X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/c3511781a16c6f3f24abe2ad9a08c0737b1dc3b0..3fb6e1fa408562724e16f4b144ab09c2ce64520f:/client/cmdhficlass.c diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c index 60713a01..35cf350c 100644 --- a/client/cmdhficlass.c +++ b/client/cmdhficlass.c @@ -14,16 +14,16 @@ #include #include #include +#include #include "iso14443crc.h" // Can also be used for iClass, using 0xE012 as CRC-type -#include "data.h" -#include "proxmark3.h" +#include "comms.h" #include "ui.h" #include "cmdparser.h" #include "cmdhficlass.h" #include "common.h" #include "util.h" #include "cmdmain.h" -#include "polarssl/des.h" +#include "mbedtls/des.h" #include "loclass/cipherutils.h" #include "loclass/cipher.h" #include "loclass/ikeys.h" @@ -32,6 +32,8 @@ #include "protocols.h" #include "usb_cmd.h" #include "cmdhfmfu.h" +#include "util_posix.h" +#include "cmdhf14a.h" // DropField() static int CmdHelp(const char *Cmd); @@ -51,6 +53,20 @@ typedef struct iclass_block { uint8_t d[8]; } iclass_block_t; +int usage_hf_iclass_chk(void) { + PrintAndLog("Checkkeys loads a dictionary text file with 8byte hex keys to test authenticating against a iClass tag"); + PrintAndLog("Usage: hf iclass chk [h|e|r] "); + PrintAndLog("Options:"); + PrintAndLog("h Show this help"); + PrintAndLog("f Dictionary file with default iclass keys"); + PrintAndLog(" e target Elite / High security key scheme"); + PrintAndLog(" r interpret dictionary file as raw (diversified keys)"); + PrintAndLog("Samples:"); + PrintAndLog(" hf iclass chk f default_iclass_keys.dic"); + PrintAndLog(" hf iclass chk f default_iclass_keys.dic e"); + return 0; +} + int xorbits_8(uint8_t val) { uint8_t res = val ^ (val >> 1); //1st pass res = res ^ (res >> 1); // 2nd pass @@ -278,14 +294,13 @@ int CmdHFiClassELoad(const char *Cmd) { //File handling and reading FILE *f; char filename[FILE_PATH_SIZE]; - if(opt == 'f' && param_getstr(Cmd, 1, filename, sizeof(filename)) > 0) - { + if (opt == 'f' && param_getstr(Cmd, 1, filename, sizeof(filename)) > 0) { f = fopen(filename, "rb"); - }else{ + } else { return hf_iclass_eload_usage(); } - if(!f) { + if (!f) { PrintAndLog("Failed to read from file '%s'", filename); return 1; } @@ -308,8 +323,7 @@ int CmdHFiClassELoad(const char *Cmd) { printIclassDumpInfo(dump); //Validate - if (bytes_read < fsize) - { + if (bytes_read < fsize) { prnlog("Error, could only read %d bytes (should be %d)",bytes_read, fsize ); free(dump); return 1; @@ -318,10 +332,10 @@ int CmdHFiClassELoad(const char *Cmd) { uint32_t bytes_sent = 0; uint32_t bytes_remaining = bytes_read; - while(bytes_remaining > 0){ + while (bytes_remaining > 0) { uint32_t bytes_in_packet = MIN(USB_CMD_DATA_SIZE, bytes_remaining); UsbCommand c = {CMD_ICLASS_EML_MEMSET, {bytes_sent,bytes_in_packet,0}}; - memcpy(c.d.asBytes, dump, bytes_in_packet); + memcpy(c.d.asBytes, dump+bytes_sent, bytes_in_packet); SendCommand(&c); bytes_remaining -= bytes_in_packet; bytes_sent += bytes_in_packet; @@ -399,8 +413,8 @@ int CmdHFiClassDecrypt(const char *Cmd) { fseek(f, 0, SEEK_SET); uint8_t enc_dump[8] = {0}; uint8_t *decrypted = malloc(fsize); - des3_context ctx = { DES_DECRYPT ,{ 0 } }; - des3_set2key_dec( &ctx, key); + mbedtls_des3_context ctx = { {0} }; + mbedtls_des3_set2key_dec( &ctx, key); size_t bytes_read = fread(enc_dump, 1, 8, f); //Use the first block (CSN) for filename @@ -416,7 +430,7 @@ int CmdHFiClassDecrypt(const char *Cmd) { { memcpy(decrypted+(blocknum*8), enc_dump, 8); }else{ - des3_crypt_ecb(&ctx, enc_dump,decrypted +(blocknum*8) ); + mbedtls_des3_crypt_ecb(&ctx, enc_dump,decrypted +(blocknum*8) ); } printvar("decrypted block", decrypted +(blocknum*8), 8); bytes_read = fread(enc_dump, 1, 8, f); @@ -451,10 +465,10 @@ static int iClassEncryptBlkData(uint8_t *blkData) { uint8_t encryptedData[16]; uint8_t *encrypted = encryptedData; - des3_context ctx = { DES_DECRYPT ,{ 0 } }; - des3_set2key_enc( &ctx, key); + mbedtls_des3_context ctx = { {0} }; + mbedtls_des3_set2key_enc( &ctx, key); - des3_crypt_ecb(&ctx, blkData,encrypted); + mbedtls_des3_crypt_ecb(&ctx, blkData,encrypted); //printvar("decrypted block", decrypted, 8); memcpy(blkData,encrypted,8); @@ -531,7 +545,7 @@ static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool u memcpy(div_key, KEY, 8); else HFiClassCalcDivKey(CSN, KEY, div_key, elite); - PrintAndLog("Authing with %s: %02x%02x%02x%02x%02x%02x%02x%02x", rawkey ? "raw key" : "diversified key", div_key[0],div_key[1],div_key[2],div_key[3],div_key[4],div_key[5],div_key[6],div_key[7]); + if (verbose) PrintAndLog("Authing with %s: %02x%02x%02x%02x%02x%02x%02x%02x", rawkey ? "raw key" : "diversified key", div_key[0],div_key[1],div_key[2],div_key[3],div_key[4],div_key[5],div_key[6],div_key[7]); doMAC(CCNR, div_key, MAC); UsbCommand resp; @@ -541,12 +555,12 @@ static bool select_and_auth(uint8_t *KEY, uint8_t *MAC, uint8_t *div_key, bool u SendCommand(&d); if (!WaitForResponseTimeout(CMD_ACK,&resp,4500)) { - PrintAndLog("Auth Command execute timeout"); + if (verbose) PrintAndLog("Auth Command execute timeout"); return false; } uint8_t isOK = resp.arg[0] & 0xff; if (!isOK) { - PrintAndLog("Authentication error"); + if (verbose) PrintAndLog("Authentication error"); return false; } return true; @@ -734,8 +748,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) { blocksRead = (sizeof(tag_data)/8) - blockno; } // response ok - now get bigbuf content of the dump - GetFromBigBuf(tag_data+(blockno*8), blocksRead*8, startindex); - WaitForResponse(CMD_ACK,NULL); + GetFromBigBuf(tag_data+(blockno*8), blocksRead*8, startindex, NULL, -1, false); size_t gotBytes = blocksRead*8 + blockno*8; // try AA2 @@ -777,8 +790,7 @@ int CmdHFiClassReader_Dump(const char *Cmd) { blocksRead = (sizeof(tag_data) - gotBytes)/8; } // get dumped data from bigbuf - GetFromBigBuf(tag_data+gotBytes, blocksRead*8, startindex); - WaitForResponse(CMD_ACK,NULL); + GetFromBigBuf(tag_data+gotBytes, blocksRead*8, startindex, NULL, -1, false); gotBytes += blocksRead*8; } else { //field is still on - turn it off... @@ -1699,10 +1711,152 @@ int CmdHFiClassManageKeys(const char *Cmd) { return 0; } +int CmdHFiClassCheckKeys(const char *Cmd) { + + uint8_t mac[4] = {0x00,0x00,0x00,0x00}; + uint8_t key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + uint8_t div_key[8] = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; + + // elite key, raw key, standard key + bool use_elite = false; + bool use_raw = false; + bool found_debit = false; + bool found_credit = false; + bool errors = false; + uint8_t cmdp = 0x00; + FILE * f; + char filename[FILE_PATH_SIZE] = {0}; + uint8_t fileNameLen = 0; + char buf[17]; + uint8_t *keyBlock = NULL, *p; + int keyitems = 0, keycnt = 0; + + while (param_getchar(Cmd, cmdp) != 0x00 && !errors) { + switch (param_getchar(Cmd, cmdp)) { + case 'h': + case 'H': + return usage_hf_iclass_chk(); + case 'f': + case 'F': + fileNameLen = param_getstr(Cmd, cmdp+1, filename, sizeof(filename)); + if (fileNameLen < 1) { + PrintAndLog("No filename found after f"); + errors = true; + } + cmdp += 2; + break; + case 'e': + case 'E': + use_elite = true; + cmdp++; + break; + case 'r': + case 'R': + use_raw = true; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'\n", param_getchar(Cmd, cmdp)); + errors = true; + break; + } + } + if (errors) return usage_hf_iclass_chk(); + + if ( !(f = fopen( filename , "r")) ) { + PrintAndLog("File: %s: not found or locked.", filename); + return 1; + } + + while( fgets(buf, sizeof(buf), f) ){ + if (strlen(buf) < 16 || buf[15] == '\n') + continue; + + while (fgetc(f) != '\n' && !feof(f)) ; //goto next line + + if( buf[0]=='#' ) continue; //The line start with # is comment, skip + + if (!isxdigit(buf[0])){ + PrintAndLog("File content error. '%s' must include 16 HEX symbols",buf); + continue; + } + + buf[16] = 0; + + p = realloc(keyBlock, 8 * (keyitems += 64)); + if (!p) { + PrintAndLog("Cannot allocate memory for default keys"); + free(keyBlock); + fclose(f); + return 2; + } + keyBlock = p; + + memset(keyBlock + 8 * keycnt, 0, 8); + num_to_bytes(strtoull(buf, NULL, 16), 8, keyBlock + 8 * keycnt); + + //PrintAndLog("check key[%2d] %016" PRIx64, keycnt, bytes_to_num(keyBlock + 8*keycnt, 8)); + keycnt++; + memset(buf, 0, sizeof(buf)); + } + fclose(f); + PrintAndLog("Loaded %2d keys from %s", keycnt, filename); + + // time + uint64_t t1 = msclock(); + + for (uint32_t c = 0; c < keycnt; c += 1) { + printf("."); fflush(stdout); + if (ukbhit()) { + int gc = getchar(); (void)gc; + printf("\naborted via keyboard!\n"); + break; + } + + memcpy(key, keyBlock + 8 * c , 8); + + // debit key. try twice + for (int foo = 0; foo < 2 && !found_debit; foo++) { + if (!select_and_auth(key, mac, div_key, false, use_elite, use_raw, false)) + continue; + + // key found. + PrintAndLog("\n--------------------------------------------------------"); + PrintAndLog(" Found AA1 debit key\t\t[%s]", sprint_hex(key, 8)); + found_debit = true; + } + + // credit key. try twice + for (int foo = 0; foo < 2 && !found_credit; foo++) { + if (!select_and_auth(key, mac, div_key, true, use_elite, use_raw, false)) + continue; + + // key found + PrintAndLog("\n--------------------------------------------------------"); + PrintAndLog(" Found AA2 credit key\t\t[%s]", sprint_hex(key, 8)); + found_credit = true; + } + + // both keys found. + if ( found_debit && found_credit ) + break; + } + + t1 = msclock() - t1; + + PrintAndLog("\nTime in iclass checkkeys: %.0f seconds\n", (float)t1/1000.0); + + DropField(); + free(keyBlock); + PrintAndLog(""); + return 0; +} + static command_t CommandTable[] = { {"help", CmdHelp, 1, "This help"}, {"calcnewkey", CmdHFiClassCalcNewKey, 1, "[options..] Calc Diversified keys (blocks 3 & 4) to write new keys"}, + {"chk", CmdHFiClassCheckKeys, 0, " Check keys"}, {"clone", CmdHFiClassCloneTag, 0, "[options..] Authenticate and Clone from iClass bin file"}, {"decrypt", CmdHFiClassDecrypt, 1, "[f ] Decrypt tagdump" }, {"dump", CmdHFiClassReader_Dump, 0, "[options..] Authenticate and Dump iClass tag's AA1"}, @@ -1723,6 +1877,7 @@ static command_t CommandTable[] = int CmdHFiClass(const char *Cmd) { + clearCommandBuffer(); CmdsParse(CommandTable, Cmd); return 0; }