From: Oleg Moiseenko <olegmsn@gmail.com>
Date: Fri, 12 Oct 2018 12:13:58 +0000 (+0300)
Subject: small improvements in auth (#694)
X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/54e3cfcb74fbc02f7d1d16be8cd5338529acd58e

small improvements in auth (#694)
---

diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c
index a5de2e2a..63b1cda6 100644
--- a/client/cmdhf14a.c
+++ b/client/cmdhf14a.c
@@ -649,10 +649,12 @@ void DropField() {
 }
 
 int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leaveSignalON, uint8_t *dataout, int maxdataoutlen, int *dataoutlen) {
+	static bool responseNum = false;
 	uint16_t cmdc = 0;
 	*dataoutlen = 0;
 	
 	if (activateField) {
+		responseNum = false;
 		UsbCommand resp;
 
 		// Anticollision + SELECT card
@@ -695,8 +697,11 @@ int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leav
 	if (leaveSignalON)
 		cmdc |= ISO14A_NO_DISCONNECT;
 
-	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_APPEND_CRC | cmdc, (datainlen & 0xFFFF), 0}}; 
-	memcpy(c.d.asBytes, datain, datainlen);
+	UsbCommand c = {CMD_READER_ISO_14443a, {ISO14A_RAW | ISO14A_APPEND_CRC | cmdc, (datainlen & 0xFFFF) + 2, 0}}; 
+	uint8_t header[] = {0x0a | responseNum, 0x00};
+	responseNum ^= 1;
+	memcpy(c.d.asBytes, header, 2);
+	memcpy(&c.d.asBytes[2], datain, datainlen);
 	SendCommand(&c);
 	
     uint8_t *recv;
@@ -715,7 +720,12 @@ int ExchangeRAW14a(uint8_t *datain, int datainlen, bool activateField, bool leav
 			return 2;
 		}
 		
-		memcpy(dataout, recv, *dataoutlen);
+		if (recv[0] != header[0]) {
+			PrintAndLog("14aRAW ERROR: iso14443-4 framing error. Card send %2x must be %2x", dataout[0], header[0]);
+			return 2;
+		}
+		
+		memcpy(dataout, &recv[2], *dataoutlen);
 		
         if(!iLen) {
 			PrintAndLog("14aRAW ERROR: No card response.");
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 5efb4a41..eb85b8c5 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -2708,7 +2708,7 @@ int CmdHF14AMfAuth4(const char *cmd) {
 		return 1;
 	}
 
-	uint8_t cmd1[] = {0x0a, 0x00, 0x70, keyn[1], keyn[0], 0x00};
+	uint8_t cmd1[] = {0x70, keyn[1], keyn[0], 0x00};
 	int res = ExchangeRAW14a(cmd1, sizeof(cmd1), true, true, data, sizeof(data), &datalen);
 	if (res) {
 		PrintAndLog("ERROR exchande raw error: %d", res);
@@ -2718,45 +2718,37 @@ int CmdHF14AMfAuth4(const char *cmd) {
 	
 	PrintAndLog("<phase1: %s", sprint_hex(data, datalen));
 		
-	if (datalen < 3) {
+	if (datalen < 1) {
 		PrintAndLog("ERROR: card response length: %d", datalen);
 		DropField();
 		return 3;
 	}
 	
-	if (data[0] != 0x0a || data[1] != 0x00) {
-		PrintAndLog("ERROR: card response. Framing error. :%s", sprint_hex(data, 2));
-		DropField();
-		return 3;
-	}
-
-	if (data[2] != 0x90) {
+	if (data[0] != 0x90) {
 		PrintAndLog("ERROR: card response error: %02x", data[2]);
 		DropField();
 		return 3;
 	}
 
-	if (datalen != 19) {
-		PrintAndLog("ERROR: card response must be 16 bytes long instead of: %d", datalen);
+	if (datalen != 19) { // code 1b + 16b + crc 2b
+		PrintAndLog("ERROR: card response must be 19 bytes long instead of: %d", datalen);
 		DropField();
 		return 3;
 	}
 	
-    aes_decode(NULL, key, &data[3], Rnd2, 16);
+    aes_decode(NULL, key, &data[1], Rnd2, 16);
 	Rnd2[16] = Rnd2[0];
 	PrintAndLog("Rnd2: %s", sprint_hex(Rnd2, 16));
 
-	uint8_t cmd2[35] = {0};
-	cmd2[0] = 0x0b;
-	cmd2[1] = 0x00;
-	cmd2[2] = 0x72;
+	uint8_t cmd2[33] = {0};
+	cmd2[0] = 0x72;
 
 	uint8_t raw[32] = {0};
 	memmove(raw, Rnd1, 16);
 	memmove(&raw[16], &Rnd2[1], 16);
 
-    aes_encode(NULL, key, raw, &cmd2[3], 32);
-	PrintAndLog(">phase2: %s", sprint_hex(cmd2, 35));
+    aes_encode(NULL, key, raw, &cmd2[1], 32);
+	PrintAndLog(">phase2: %s", sprint_hex(cmd2, 33));
 	
 	res = ExchangeRAW14a(cmd2, sizeof(cmd2), false, false, data, sizeof(data), &datalen);
 	if (res) {
@@ -2767,7 +2759,7 @@ int CmdHF14AMfAuth4(const char *cmd) {
 	
 	PrintAndLog("<phase2: %s", sprint_hex(data, datalen));
 
-    aes_decode(NULL, key, &data[3], raw, 32);
+    aes_decode(NULL, key, &data[1], raw, 32);
 	PrintAndLog("res: %s", sprint_hex(raw, 32));
 	
 	PrintAndLog("Rnd1`: %s", sprint_hex(&raw[4], 16));