]> git.zerfleddert.de Git - proxmark3-svn/blob - client/cmdhfmfdes.c
projects / proxmark3-svn / blob
? search:


f3217df20e6364931057a606837d1d380f3e829f
[proxmark3-svn] / client / cmdhfmfdes.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2014 Iceman
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // High frequency MIFARE Desfire commands
9 //-----------------------------------------------------------------------------
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 #include <ctype.h>
15 #include <openssl/des.h>
16 #include "cmdmain.h"
17 #include "proxmark3.h"
18 #include "../include/common.h"
19 #include "../include/mifare.h"
20 #include "../common/iso14443crc.h"
21 #include "data.h"
22 #include "ui.h"
23 #include "cmdparser.h"
24 #include "util.h"
25 #include "cmdhfmfdes.h"
26
27
28 uint8_t key_zero_data[16] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
29 uint8_t key_defa_data[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
30 uint8_t key_ones_data[16] = { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 };
31
32
33 static int CmdHelp(const char *Cmd);
34 static void xor(unsigned char * dst, unsigned char * src, size_t len);
35 static int32_t le24toh (uint8_t data[3]);
36
37
38 int CmdHF14ADesWb(const char *Cmd)
39 {
40 /* uint8_t blockNo = 0;
41 uint8_t keyType = 0;
42 uint8_t key[6] = {0, 0, 0, 0, 0, 0};
43 uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
44
45 char cmdp = 0x00;
46
47 if (strlen(Cmd)<3) {
48 PrintAndLog("Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
49 PrintAndLog(" sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
50 return 0;
51 }
52
53 blockNo = param_get8(Cmd, 0);
54 cmdp = param_getchar(Cmd, 1);
55 if (cmdp == 0x00) {
56 PrintAndLog("Key type must be A or B");
57 return 1;
58 }
59 if (cmdp != 'A' && cmdp != 'a') keyType = 1;
60 if (param_gethex(Cmd, 2, key, 12)) {
61 PrintAndLog("Key must include 12 HEX symbols");
62 return 1;
63 }
64 if (param_gethex(Cmd, 3, bldata, 32)) {
65 PrintAndLog("Block data must include 32 HEX symbols");
66 return 1;
67 }
68 PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
69 PrintAndLog("--data: %s", sprint_hex(bldata, 16));
70
71 UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
72 memcpy(c.d.asBytes, key, 6);
73 memcpy(c.d.asBytes + 10, bldata, 16);
74 SendCommand(&c);
75
76 UsbCommand resp;
77 if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
78 uint8_t isOK = resp.arg[0] & 0xff;
79 PrintAndLog("isOk:%02x", isOK);
80 } else {
81 PrintAndLog("Command execute timeout");
82 }
83 */
84 return 0;
85 }
86
87 int CmdHF14ADesRb(const char *Cmd)
88 {
89 // uint8_t blockNo = 0;
90 // uint8_t keyType = 0;
91 // uint8_t key[6] = {0, 0, 0, 0, 0, 0};
92
93 // char cmdp = 0x00;
94
95
96 // if (strlen(Cmd)<3) {
97 // PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>");
98 // PrintAndLog(" sample: hf mf rdbl 0 A FFFFFFFFFFFF ");
99 // return 0;
100 // }
101
102 // blockNo = param_get8(Cmd, 0);
103 // cmdp = param_getchar(Cmd, 1);
104 // if (cmdp == 0x00) {
105 // PrintAndLog("Key type must be A or B");
106 // return 1;
107 // }
108 // if (cmdp != 'A' && cmdp != 'a') keyType = 1;
109 // if (param_gethex(Cmd, 2, key, 12)) {
110 // PrintAndLog("Key must include 12 HEX symbols");
111 // return 1;
112 // }
113 // PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
114
115 // UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
116 // memcpy(c.d.asBytes, key, 6);
117 // SendCommand(&c);
118
119 // UsbCommand resp;
120 // if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
121 // uint8_t isOK = resp.arg[0] & 0xff;
122 // uint8_t * data = resp.d.asBytes;
123
124 // if (isOK)
125 // PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
126 // else
127 // PrintAndLog("isOk:%02x", isOK);
128 // } else {
129 // PrintAndLog("Command execute timeout");
130 // }
131
132 return 0;
133 }
134
135 int CmdHF14ADesInfo(const char *Cmd){
136
137 UsbCommand c = {CMD_MIFARE_DESFIRE_INFO};
138 SendCommand(&c);
139 UsbCommand resp;
140
141 if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
142 PrintAndLog("Command execute timeout");
143 return 0;
144 }
145 uint8_t isOK = resp.arg[0] & 0xff;
146 if ( !isOK ){
147 PrintAndLog("Command unsuccessful");
148 return 0;
149 }
150
151 PrintAndLog("---Desfire Information---------------------------------------");
152 PrintAndLog("-------------------------------------------------------------");
153 PrintAndLog(" UID : %s",sprint_hex(resp.d.asBytes, 7));
154 PrintAndLog(" Batch number : %s",sprint_hex(resp.d.asBytes+28,5));
155 PrintAndLog(" Production date : week %02x, 20%02x",resp.d.asBytes[33], resp.d.asBytes[34]);
156 PrintAndLog("-------------------------------------------------------------");
157 PrintAndLog(" Hardware Information");
158 PrintAndLog(" Vendor Id : %s", GetVendorStr(resp.d.asBytes[7]));
159 PrintAndLog(" Type : 0x%02X",resp.d.asBytes[8]);
160 PrintAndLog(" Subtype : 0x%02X",resp.d.asBytes[9]);
161 PrintAndLog(" Version : %d.%d",resp.d.asBytes[10], resp.d.asBytes[11]);
162 PrintAndLog(" Storage size : %s",GetCardSizeStr(resp.d.asBytes[12]));
163 PrintAndLog(" Protocol : %s",GetProtocolStr(resp.d.asBytes[13]));
164 PrintAndLog("-------------------------------------------------------------");
165 PrintAndLog(" Software Information");
166 PrintAndLog(" Vendor Id : %s",GetVendorStr(resp.d.asBytes[14]));
167 PrintAndLog(" Type : 0x%02X",resp.d.asBytes[15]);
168 PrintAndLog(" Subtype : 0x%02X",resp.d.asBytes[16]);
169 PrintAndLog(" Version : %d.%d",resp.d.asBytes[17], resp.d.asBytes[18]);
170 PrintAndLog(" storage size : %s", GetCardSizeStr(resp.d.asBytes[19]));
171 PrintAndLog(" Protocol : %s", GetProtocolStr(resp.d.asBytes[20]));
172 PrintAndLog("-------------------------------------------------------------");
173
174
175 UsbCommand c1 = {CMD_MIFARE_DESFIRE, { 0x03, 0x01 }};
176 c1.d.asBytes[0] = GET_KEY_SETTINGS;
177 SendCommand(&c1);
178 if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
179 return 0;
180 }
181
182 PrintAndLog(" Master Key settings");
183 if ( resp.d.asBytes[3] & (1 << 3 ) )
184 PrintAndLog(" 0x08 Configuration changeable");
185 else
186 PrintAndLog(" 0x08 Configuration NOT changeable");
187
188 if ( resp.d.asBytes[3] & (1 << 2 ) )
189 PrintAndLog(" 0x04 PICC Master Key not required for create / delete");
190 else
191 PrintAndLog(" 0x04 PICC Master Key required for create / delete");
192
193 if ( resp.d.asBytes[3] & (1 << 1 ) )
194 PrintAndLog(" 0x02 Free directory list access without PICC Master Key");
195 else
196 PrintAndLog(" 0x02 Directory list access with PICC Master Key");
197
198 if ( resp.d.asBytes[3] & (1 << 0 ) )
199 PrintAndLog(" 0x01 Allow changing the Master Key");
200 else
201 PrintAndLog(" 0x01 Master Key is not changeable anymore");
202
203 // init len
204 UsbCommand c2 = {CMD_MIFARE_DESFIRE, { 0x03, 0x02 }};
205 c2.d.asBytes[0] = GET_KEY_VERSION;
206 c2.d.asBytes[1] = 0x00;
207 SendCommand(&c2);
208 if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
209 return 0;
210 }
211
212 PrintAndLog("");
213 PrintAndLog(" Max number of keys : %d", resp.d.asBytes[4]);
214 PrintAndLog(" Master key Version : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]);
215 PrintAndLog("-------------------------------------------------------------");
216
217
218 UsbCommand c3 = {CMD_MIFARE_DESFIRE, { 0x03, 0x01 }};
219 c3.d.asBytes[0] = GET_FREE_MEMORY;
220 SendCommand(&c3);
221 if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
222 return 0;
223 }
224
225 uint8_t tmp[3];
226 memcpy(tmp, resp.d.asBytes+3,3);
227
228 PrintAndLog(" Free memory on card : %d bytes", le24toh( tmp ));
229 PrintAndLog("-------------------------------------------------------------");
230
231 /*
232 Card Master key (CMK) 0x00 AID = 00 00 00 (card level)
233 Application Master Key (AMK) 0x00 AID != 00 00 00
234 Application keys (APK) 0x01-0x0D
235 Application free 0x0E
236 Application never 0x0F
237
238 ACCESS RIGHTS:
239 keys 0,1,2,3 C
240 keys 4,5,6,7 RW
241 keys 8,9,10,11 W
242 keys 12,13,14,15 R
243
244 Session key:
245 16 : RndA(byte0-byte3) + RndB(byte0-byte3) + RndA(byte4-byte7) + RndB(byte4-byte7)
246 8 : RndA(byte0-byte3) + RndB(byte0-byte3)
247
248 AES 16 : RndA(byte0-byte3) + RndB(byte0-byte3) + RndA(byte12-byte15) + RndB(byte12-byte15)
249 */
250
251 return 1;
252 }
253
254 char * GetVendorStr( uint8_t id){
255 static char buf[30];
256 char *retStr = buf;
257
258 if ( id == 0x04 )
259 sprintf(retStr, "0x%02X (NXP)",id);
260 else
261 sprintf(retStr,"0x%02X (Unknown)",id);
262 return buf;
263 }
264
265 /*
266 The 7 MSBits (= n) code the storage size itself based on 2^n,
267 the LSBit is set to '0' if the size is exactly 2^n
268 and set to '1' if the storage size is between 2^n and 2^(n+1).
269 For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'.
270 */
271 char * GetCardSizeStr( uint8_t fsize ){
272
273 static char buf[30];
274 char *retStr = buf;
275
276 uint16_t usize = 1 << ((fsize >>1) + 1);
277 uint16_t lsize = 1 << (fsize >>1);
278
279 // is LSB set?
280 if ( fsize & (1 << 0 ) )
281 sprintf(retStr, "0x%02X (%d - %d bytes)",fsize, usize, lsize);
282 else
283 sprintf(retStr, "0x%02X (%d bytes)", fsize, lsize);
284 return buf;
285 }
286
287 char * GetProtocolStr(uint8_t id){
288
289 static char buf[30];
290 char *retStr = buf;
291
292 if ( id == 0x05)
293 sprintf(retStr,"0x%02X (ISO 14443-3, 14443-4)", id);
294 else
295 sprintf(retStr,"0x%02X", id);
296 return buf;
297 }
298
299 int CmdHF14ADesEnumApplications(const char *Cmd){
300
301 uint32_t options = 0x00;
302
303 options |= INIT;
304 options |= DISCONNECT;
305
306 UsbCommand c = {CMD_MIFARE_DESFIRE, {options , 0x01 }};
307 c.d.asBytes[0] = GET_APPLICATION_IDS; //0x6a
308 SendCommand(&c);
309 UsbCommand resp;
310
311 if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
312 return 0;
313 }
314
315 uint8_t isOK = resp.arg[0] & 0xff;
316 if ( !isOK ){
317 PrintAndLog("Command unsuccessful");
318 return 0;
319 }
320
321 PrintAndLog("---Desfire Enum Applications --------------------------------");
322 PrintAndLog("-------------------------------------------------------------");
323
324 UsbCommand respAid;
325 UsbCommand respFiles;
326
327 uint8_t num = 0;
328 int max = resp.arg[1] -3 -2;
329
330 for(int i=3; i<=max; i+=3){
331 PrintAndLog(" Aid %d : %02X %02X %02X ",num ,resp.d.asBytes[i],resp.d.asBytes[i+1],resp.d.asBytes[i+2]);
332 num++;
333
334 options = INIT;
335
336 UsbCommand cAid = {CMD_MIFARE_DESFIRE, { options, 0x04 }};
337 cAid.d.asBytes[0] = SELECT_APPLICATION; // 0x5a
338 cAid.d.asBytes[1] = resp.d.asBytes[i];
339 cAid.d.asBytes[2] = resp.d.asBytes[i+1];
340 cAid.d.asBytes[3] = resp.d.asBytes[i+2];
341 SendCommand(&cAid);
342
343 if (!WaitForResponseTimeout(CMD_ACK,&respAid,1500) ) {
344 PrintAndLog(" Timed-out");
345 continue;
346 }
347 uint8_t isOK = respAid.arg[0] & 0xff;
348 if ( !isOK ){
349 PrintAndLog(" Can't select AID: %s",sprint_hex(resp.d.asBytes+i,3));
350 continue;
351 }
352
353 options = DISCONNECT;
354 UsbCommand cFiles = {CMD_MIFARE_DESFIRE, { options, 0x01 }};
355 cFiles.d.asBytes[0] = GET_FILE_IDS; // 0x6f
356 SendCommand(&cFiles);
357
358 if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) {
359 PrintAndLog(" Timed-out");
360 continue;
361 } else {
362
363 uint8_t isOK = respFiles.arg[0] & 0xff;
364 if ( !isOK ){
365 PrintAndLog(" No files found");
366 continue;
367 }
368
369 int respfileLen = resp.arg[1]-3-2;
370 for (int j=0; j< respfileLen; ++j){
371 PrintAndLog(" Fileid %d :", resp.d.asBytes[j+3]);
372 }
373 }
374
375 }
376 PrintAndLog("-------------------------------------------------------------");
377
378
379 return 1;
380 }
381
382 int CmdHF14ADesNonces(const char *Cmd){
383 return 1;
384 }
385
386 //
387 // MIAFRE DesFire Authentication
388 //
389 #define BUFSIZE 64
390 int CmdHF14ADesAuth(const char *Cmd){
391
392 // NR DESC KEYLENGHT
393 // ------------------------
394 // 1 = DES 8
395 // 2 = 3DES 16
396 // 3 = 3K 3DES 24
397 // 4 = AES 16
398
399 // AUTHENTICTION MODES:
400 // 1 Normal
401 // 2 ISO
402 // 3 AES
403
404 uint8_t keylength = 8;
405 //unsigned char testinput[] = { 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00};
406 unsigned char key[24]; // = { 0x75,0x28,0x78,0x39,0x74,0x93,0xCB,0x70};
407
408 if (strlen(Cmd)<3) {
409 PrintAndLog("Usage: hf mfdes auth <1|2|3> <1|2|3|4> <keyno> <key> ");
410 PrintAndLog(" AUTH modes 1 = normal, 2 = iso, 3 = aes");
411 PrintAndLog(" Crypto: 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES");
412 PrintAndLog(" keynumber");
413 PrintAndLog(" sample: hf mfdes auth 1 1 0 11223344");
414 return 0;
415 }
416 uint8_t cmdAuthMode = param_get8(Cmd,0);
417 uint8_t cmdAuthAlgo = param_get8(Cmd,1);
418 uint8_t cmdKeyNo = param_get8(Cmd,2);
419
420 switch (cmdAuthMode)
421 {
422 case 1:
423 if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2) {
424 PrintAndLog("Crypto algo not valid for the auth mode");
425 return 1;
426 }
427 break;
428 case 2:
429 if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) {
430 PrintAndLog("Crypto algo not valid for the auth mode");
431 return 1;
432 }
433 break;
434 case 3:
435 if ( cmdAuthAlgo != 4) {
436 PrintAndLog("Crypto algo not valid for the auth mode");
437 return 1;
438 }
439 break;
440 default:
441 PrintAndLog("Wrong Auth mode");
442 return 1;
443 break;
444 }
445
446 switch (cmdAuthAlgo){
447 case 2:
448 keylength = 16;
449 PrintAndLog("3DES selected");
450 break;
451 case 3:
452 keylength = 24;
453 PrintAndLog("3 key 3DES selected");
454 break;
455 case 4:
456 keylength = 16;
457 PrintAndLog("AES selected");
458 break;
459 default:
460 cmdAuthAlgo = 1;
461 keylength = 8;
462 PrintAndLog("DES selected");
463 break;
464 }
465
466 // key
467 if (param_gethex(Cmd, 3, key, keylength*2)) {
468 PrintAndLog("Key must include %d HEX symbols", keylength);
469 return 1;
470 }
471 // algo, nyckellängd,
472 UsbCommand c = {CMD_MIFARE_DESFIRE_AUTH1, { cmdAuthMode, cmdAuthAlgo, cmdKeyNo }};
473
474 c.d.asBytes[0] = keylength;
475 memcpy(c.d.asBytes+1, key, keylength);
476 //memcpy(c.d.asBytes + 30, testinput, keylength);
477
478 SendCommand(&c);
479 UsbCommand resp;
480
481 if (WaitForResponseTimeout(CMD_ACK,&resp,3000)) {
482 uint8_t isOK = resp.arg[0] & 0xff;
483 PrintAndLog("isOk:%02x", isOK);
484
485 } else {
486 PrintAndLog("Command execute timeout");
487 return 0;
488 }
489
490 uint8_t * data= resp.d.asBytes;
491
492 // PrintAndLog("-------------------------------------------------------------");
493 PrintAndLog(" Key :%s",sprint_hex(key, keylength));
494 // PrintAndLog(" Plain :%s",sprint_hex(testinput, keylength));
495 PrintAndLog(" Encoded :%s",sprint_hex(data, keylength));
496 PrintAndLog("-------------------------------------------------------------");
497 //PrintAndLog(" Expected :B5 21 9E E8 1A A7 49 9D 21 96 68 7E 13 97 38 56");
498
499 return 1;
500 }
501
502
503 static void xor(unsigned char * dst, unsigned char * src, size_t len) {
504 for( ; len > 0; len--,dst++,src++)
505 *dst ^= *src;
506 }
507
508 static int32_t le24toh (uint8_t data[3]) {
509 return (data[2] << 16) | (data[1] << 8) | data[0];
510 }
511
512 static command_t CommandTable[] =
513 {
514 {"help", CmdHelp, 1, "This help"},
515 {"auth", CmdHF14ADesAuth, 0, "Tries a MIFARE DesFire Authentication"},
516 {"rb", CmdHF14ADesRb, 0, "Read MIFARE DesFire block"},
517 {"wb", CmdHF14ADesWb, 0, "write MIFARE DesFire block"},
518 {"info", CmdHF14ADesInfo, 0, "Get MIFARE DesFire information"},
519 {"enum", CmdHF14ADesEnumApplications,0, "Tries enumerate all applications"},
520 {"nonce", CmdHF14ADesNonces, 0, "<n> Collect n>0 nonces"},
521 {NULL, NULL, 0, NULL}
522 };
523
524 int CmdHFMFDes(const char *Cmd)
525 {
526 // flush
527 WaitForResponseTimeout(CMD_ACK,NULL,100);
528 CmdsParse(CommandTable, Cmd);
529 return 0;
530 }
531
532 int CmdHelp(const char *Cmd)
533 {
534 CmdsHelp(CommandTable);
535 return 0;
536 }
537
538
Proxmark3 GIT tracking
Impressum, Datenschutz