struct tlvdb *ttmp = tlvdb_find(tlv, 0x6f);
156 if (!ttmp)
157 PrintAndLogEx(NORMAL, "| none |");
158
159 while (ttmp) {
160 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x84, NULL);
161 const struct tlv *tgName = tlvdb_get_inchild(ttmp, 0x50, NULL);
162 const struct tlv *tgPrio = tlvdb_get_inchild(ttmp, 0x87, NULL);
163 if (!tgAID)
164 break;
165 PrintAndLogEx(NORMAL, "|%s| %s |%s|",
166 sprint_hex_inrow_ex(tgAID->value, tgAID->len, 18),
167 (tgPrio) ? sprint_hex(tgPrio->value, 1) : " ",
168 (tgName) ? sprint_ascii_ex(tgName->value, tgName->len, 25) : " ");
169
170 ttmp = tlvdb_find_next(ttmp, 0x6f);
171 }
172
173 PrintAndLogEx(NORMAL, "|------------------|--------|-------------------------|");
174 }
175
176 struct tlvdb *GetPANFromTrack2(const struct tlv *track2) {
177 char track2Hex[200] = {0};
178 uint8_t PAN[100] = {0};
179 int PANlen = 0;
180 char *tmp = track2Hex;
181
182 if (!track2)
183 return NULL;
184
185 for (int i = 0; i < track2->len; ++i, tmp += 2)
186 sprintf(tmp, "%02x", (unsigned int)track2->value[i]);
187
188 int posD = strchr(track2Hex, 'd') - track2Hex;
189 if (posD < 1)
190 return NULL;
191
192 track2Hex[posD] = 0;
193 if (strlen(track2Hex) % 2) {
194 track2Hex[posD] = 'F';
195 track2Hex[posD + 1] = '\0';
196 }
197
198 param_gethex_to_eol(track2Hex, 0, PAN, sizeof(PAN), &PANlen);
199
200 return tlvdb_fixed(0x5a, PANlen, PAN);
201 }
202
203 struct tlvdb *GetdCVVRawFromTrack2(const struct tlv *track2) {
204 char track2Hex[200] = {0};
205 char dCVVHex[100] = {0};
206 uint8_t dCVV[100] = {0};
207 int dCVVlen = 0;
208 const int PINlen = 5; // must calculated from 9F67 MSD Offset but i have not seen this tag)
209 char *tmp = track2Hex;
210
211 if (!track2)
212 return NULL;
213
214 for (int i = 0; i < track2->len; ++i, tmp += 2)
215 sprintf(tmp, "%02x", (unsigned int)track2->value[i]);
216
217 int posD = strchr(track2Hex, 'd') - track2Hex;
218 if (posD < 1)
219 return NULL;
220
221 memset(dCVVHex, '0', 32);
222 // ATC
223 memcpy(dCVVHex + 0, track2Hex + posD + PINlen + 11, 4);
224 // PAN 5 hex
225 memcpy(dCVVHex + 4, track2Hex, 5);
226 // expire date
227 memcpy(dCVVHex + 9, track2Hex + posD + 1, 4);
228 // service code
229 memcpy(dCVVHex + 13, track2Hex + posD + 5, 3);
230
231 param_gethex_to_eol(dCVVHex, 0, dCVV, sizeof(dCVV), &dCVVlen);
232
233 return tlvdb_fixed(0x02, dCVVlen, dCVV);
234 }
235
236 int EMVExchangeEx(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, sAPDU apdu, bool IncludeLe, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
237 uint8_t data[APDU_RES_LEN] = {0};
238
239 *ResultLen = 0;
240 if (sw) *sw = 0;
241 uint16_t isw = 0;
242 int res = 0;
243
244 if (ActivateField) {
245 DropField();
246 msleep(50);
247 }
248
249 // COMPUTE APDU
250 memcpy(data, &apdu, 5);
251 if (apdu.data)
252 memcpy(&data[5], apdu.data, apdu.Lc);
253
254 if (APDULogging)
255 PrintAndLogEx(SUCCESS, ">>>> %s", sprint_hex(data, (IncludeLe?6:5) + apdu.Lc));
256
257 switch(channel) {
258 case ECC_CONTACTLESS:
259 // 6 byes + data = INS + CLA + P1 + P2 + Lc + <data = Nc> + Le(?IncludeLe)
260 res = ExchangeAPDU14a(data, (IncludeLe?6:5) + apdu.Lc, ActivateField, LeaveFieldON, Result, (int)MaxResultLen, (int *)ResultLen);
261 if (res) {
262 return res;
263 }
264 break;
265 case ECC_CONTACT:
266 //int ExchangeAPDUSC(uint8_t *datain, int datainlen, bool activateCard, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen);
267 #ifdef WITH_SMARTCARD
268 res = ExchangeAPDUSC(data, (IncludeLe?6:5) + apdu.Lc, ActivateField, LeaveFieldON, Result, (int)MaxResultLen, (int *)ResultLen);
269 if (res) {
270 return res;
271 }
272 #endif
273 break;
274 }
275
276 if (APDULogging)
277 PrintAndLogEx(SUCCESS, "<<<< %s", sprint_hex(Result, *ResultLen));
278
279 if (*ResultLen < 2) {
280 return 200;
281 }
282
283 *ResultLen -= 2;
284 isw = Result[*ResultLen] * 0x0100 + Result[*ResultLen + 1];
285 if (sw)
286 *sw = isw;
287
288 if (isw != 0x9000) {
289 if (APDULogging) {
290 if (*sw >> 8 == 0x61) {
291 PrintAndLogEx(ERR, "APDU chaining len:%02x -->", *sw & 0xff);
292 } else {
293 PrintAndLogEx(ERR, "APDU(%02x%02x) ERROR: [%4X] %s", apdu.CLA, apdu.INS, isw, GetAPDUCodeDescription(*sw >> 8, *sw & 0xff));
294 return 5;
295 }
296 }
297 }
298
299 // add to tlv tree
300 if (tlv) {
301 struct tlvdb *t = tlvdb_parse_multi(Result, *ResultLen);
302 tlvdb_add(tlv, t);
303 }
304
305 return 0;
306 }
307
308 int EMVExchange(EMVCommandChannel channel, bool LeaveFieldON, sAPDU apdu, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
309 return EMVExchangeEx(channel, false, LeaveFieldON, apdu, (channel == ECC_CONTACTLESS), Result, MaxResultLen, ResultLen, sw, tlv);
310 }
311
312 int EMVSelect(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t *AID, size_t AIDLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
313 return EMVExchangeEx(channel, ActivateField, LeaveFieldON, (sAPDU){0x00, 0xa4, 0x04, 0x00, AIDLen, AID}, (channel == ECC_CONTACTLESS), Result, MaxResultLen, ResultLen, sw, tlv);
314 }
315
316 int EMVSelectPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, uint8_t PSENum, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw) {
317 uint8_t buf[APDU_AID_LEN] = {0};
318 *ResultLen = 0;
319 int len = 0;
320 int res = 0;
321 switch (PSENum) {
322 case 1:
323 param_gethex_to_eol(PSElist[1], 0, buf, sizeof(buf), &len);
324 break;
325 case 2:
326 param_gethex_to_eol(PSElist[0], 0, buf, sizeof(buf), &len);
327 break;
328 default:
329 return -1;
330 }
331
332 // select
333 res = EMVSelect(channel, ActivateField, LeaveFieldON, buf, len, Result, MaxResultLen, ResultLen, sw, NULL);
334
335 return res;
336 }
337
338 int EMVSearchPSE(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, bool decodeTLV, struct tlvdb *tlv) {
339 uint8_t data[APDU_RES_LEN] = {0};
340 size_t datalen = 0;
341 uint16_t sw = 0;
342 int res;
343
344 // select PPSE
345 res = EMVSelectPSE(channel, ActivateField, true, 2, data, sizeof(data), &datalen, &sw);
346
347 if (!res){
348 struct tlvdb *t = NULL;
349 t = tlvdb_parse_multi(data, datalen);
350 if (t) {
351 int retrycnt = 0;
352 struct tlvdb *ttmp = tlvdb_find_path(t, (tlv_tag_t[]){0x6f, 0xa5, 0xbf0c, 0x61, 0x00});
353 if (!ttmp)
354 PrintAndLogEx(FAILED, "PPSE don't have records.");
355
356 while (ttmp) {
357 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x4f, NULL);
358 if (tgAID) {
359 res = EMVSelect(channel, false, true, (uint8_t *)tgAID->value, tgAID->len, data, sizeof(data), &datalen, &sw, tlv);
360
361 // retry if error and not returned sw error
362 if (res && res != 5) {
363 if (++retrycnt < 3){
364 continue;
365 } else {
366 // card select error, proxmark error
367 if (res == 1) {
368 PrintAndLogEx(WARNING, "Exit...");
369 return 1;
370 }
371
372 retrycnt = 0;
373 PrintAndLogEx(NORMAL, "Retry failed [%s]. Skiped...", sprint_hex_inrow(tgAID->value, tgAID->len));
374 }
375
376 // next element
377 ttmp = tlvdb_find_next(ttmp, 0x61);
378 continue;
379 }
380 retrycnt = 0;
381
382 // all is ok
383 if (decodeTLV){
384 PrintAndLogEx(NORMAL, "%s:", sprint_hex_inrow(tgAID->value, tgAID->len));
385 TLVPrintFromBuffer(data, datalen);
386 }
387 }
388
389 ttmp = tlvdb_find_next(ttmp, 0x61);
390 }
391
392 tlvdb_free(t);
393 } else {
394 PrintAndLogEx(WARNING, "PPSE ERROR: Can't get TLV from response.");
395 }
396 } else {
397 PrintAndLogEx(WARNING, "PPSE ERROR: Can't select PPSE AID. Error: %d", res);
398 }
399
400 if(!LeaveFieldON)
401 DropField();
402
403 return res;
404 }
405
406 int EMVSearch(EMVCommandChannel channel, bool ActivateField, bool LeaveFieldON, bool decodeTLV, struct tlvdb *tlv) {
407 uint8_t aidbuf[APDU_AID_LEN] = {0};
408 int aidlen = 0;
409 uint8_t data[APDU_RES_LEN] = {0};
410 size_t datalen = 0;
411 uint16_t sw = 0;
412
413 int res = 0;
414 int retrycnt = 0;
415 for(int i = 0; i < AIDlistLen; i ++) {
416 param_gethex_to_eol(AIDlist[i].aid, 0, aidbuf, sizeof(aidbuf), &aidlen);
417 res = EMVSelect(channel, (i == 0) ? ActivateField : false, (i == AIDlistLen - 1) ? LeaveFieldON : true, aidbuf, aidlen, data, sizeof(data), &datalen, &sw, tlv);
418 // retry if error and not returned sw error
419 if (res && res != 5) {
420 if (++retrycnt < 3){
421 i--;
422 } else {
423 // (1) - card select error, proxmark error OR (200) - result length = 0
424 if (res == 1 || res == 200) {
425 PrintAndLogEx(WARNING, "Exit...");
426 return 1;
427 }
428
429 retrycnt = 0;
430 PrintAndLogEx(FAILED, "Retry failed [%s]. Skipped...", AIDlist[i].aid);
431 }
432 continue;
433 }
434 retrycnt = 0;
435
436 if (res)
437 continue;
438
439 if (!datalen)
440 continue;
441
442 if (decodeTLV) {
443 PrintAndLogEx(SUCCESS, "%s", AIDlist[i].aid);
444 TLVPrintFromBuffer(data, datalen);
445 }
446 }
447
448 return 0;
449 }
450
451 int EMVSelectApplication(struct tlvdb *tlv, uint8_t *AID, size_t *AIDlen) {
452 // check priority. 0x00 - highest
453 int prio = 0xffff;
454
455 *AIDlen = 0;
456
457 struct tlvdb *ttmp = tlvdb_find(tlv, 0x6f);
458 if (!ttmp)
459 return 1;
460
461 while (ttmp) {
462 const struct tlv *tgAID = tlvdb_get_inchild(ttmp, 0x84, NULL);
463 const struct tlv *tgPrio = tlvdb_get_inchild(ttmp, 0x87, NULL);
464
465 if (!tgAID)
466 break;
467
468 if (tgPrio) {
469 int pt = bytes_to_num((uint8_t*)tgPrio->value, (tgPrio->len < 2) ? tgPrio->len : 2);
470 if (pt < prio) {
471 prio = pt;
472
473 memcpy(AID, tgAID->value, tgAID->len);
474 *AIDlen = tgAID->len;
475 }
476 } else {
477 // takes the first application from list wo priority
478 if (!*AIDlen) {
479 memcpy(AID, tgAID->value, tgAID->len);
480 *AIDlen = tgAID->len;
481 }
482 }
483
484 ttmp = tlvdb_find_next(ttmp, 0x6f);
485 }
486
487 return 0;
488 }
489
490 int EMVGPO(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *PDOL, size_t PDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
491 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0xa8, 0x00, 0x00, PDOLLen, PDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
492 }
493
494 int EMVReadRecord(EMVCommandChannel channel, bool LeaveFieldON, uint8_t SFI, uint8_t SFIrec, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
495 int res = EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0xb2, SFIrec, (SFI << 3) | 0x04, 0, NULL}, Result, MaxResultLen, ResultLen, sw, tlv);
496 if (*sw == 0x6700) {
497 PrintAndLogEx(INFO, ">>> trying to reissue command withouth Le...");
498 res = EMVExchangeEx(channel, false, LeaveFieldON, (sAPDU){0x00, 0xb2, SFIrec, (SFI << 3) | 0x04, 0, NULL}, false, Result, MaxResultLen, ResultLen, sw, tlv);
499 }
500 return res;
501 }
502
503 int EMVAC(EMVCommandChannel channel, bool LeaveFieldON, uint8_t RefControl, uint8_t *CDOL, size_t CDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
504 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0xae, RefControl, 0x00, CDOLLen, CDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
505 }
506
507 int EMVGenerateChallenge(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
508 int res = EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0x84, 0x00, 0x00, 0x00, NULL}, Result, MaxResultLen, ResultLen, sw, tlv);
509 if (*sw == 0x6700) {
510 PrintAndLogEx(INFO, ">>> trying to reissue command withouth Le...");
511 res = EMVExchangeEx(channel, false, LeaveFieldON, (sAPDU){0x00, 0x84, 0x00, 0x00, 0x00, NULL}, false, Result, MaxResultLen, ResultLen, sw, tlv);
512 }
513 return res;
514 }
515
516 int EMVInternalAuthenticate(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *DDOL, size_t DDOLLen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
517 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x00, 0x88, 0x00, 0x00, DDOLLen, DDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
518 }
519
520 int MSCComputeCryptoChecksum(EMVCommandChannel channel, bool LeaveFieldON, uint8_t *UDOL, uint8_t UDOLlen, uint8_t *Result, size_t MaxResultLen, size_t *ResultLen, uint16_t *sw, struct tlvdb *tlv) {
521 return EMVExchange(channel, LeaveFieldON, (sAPDU){0x80, 0x2a, 0x8e, 0x80, UDOLlen, UDOL}, Result, MaxResultLen, ResultLen, sw, tlv);
522 }
523
524 // Authentication
525 static struct emv_pk *get_ca_pk(struct tlvdb *db) {
526 const struct tlv *df_tlv = tlvdb_get(db, 0x84, NULL);
527 const struct tlv *caidx_tlv = tlvdb_get(db, 0x8f, NULL);
528
529 if (!df_tlv || !caidx_tlv || df_tlv->len < 6 || caidx_tlv->len != 1)
530 return NULL;
531
532 PrintAndLogEx(NORMAL, "CA public key index 0x%0x", caidx_tlv->value[0]);
533 return emv_pk_get_ca_pk(df_tlv->value, caidx_tlv->value[0]);
534 }
535
536 int trSDA(struct tlvdb *tlv) {
537
538 struct emv_pk *pk = get_ca_pk(tlv);
539 if (!pk) {
540 PrintAndLogEx(WARNING, "Error: Key not found. Exit.");
541 return 2;
542 }
543
544 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
545 if (!issuer_pk) {
546 emv_pk_free(pk);
547 PrintAndLogEx(WARNING, "Error: Issuer certificate not found. Exit.");
548 return 2;
549 }
550
551 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx",
552 issuer_pk->rid[0],
553 issuer_pk->rid[1],
554 issuer_pk->rid[2],
555 issuer_pk->rid[3],
556 issuer_pk->rid[4],
557 issuer_pk->index,
558 issuer_pk->serial[0],
559 issuer_pk->serial[1],
560 issuer_pk->serial[2]
561 );
562
563 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
564 if (!sda_tlv || sda_tlv->len < 1) {
565 emv_pk_free(issuer_pk);
566 emv_pk_free(pk);
567 PrintAndLogEx(WARNING, "Can't find input list for Offline Data Authentication. Exit.");
568 return 3;
569 }
570
571 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
572 if (dac_db) {
573 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
574 PrintAndLogEx(NORMAL, "SDA verified OK. (%02hhx:%02hhx)\n", dac_tlv->value[0], dac_tlv->value[1]);
575 tlvdb_add(tlv, dac_db);
576 } else {
577 emv_pk_free(issuer_pk);
578 emv_pk_free(pk);
579 PrintAndLogEx(WARNING, "SSAD verify error");
580 return 4;
581 }
582
583 emv_pk_free(issuer_pk);
584 emv_pk_free(pk);
585 return 0;
586 }
587
588 static const unsigned char default_ddol_value[] = {0x9f, 0x37, 0x04};
589 static struct tlv default_ddol_tlv = {.tag = 0x9f49, .len = 3, .value = default_ddol_value };
590
591 int trDDA(EMVCommandChannel channel, bool decodeTLV, struct tlvdb *tlv) {
592 uint8_t buf[APDU_RES_LEN] = {0};
593 size_t len = 0;
594 uint16_t sw = 0;
595
596 struct emv_pk *pk = get_ca_pk(tlv);
597 if (!pk) {
598 PrintAndLogEx(WARNING, "Error: Key not found. Exit.");
599 return 2;
600 }
601
602 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
603 if (!sda_tlv || sda_tlv->len < 1) {
604 emv_pk_free(pk);
605 PrintAndLogEx(WARNING, "Error: Can't find input list for Offline Data Authentication. Exit.");
606 return 3;
607 }
608
609 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
610 if (!issuer_pk) {
611 emv_pk_free(pk);
612 PrintAndLogEx(WARNING, "Error: Issuer certificate not found. Exit.");
613 return 2;
614 }
615 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
616 issuer_pk->rid[0],
617 issuer_pk->rid[1],
618 issuer_pk->rid[2],
619 issuer_pk->rid[3],
620 issuer_pk->rid[4],
621 issuer_pk->index,
622 issuer_pk->serial[0],
623 issuer_pk->serial[1],
624 issuer_pk->serial[2]
625 );
626
627 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlv, sda_tlv);
628 if (!icc_pk) {
629 emv_pk_free(pk);
630 emv_pk_free(issuer_pk);
631 PrintAndLogEx(WARNING, "Error: ICC setrificate not found. Exit.");
632 return 2;
633 }
634 PrintAndLogEx(SUCCESS, "ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
635 icc_pk->rid[0],
636 icc_pk->rid[1],
637 icc_pk->rid[2],
638 icc_pk->rid[3],
639 icc_pk->rid[4],
640 icc_pk->index,
641 icc_pk->serial[0],
642 icc_pk->serial[1],
643 icc_pk->serial[2]
644 );
645
646 struct emv_pk *icc_pe_pk = emv_pki_recover_icc_pe_cert(issuer_pk, tlv);
647 if (!icc_pe_pk) {
648 PrintAndLogEx(WARNING, "WARNING: ICC PE PK recover error. ");
649 } else {
650 PrintAndLogEx(SUCCESS, "ICC PE PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
651 icc_pe_pk->rid[0],
652 icc_pe_pk->rid[1],
653 icc_pe_pk->rid[2],
654 icc_pe_pk->rid[3],
655 icc_pe_pk->rid[4],
656 icc_pe_pk->index,
657 icc_pe_pk->serial[0],
658 icc_pe_pk->serial[1],
659 icc_pe_pk->serial[2]
660 );
661 }
662
663 // 9F4B: Signed Dynamic Application Data
664 const struct tlv *sdad_tlv = tlvdb_get(tlv, 0x9f4b, NULL);
665 // DDA with internal authenticate OR fDDA with filled 0x9F4B tag (GPO result)
666 // EMV kernel3 v2.4, contactless book C-3, C.1., page 147
667 if (sdad_tlv) {
668 PrintAndLogEx(NORMAL, "\n* * Got Signed Dynamic Application Data (9F4B) form GPO. Maybe fDDA...");
669
670 const struct tlvdb *atc_db = emv_pki_recover_atc_ex(icc_pk, tlv, true);
671 if (!atc_db) {
672 PrintAndLogEx(WARNING, "Error: Can't recover IDN (ICC Dynamic Number)");
673 emv_pk_free(pk);
674 emv_pk_free(issuer_pk);
675 emv_pk_free(icc_pk);
676 return 8;
677 }
678
679 // 9f36 Application Transaction Counter (ATC)
680 const struct tlv *atc_tlv = tlvdb_get(atc_db, 0x9f36, NULL);
681 if(atc_tlv) {
682 PrintAndLogEx(NORMAL, "\nATC (Application Transaction Counter) [%zu] %s", atc_tlv->len, sprint_hex_inrow(atc_tlv->value, atc_tlv->len));
683
684 const struct tlv *core_atc_tlv = tlvdb_get(tlv, 0x9f36, NULL);
685 if(tlv_equal(core_atc_tlv, atc_tlv)) {
686 PrintAndLogEx(SUCCESS, "ATC check OK.");
687 PrintAndLogEx(SUCCESS, "fDDA (fast DDA) verified OK.");
688 } else {
689 PrintAndLogEx(WARNING, "Error: fDDA verified, but ATC in the certificate and ATC in the record not the same.");
690 }
691 } else {
692 PrintAndLogEx(NORMAL, "\nERROR: fDDA (fast DDA) verify error");
693 emv_pk_free(pk);
694 emv_pk_free(issuer_pk);
695 emv_pk_free(icc_pk);
696 return 9;
697 }
698 } else {
699 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
700 if (dac_db) {
701 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
702 PrintAndLogEx(NORMAL, "SDA verified OK. (%02hhx:%02hhx)\n", dac_tlv->value[0], dac_tlv->value[1]);
703 tlvdb_add(tlv, dac_db);
704 } else {
705 PrintAndLogEx(WARNING, "Error: SSAD verify error");
706 emv_pk_free(pk);
707 emv_pk_free(issuer_pk);
708 emv_pk_free(icc_pk);
709 return 4;
710 }
711
712 PrintAndLogEx(NORMAL, "\n* Calc DDOL");
713 const struct tlv *ddol_tlv = tlvdb_get(tlv, 0x9f49, NULL);
714 if (!ddol_tlv) {
715 ddol_tlv = &default_ddol_tlv;
716 PrintAndLogEx(NORMAL, "DDOL [9f49] not found. Using default DDOL");
717 }
718
719 struct tlv *ddol_data_tlv = dol_process(ddol_tlv, tlv, 0);
720 if (!ddol_data_tlv) {
721 PrintAndLogEx(WARNING, "Error: Can't create DDOL TLV");
722 emv_pk_free(pk);
723 emv_pk_free(issuer_pk);
724 emv_pk_free(icc_pk);
725 return 5;
726 }
727
728 PrintAndLogEx(NORMAL, "DDOL data[%d]: %s", ddol_data_tlv->len, sprint_hex(ddol_data_tlv->value, ddol_data_tlv->len));
729
730 PrintAndLogEx(NORMAL, "\n* Internal Authenticate");
731 int res = EMVInternalAuthenticate(channel, true, (uint8_t *)ddol_data_tlv->value, ddol_data_tlv->len, buf, sizeof(buf), &len, &sw, NULL);
732 if (res) {
733 PrintAndLogEx(WARNING, "Internal Authenticate error(%d): %4x. Exit...", res, sw);
734 free(ddol_data_tlv);
735 emv_pk_free(pk);
736 emv_pk_free(issuer_pk);
737 emv_pk_free(icc_pk);
738 return 6;
739 }
740
741 struct tlvdb *dda_db = NULL;
742 if (buf[0] == 0x80) {
743 if (len < 3 ) {
744 PrintAndLogEx(WARNING, "Error: Internal Authenticate format1 parsing error. length=%d", len);
745 } else {
746 // 9f4b Signed Dynamic Application Data
747 dda_db = tlvdb_fixed(0x9f4b, len - 2, buf + 2);
748 tlvdb_add(tlv, dda_db);
749 if (decodeTLV){
750 PrintAndLogEx(NORMAL, "* * Decode response format 1:");
751 TLVPrintFromTLV(dda_db);
752 }
753 }
754 } else {
755 dda_db = tlvdb_parse_multi(buf, len);
756 if(!dda_db) {
757 PrintAndLogEx(WARNING, "Error: Can't parse Internal Authenticate result as TLV");
758 free(ddol_data_tlv);
759 emv_pk_free(pk);
760 emv_pk_free(issuer_pk);
761 emv_pk_free(icc_pk);
762 return 7;
763 }
764 tlvdb_add(tlv, dda_db);
765
766 if (decodeTLV)
767 TLVPrintFromTLV(dda_db);
768 }
769
770 struct tlvdb *idn_db = emv_pki_recover_idn_ex(icc_pk, dda_db, ddol_data_tlv, true);
771 free(ddol_data_tlv);
772 if (!idn_db) {
773 PrintAndLogEx(WARNING, "Error: Can't recover IDN (ICC Dynamic Number)");
774 tlvdb_free(dda_db);
775 emv_pk_free(pk);
776 emv_pk_free(issuer_pk);
777 emv_pk_free(icc_pk);
778 return 8;
779 }
780 tlvdb_free(dda_db);
781
782 // 9f4c ICC Dynamic Number
783 const struct tlv *idn_tlv = tlvdb_get(idn_db, 0x9f4c, NULL);
784 if(idn_tlv) {
785 PrintAndLogEx(NORMAL, "\nIDN (ICC Dynamic Number) [%zu] %s", idn_tlv->len, sprint_hex_inrow(idn_tlv->value, idn_tlv->len));
786 PrintAndLogEx(NORMAL, "DDA verified OK.");
787 tlvdb_add(tlv, idn_db);
788 tlvdb_free(idn_db);
789 } else {
790 PrintAndLogEx(NORMAL, "\nERROR: DDA verify error");
791 tlvdb_free(idn_db);
792
793 emv_pk_free(pk);
794 emv_pk_free(issuer_pk);
795 emv_pk_free(icc_pk);
796 return 9;
797 }
798 }
799
800 emv_pk_free(pk);
801 emv_pk_free(issuer_pk);
802 emv_pk_free(icc_pk);
803 return 0;
804 }
805
806 int trCDA(struct tlvdb *tlv, struct tlvdb *ac_tlv, struct tlv *pdol_data_tlv, struct tlv *ac_data_tlv) {
807
808 struct emv_pk *pk = get_ca_pk(tlv);
809 if (!pk) {
810 PrintAndLogEx(WARNING, "Error: Key not found. Exit.");
811 return 2;
812 }
813
814 const struct tlv *sda_tlv = tlvdb_get(tlv, 0x21, NULL);
815 if (!sda_tlv || sda_tlv->len < 1) {
816 PrintAndLogEx(WARNING, "Error: Can't find input list for Offline Data Authentication. Exit.");
817 emv_pk_free(pk);
818 return 3;
819 }
820
821 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlv);
822 if (!issuer_pk) {
823 PrintAndLogEx(WARNING, "Error: Issuer certificate not found. Exit.");
824 emv_pk_free(pk);
825 return 2;
826 }
827 PrintAndLogEx(SUCCESS, "Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
828 issuer_pk->rid[0],
829 issuer_pk->rid[1],
830 issuer_pk->rid[2],
831 issuer_pk->rid[3],
832 issuer_pk->rid[4],
833 issuer_pk->index,
834 issuer_pk->serial[0],
835 issuer_pk->serial[1],
836 issuer_pk->serial[2]
837 );
838
839 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlv, sda_tlv);
840 if (!icc_pk) {
841 PrintAndLogEx(WARNING, "Error: ICC setrificate not found. Exit.");
842 emv_pk_free(pk);
843 emv_pk_free(issuer_pk);
844 return 2;
845 }
846 PrintAndLogEx(SUCCESS, "ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
847 icc_pk->rid[0],
848 icc_pk->rid[1],
849 icc_pk->rid[2],
850 icc_pk->rid[3],
851 icc_pk->rid[4],
852 icc_pk->index,
853 icc_pk->serial[0],
854 icc_pk->serial[1],
855 icc_pk->serial[2]
856 );
857
858 struct tlvdb *dac_db = emv_pki_recover_dac(issuer_pk, tlv, sda_tlv);
859 if (dac_db) {
860 const struct tlv *dac_tlv = tlvdb_get(dac_db, 0x9f45, NULL);
861 PrintAndLogEx(NORMAL, "SSAD verified OK. (%02hhx:%02hhx)", dac_tlv->value[0], dac_tlv->value[1]);
862 tlvdb_add(tlv, dac_db);
863 } else {
864 PrintAndLogEx(WARNING, "Error: SSAD verify error");
865 emv_pk_free(pk);
866 emv_pk_free(issuer_pk);
867 emv_pk_free(icc_pk);
868 return 4;
869 }
870
871 PrintAndLogEx(NORMAL, "\n* * Check Signed Dynamic Application Data (SDAD)");
872 struct tlvdb *idn_db = emv_pki_perform_cda_ex(icc_pk, tlv, ac_tlv,
873 pdol_data_tlv, // pdol
874 ac_data_tlv, // cdol1
875 NULL, // cdol2
876 true);
877 if (idn_db) {
878 const struct tlv *idn_tlv = tlvdb_get(idn_db, 0x9f4c, NULL);
879 PrintAndLogEx(NORMAL, "\nIDN (ICC Dynamic Number) [%zu] %s", idn_tlv->len, sprint_hex_inrow(idn_tlv->value, idn_tlv->len));
880 PrintAndLogEx(NORMAL, "CDA verified OK.");
881 tlvdb_add(tlv, idn_db);
882 } else {
883 PrintAndLogEx(NORMAL, "\nERROR: CDA verify error");
884 }
885
886 emv_pk_free(pk);
887 emv_pk_free(issuer_pk);
888 emv_pk_free(icc_pk);
889 return 0;
890 }
891
892 int RecoveryCertificates(struct tlvdb *tlvRoot, json_t *root) {
893
894 struct emv_pk *pk = get_ca_pk(tlvRoot);
895 if (!pk) {
896 PrintAndLog("ERROR: Key not found. Exit.");
897 return 1;
898 }
899
900 struct emv_pk *issuer_pk = emv_pki_recover_issuer_cert(pk, tlvRoot);
901 if (!issuer_pk) {
902 emv_pk_free(pk);
903 PrintAndLog("WARNING: Issuer certificate not found. Exit.");
904 return 2;
905 }
906 PrintAndLog("Issuer PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx",
907 issuer_pk->rid[0],
908 issuer_pk->rid[1],
909 issuer_pk->rid[2],
910 issuer_pk->rid[3],
911 issuer_pk->rid[4],
912 issuer_pk->index,
913 issuer_pk->serial[0],
914 issuer_pk->serial[1],
915 issuer_pk->serial[2]
916 );
917
918 JsonSaveBufAsHex(root, "$.ApplicationData.RID", issuer_pk->rid, 5);
919
920 char *issuer_pk_c = emv_pk_dump_pk(issuer_pk);
921 JsonSaveStr(root, "$.ApplicationData.IssuerPublicKeyDec", issuer_pk_c);
922 JsonSaveBufAsHex(root, "$.ApplicationData.IssuerPublicKeyModulus", issuer_pk->modulus, issuer_pk->mlen);
923 free(issuer_pk_c);
924
925 struct emv_pk *icc_pk = emv_pki_recover_icc_cert(issuer_pk, tlvRoot, NULL);
926 if (!icc_pk) {
927 emv_pk_free(pk);
928 emv_pk_free(issuer_pk);
929 PrintAndLog("WARNING: ICC certificate not found. Exit.");
930 return 2;
931 }
932 printf("ICC PK recovered. RID %02hhx:%02hhx:%02hhx:%02hhx:%02hhx IDX %02hhx CSN %02hhx:%02hhx:%02hhx\n",
933 icc_pk->rid[0],
934 icc_pk->rid[1],
935 icc_pk->rid[2],
936 icc_pk->rid[3],
937 icc_pk->rid[4],
938 icc_pk->index,
939 icc_pk->serial[0],
940 icc_pk->serial[1],
941 icc_pk->serial[2]
942 );
943
944 char *icc_pk_c = emv_pk_dump_pk(icc_pk);
945 JsonSaveStr(root, "$.ApplicationData.ICCPublicKeyDec", icc_pk_c);
946 JsonSaveBufAsHex(root, "$.ApplicationData.ICCPublicKeyModulus", icc_pk->modulus, icc_pk->mlen);
947 free(issuer_pk_c);
948
949 return 0;
950 }
Proxmark3 GIT tracking
Impressum, Datenschutz