[proxmark3-svn] / client / cmdhfmfdes.c

//-----------------------------------------------------------------------------
// Copyright (C) 2014 Iceman
//
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
//-----------------------------------------------------------------------------
// High frequency MIFARE Desfire commands
//-----------------------------------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
//#include <openssl/des.h>
#include "loclass/des.h"
#include "cmdmain.h"
#include "proxmark3.h"
#include "../include/common.h"
#include "../include/mifare.h"
#include "../common/iso14443crc.h"
#include "data.h"
#include "ui.h"
#include "cmdparser.h"
#include "util.h"
#include "cmdhfmfdes.h"

uint8_t CMDPOS = 0;
uint8_t LENPOS = 1;

uint8_t key_zero_data[16] = { 0x00 };
uint8_t key_ones_data[16] = { 0x01 };
uint8_t key_defa_data[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
uint8_t key_picc_data[16] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f };

static int CmdHelp(const char *Cmd);
static void xor(unsigned char * dst, unsigned char * src, size_t len);
static int32_t le24toh (uint8_t data[3]);


int CmdHF14ADesWb(const char *Cmd)
{
/* 	uint8_t blockNo = 0;
	uint8_t keyType = 0;
	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
	uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
	
	char cmdp	= 0x00;

	if (strlen(Cmd)<3) {
		PrintAndLog("Usage:  hf mf wrbl    <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
		PrintAndLog("        sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
		return 0;
	}	

	blockNo = param_get8(Cmd, 0);
	cmdp = param_getchar(Cmd, 1);
	if (cmdp == 0x00) {
		PrintAndLog("Key type must be A or B");
		return 1;
	}
	if (cmdp != 'A' && cmdp != 'a') keyType = 1;
	if (param_gethex(Cmd, 2, key, 12)) {
		PrintAndLog("Key must include 12 HEX symbols");
		return 1;
	}
	if (param_gethex(Cmd, 3, bldata, 32)) {
		PrintAndLog("Block data must include 32 HEX symbols");
		return 1;
	}
	PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
	PrintAndLog("--data: %s", sprint_hex(bldata, 16));
	
  UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
	memcpy(c.d.asBytes, key, 6);
	memcpy(c.d.asBytes + 10, bldata, 16);
  SendCommand(&c);

	UsbCommand resp;
	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
		uint8_t isOK  = resp.arg[0] & 0xff;
		PrintAndLog("isOk:%02x", isOK);
	} else {
		PrintAndLog("Command execute timeout");
	}
 */
	return 0;
}

int CmdHF14ADesRb(const char *Cmd)
{
	// uint8_t blockNo = 0;
	// uint8_t keyType = 0;
	// uint8_t key[6] = {0, 0, 0, 0, 0, 0};
	
	// char cmdp	= 0x00;


	// if (strlen(Cmd)<3) {
		// PrintAndLog("Usage:  hf mf rdbl    <block number> <key A/B> <key (12 hex symbols)>");
		// PrintAndLog("        sample: hf mf rdbl 0 A FFFFFFFFFFFF ");
		// return 0;
	// }	
	
	// blockNo = param_get8(Cmd, 0);
	// cmdp = param_getchar(Cmd, 1);
	// if (cmdp == 0x00) {
		// PrintAndLog("Key type must be A or B");
		// return 1;
	// }
	// if (cmdp != 'A' && cmdp != 'a') keyType = 1;
	// if (param_gethex(Cmd, 2, key, 12)) {
		// PrintAndLog("Key must include 12 HEX symbols");
		// return 1;
	// }
	// PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
	
  // UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
	// memcpy(c.d.asBytes, key, 6);
  // SendCommand(&c);

	// UsbCommand resp;
	// if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
		// uint8_t                isOK  = resp.arg[0] & 0xff;
		// uint8_t              * data  = resp.d.asBytes;

		// if (isOK)
			// PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
		// else
			// PrintAndLog("isOk:%02x", isOK);
	// } else {
		// PrintAndLog("Command execute timeout");
	// }

  return 0;
}

int CmdHF14ADesInfo(const char *Cmd){

	UsbCommand c = {CMD_MIFARE_DESFIRE_INFO};
    SendCommand(&c);
	UsbCommand resp;
	
	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
		PrintAndLog("Command execute timeout");
		return 0;
	}
	uint8_t isOK  = resp.arg[0] & 0xff;
	if ( !isOK ){
		PrintAndLog("Command unsuccessful");
		return 0;
	}  
	PrintAndLog("");
	PrintAndLog("-- Desfire Information --------------------------------------");
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog("  UID                : %s",sprint_hex(resp.d.asBytes, 7));
	PrintAndLog("  Batch number       : %s",sprint_hex(resp.d.asBytes+28,5));
	PrintAndLog("  Production date    : week %02x, 20%02x",resp.d.asBytes[33], resp.d.asBytes[34]);
	PrintAndLog("  -----------------------------------------------------------");
	PrintAndLog("  Hardware Information");
	PrintAndLog("      Vendor Id      : %s", GetVendorStr(resp.d.asBytes[7]));
	PrintAndLog("      Type           : 0x%02X",resp.d.asBytes[8]);
	PrintAndLog("      Subtype        : 0x%02X",resp.d.asBytes[9]);
	PrintAndLog("      Version        : %d.%d",resp.d.asBytes[10], resp.d.asBytes[11]);
	PrintAndLog("      Storage size   : %s",GetCardSizeStr(resp.d.asBytes[12]));
	PrintAndLog("      Protocol       : %s",GetProtocolStr(resp.d.asBytes[13]));
	PrintAndLog("  -----------------------------------------------------------");
	PrintAndLog("  Software Information");
	PrintAndLog("      Vendor Id      : %s",GetVendorStr(resp.d.asBytes[14]));
	PrintAndLog("      Type           : 0x%02X",resp.d.asBytes[15]);
	PrintAndLog("      Subtype        : 0x%02X",resp.d.asBytes[16]);
	PrintAndLog("      Version        : %d.%d",resp.d.asBytes[17], resp.d.asBytes[18]);
	PrintAndLog("      storage size   : %s", GetCardSizeStr(resp.d.asBytes[19]));
	PrintAndLog("      Protocol       : %s", GetProtocolStr(resp.d.asBytes[20]));
	PrintAndLog("-------------------------------------------------------------");
	
	// Master Key settings
	GetKeySettings(NULL);
	
	// Free memory on card
	c.cmd = CMD_MIFARE_DESFIRE;
	c.arg[0] = (INIT | DISCONNECT);
	c.arg[1] = 0x01;
	c.d.asBytes[0] = GET_FREE_MEMORY;
    SendCommand(&c);
	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
		return 0;
	}  
	
	uint8_t tmp[3];
	memcpy(tmp, resp.d.asBytes+3,3); 

	PrintAndLog("   Available free memory on card       : %d bytes", le24toh( tmp ));
	PrintAndLog("-------------------------------------------------------------");

	/*
		Card Master key (CMK)        0x00 AID = 00 00 00 (card level)
		Application Master Key (AMK) 0x00 AID != 00 00 00
		Application keys (APK)       0x01-0x0D
		Application free             0x0E
		Application never            0x0F
		
		ACCESS RIGHTS:
		keys 0,1,2,3     C
		keys 4,5,6,7     RW
		keys 8,9,10,11   W
		keys 12,13,14,15 R
	
	*/
	
    return 1;
}

char * GetVendorStr( uint8_t id){
 	static char buf[30];
	char *retStr = buf;
	
	if ( id == 0x04 )
		sprintf(retStr, "0x%02X (NXP)",id);
	else 
		sprintf(retStr,"0x%02X (Unknown)",id);
	return buf;
}

/*
  The 7 MSBits (= n) code the storage size itself based on 2^n, 
  the LSBit is set to '0' if the size is exactly 2^n
	and set to '1' if the storage size is between 2^n and 2^(n+1). 
	For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'.
*/
char * GetCardSizeStr( uint8_t fsize ){
 
 	static char buf[30];
	char *retStr = buf;

	uint16_t usize = 1 << ((fsize >>1) + 1);
	uint16_t lsize = 1 << (fsize >>1);
	
	// is  LSB set?
	if (  fsize & 1 )
		sprintf(retStr, "0x%02X (%d - %d bytes)",fsize, usize, lsize);
	else 
		sprintf(retStr, "0x%02X (%d bytes)", fsize, lsize);		
	return buf;
}

char * GetProtocolStr(uint8_t id){

 	static char buf[30];
	char *retStr = buf;

	if ( id == 0x05)
		sprintf(retStr,"0x%02X (ISO 14443-3, 14443-4)", id);
	else
		sprintf(retStr,"0x%02X (Unknown)", id);	
	return buf;
}

void GetKeySettings( uint8_t *aid){
	
	char messStr[512] = {0x00};
	char *str = messStr;
	uint8_t isOK = 0;
	uint32_t options = NONE;
	UsbCommand c;
	UsbCommand resp;

	//memset(messStr, 0x00, 512);
	
	c.cmd = CMD_MIFARE_DESFIRE;
	
	if ( aid == NULL ){
		PrintAndLog(" CMK - PICC, Card Master Key settings ");
		PrintAndLog("");
		c.arg[CMDPOS] = (INIT | DISCONNECT);
		c.arg[LENPOS] =  0x01;
		c.d.asBytes[0] = GET_KEY_SETTINGS;  // 0x45
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}  
		isOK  = resp.arg[0] & 0xff;
		if ( !isOK ){
			PrintAndLog("   Can't select master application");	
			return;
		}	

		str = (resp.d.asBytes[3] & (1 << 3 )) ? "YES":"NO";	
		PrintAndLog("   [0x08] Configuration changeable       : %s", str);
		str = (resp.d.asBytes[3] & (1 << 2 )) ? "NO":"YES";
		PrintAndLog("   [0x04] CMK required for create/delete : %s",str);
		str = (resp.d.asBytes[3] & (1 << 1 )) ? "NO":"YES";
		PrintAndLog("   [0x02] Directory list access with CMK : %s",str);
		str = (resp.d.asBytes[3] & (1 << 0 )) ? "YES" : "NO";
		PrintAndLog("   [0x01] CMK is changeable              : %s", str);
			
		c.arg[LENPOS] = 0x02; //LEN
		c.d.asBytes[0] = GET_KEY_VERSION; //0x64
		c.d.asBytes[1] = 0x00;
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {
			return;
		}
		isOK  = resp.arg[0] & 0xff;
		if ( !isOK ){
			PrintAndLog("   Can't read key-version");
			return;
		}
		PrintAndLog("");
		PrintAndLog("   Max number of keys       : %d", resp.d.asBytes[4]);
		PrintAndLog("   Master key Version       : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]);
		PrintAndLog("   ----------------------------------------------------------");
		
		c.arg[LENPOS] = 0x02; //LEN
		c.d.asBytes[0] = AUTHENTICATE; //0x0A
		c.d.asBytes[1] = 0x00; // KEY 0
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
		isOK  = resp.d.asBytes[2] & 0xff;
		PrintAndLog("   [0x0A] Authenticate      : %s", ( isOK==0xAE ) ? "NO":"YES");

		c.d.asBytes[0] = AUTHENTICATE_ISO; //0x1A
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
		isOK  = resp.d.asBytes[2] & 0xff;
		PrintAndLog("   [0x1A] Authenticate ISO  : %s", ( isOK==0xAE ) ? "NO":"YES");
		
		c.d.asBytes[0] = AUTHENTICATE_AES; //0xAA
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
		isOK  = resp.d.asBytes[2] & 0xff;
		PrintAndLog("   [0xAA] Authenticate AES  : %s", ( isOK==0xAE ) ? "NO":"YES");
		PrintAndLog("");
		PrintAndLog("   ----------------------------------------------------------");
		
	} else {
		PrintAndLog(" AMK - Application Master Key settings");
		
		// SELECT AID
		c.arg[0] = (INIT | CLEARTRACE);
		c.arg[LENPOS] = 0x04;
		c.d.asBytes[0] = SELECT_APPLICATION;  // 0x5a
		memcpy(c.d.asBytes+1, aid, 3);
		SendCommand(&c);
		
		if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
			PrintAndLog("   Timed-out");
			return;
		} 
		isOK  = resp.arg[0] & 0xff;
		if ( !isOK ){
			PrintAndLog("   Can't select AID: %s",sprint_hex(aid,3));	
			return;
		}		
		
		// KEY SETTINGS
		options = NONE;
		c.arg[0] = options;
		c.arg[LENPOS] = 0x01;
		c.d.asBytes[0] = GET_KEY_SETTINGS; // 0x45		
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
			return;
		}
		isOK  = resp.arg[0] & 0xff;
		if ( !isOK ){
			PrintAndLog("   Can't read Application Master key settings");
		} else {
			// Access rights.
			uint8_t rights = (resp.d.asBytes[3] >> 4 && 0xff);
			switch (rights){
				case 0x00:
					str = "AMK authentication is necessary to change any key (default)";
					break;
				case 0x0e:
					str = "Authentication with the key to be changed (same KeyNo) is necessary to change a key";
					break;
				case 0x0f:
					str = "All keys (except AMK,see Bit0) within this application are frozen";
					break;
				default:
					str = "Authentication with the specified key is necessary to change any ley. A change key and a PICC master key (CMK) can only be changed after authentication with the master key. For keys other then the master or change key, an authentication with the same key is needed.";
					break;
			}
			PrintAndLog("Changekey Access rights");
			PrintAndLog("-- %s",str);
			PrintAndLog("");	
			// same as CMK
			str = (resp.d.asBytes[3] & (1 << 3 )) ? "YES":"NO";	
			PrintAndLog("   0x08 Configuration changeable       : %s", str);
			str = (resp.d.asBytes[3] & (1 << 2 )) ? "NO":"YES";
			PrintAndLog("   0x04 AMK required for create/delete : %s",str);
			str = (resp.d.asBytes[3] & (1 << 1 )) ? "NO":"YES";
			PrintAndLog("   0x02 Directory list access with AMK : %s",str);
			str = (resp.d.asBytes[3] & (1 << 0 )) ? "YES" : "NO";
			PrintAndLog("   0x01 AMK is changeable              : %s", str);
		}
		
		// KEY VERSION  - AMK 
		c.arg[0] = NONE;
		c.arg[LENPOS] = 0x02;
		c.d.asBytes[0] = GET_KEY_VERSION; //0x64
		c.d.asBytes[1] = 0x00;
		SendCommand(&c);
		if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
			PrintAndLog("   Timed-out");
			return;
		}
		
		int numOfKeys;
		
		isOK  = resp.arg[0] & 0xff;
		if ( !isOK ){
			PrintAndLog("   Can't read Application Master key version. Trying all keys");
			numOfKeys = MAX_NUM_KEYS;
		}
		else{
			numOfKeys = resp.d.asBytes[4];
			PrintAndLog("");
			PrintAndLog("     Max number of keys  : %d", numOfKeys );
			PrintAndLog("     Application Master key Version  : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]);
			PrintAndLog("-------------------------------------------------------------");			
		}
		
		// LOOP over numOfKeys that we got before. 
		// From 0x01 to numOfKeys.  We already got 0x00. (AMK)
		for(int i=0x01; i<=0x0f; ++i){
					
		}
		
		
	}
}

int CmdHF14ADesEnumApplications(const char *Cmd){
	
	uint8_t isOK = 0x00;
	uint8_t aid[3];
	uint32_t options = (INIT | DISCONNECT);
	
	UsbCommand c = {CMD_MIFARE_DESFIRE, {options , 0x01 }};
	c.d.asBytes[0] = GET_APPLICATION_IDS;  //0x6a
	
    SendCommand(&c);
	UsbCommand resp;
		
	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
		return 0;
	}  
	isOK  = resp.arg[0] & 0xff;
	if ( !isOK ){
		PrintAndLog("Command unsuccessful");
		return 0;
	} 
	PrintAndLog("");	
	PrintAndLog("-- Desfire Enumerate Applications ---------------------------");
	PrintAndLog("-------------------------------------------------------------");

	UsbCommand respAid;
	UsbCommand respFiles;
	
	uint8_t num = 0;
	int max = resp.arg[1] -3 -2;
	
	for(int i=3; i<=max; i+=3){
		PrintAndLog(" Aid %d : %02X %02X %02X ",num ,resp.d.asBytes[i],resp.d.asBytes[i+1],resp.d.asBytes[i+2]);
		num++;
		
		aid[0] = resp.d.asBytes[i];
		aid[1] = resp.d.asBytes[i+1];
		aid[2] = resp.d.asBytes[i+2];
		GetKeySettings(aid);
		
		// Select Application
		c.arg[CMDPOS] = INIT;
		c.arg[LENPOS] = 0x04; 
		c.d.asBytes[0] = SELECT_APPLICATION;  // 0x5a
		c.d.asBytes[1] = resp.d.asBytes[i];
		c.d.asBytes[2] = resp.d.asBytes[i+1];		
		c.d.asBytes[3] = resp.d.asBytes[i+2];
		SendCommand(&c);
		
		if (!WaitForResponseTimeout(CMD_ACK,&respAid,1500) ) {
			PrintAndLog("   Timed-out");
			continue;
		} 
		isOK  = respAid.d.asBytes[2] & 0xff;
		if ( isOK != 0x00 ){
			PrintAndLog("   Can't select AID: %s",sprint_hex(resp.d.asBytes+i,3));	
			continue;
		}
	
		// Get File IDs
		c.arg[CMDPOS] = NONE;
		c.arg[LENPOS] = 0x01;
		c.d.asBytes[0] = GET_FILE_IDS; // 0x6f
		SendCommand(&c);
		
		if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) {
			PrintAndLog("   Timed-out");
			continue;
		} else {
			isOK  = respFiles.d.asBytes[2] & 0xff;
			if ( !isOK ){
				PrintAndLog("   Can't get file ids ");
			} else {			
				int respfileLen = resp.arg[1]-3-2;			
				for (int j=0; j< respfileLen; ++j){
					PrintAndLog("   Fileid %d :", resp.d.asBytes[j+3]);
				}
			}
		}
		
		// Get ISO File IDs
		c.arg[CMDPOS] = DISCONNECT;
		c.arg[LENPOS] = 0x01;
		c.d.asBytes[0] = GET_ISOFILE_IDS; // 0x61
		SendCommand(&c);
		
		if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) {
			PrintAndLog("   Timed-out");
			continue;
		} else {
			isOK  = respFiles.d.asBytes[2] & 0xff;
			if ( !isOK ){
				PrintAndLog("   Can't get ISO file ids ");
			} else {			
				int respfileLen = resp.arg[1]-3-2;			
				for (int j=0; j< respfileLen; ++j){
					PrintAndLog(" ISO  Fileid %d :", resp.d.asBytes[j+3]);
				}
			}
		}
		
		
	}
	PrintAndLog("-------------------------------------------------------------");
	
	
	return 1;
}

// MIAFRE DesFire Authentication
//
#define BUFSIZE 256 
int CmdHF14ADesAuth(const char *Cmd){
    
	// NR  DESC		KEYLENGHT
	// ------------------------
	// 1 = DES		8
	// 2 = 3DES		16
	// 3 = 3K 3DES	24
	// 4 = AES		16

	uint8_t keylength = 8;
	unsigned char key[24];	
	
    if (strlen(Cmd)<3) {
        PrintAndLog("Usage:  hf mfdes auth <1|2|3> <1|2|3|4> <keyno> <key> ");
		PrintAndLog("		    Auth modes");
		PrintAndLog("                 1 = normal, 2 = iso, 3 = aes");
		PrintAndLog("		    Crypto");
		PrintAndLog("                 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES");
		PrintAndLog("");
        PrintAndLog("        sample: hf mfdes auth 1 1 0 11223344");
		PrintAndLog("        sample: hf mfdes auth 3 4 0 404142434445464748494a4b4c4d4e4f");
        return 0;
    } 
	uint8_t cmdAuthMode	= param_get8(Cmd,0);
	uint8_t cmdAuthAlgo	= param_get8(Cmd,1);
	uint8_t cmdKeyNo	= param_get8(Cmd,2);
	
	switch (cmdAuthMode)
	{
		case 1: 
			if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2) {
				PrintAndLog("Crypto algo not valid for the auth mode");
				return 1;
			}
			break;
		case 2:
			if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) {
				PrintAndLog("Crypto algo not valid for the auth mode");
				return 1;
			}
			break;
		case 3:
			if ( cmdAuthAlgo != 4) {
				PrintAndLog("Crypto algo not valid for the auth mode");
				return 1;
			}
			break;
		default:
			PrintAndLog("Wrong Auth mode");
			return 1;
			break;
	}
	
	switch (cmdAuthAlgo){
		case 2: 
			keylength = 16;
			PrintAndLog("3DES selected");
			break;
		case 3: 
			keylength = 24;
			PrintAndLog("3 key 3DES selected");
			break;
		case 4:
			keylength = 16;
			PrintAndLog("AES selected");
			break;
		default:
			cmdAuthAlgo = 1;
			keylength = 8;
			PrintAndLog("DES selected");
			break;
	}

	// key
	if (param_gethex(Cmd, 3, key, keylength*2)) {
		PrintAndLog("Key must include %d HEX symbols", keylength);
		return 1;
	}
Commit	Line	Data
f38a1528	1	//-----------------------------------------------------------------------------
	2	// Copyright (C) 2014 Iceman
	3	//
	4	// This code is licensed to you under the terms of the GNU GPL, version 2 or,
	5	// at your option, any later version. See the LICENSE.txt file for the text of
	6	// the license.
	7	//-----------------------------------------------------------------------------
	8	// High frequency MIFARE Desfire commands
	9	//-----------------------------------------------------------------------------
	10
	11	#include <stdio.h>
	12	#include <stdlib.h>
	13	#include <string.h>
	14	#include <ctype.h>
0ec548dc	15	//#include <openssl/des.h>
0ec548dc	16	#include "loclass/des.h"
f38a1528	17	#include "cmdmain.h"
	18	#include "proxmark3.h"
	19	#include "../include/common.h"
	20	#include "../include/mifare.h"
	21	#include "../common/iso14443crc.h"
	22	#include "data.h"
	23	#include "ui.h"
	24	#include "cmdparser.h"
	25	#include "util.h"
	26	#include "cmdhfmfdes.h"
	27
f6c18637	28	uint8_t CMDPOS = 0;
f6c18637	29	uint8_t LENPOS = 1;
f38a1528	30
95e63594	31	uint8_t key_zero_data[16] = { 0x00 };
95e63594	32	uint8_t key_ones_data[16] = { 0x01 };
f38a1528	33	uint8_t key_defa_data[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
f6c18637	34	uint8_t key_picc_data[16] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f };
f38a1528	35
	36	static int CmdHelp(const char *Cmd);
	37	static void xor(unsigned char * dst, unsigned char * src, size_t len);
	38	static int32_t le24toh (uint8_t data[3]);
	39
	40
	41	int CmdHF14ADesWb(const char *Cmd)
	42	{
	43	/* uint8_t blockNo = 0;
	44	uint8_t keyType = 0;
	45	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
	46	uint8_t bldata[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
	47
	48	char cmdp = 0x00;
	49
	50	if (strlen(Cmd)<3) {
	51	PrintAndLog("Usage: hf mf wrbl <block number> <key A/B> <key (12 hex symbols)> <block data (32 hex symbols)>");
	52	PrintAndLog(" sample: hf mf wrbl 0 A FFFFFFFFFFFF 000102030405060708090A0B0C0D0E0F");
	53	return 0;
	54	}
	55
	56	blockNo = param_get8(Cmd, 0);
	57	cmdp = param_getchar(Cmd, 1);
	58	if (cmdp == 0x00) {
	59	PrintAndLog("Key type must be A or B");
	60	return 1;
	61	}
	62	if (cmdp != 'A' && cmdp != 'a') keyType = 1;
	63	if (param_gethex(Cmd, 2, key, 12)) {
	64	PrintAndLog("Key must include 12 HEX symbols");
	65	return 1;
	66	}
	67	if (param_gethex(Cmd, 3, bldata, 32)) {
	68	PrintAndLog("Block data must include 32 HEX symbols");
	69	return 1;
	70	}
	71	PrintAndLog("--block no:%02x key type:%02x key:%s", blockNo, keyType, sprint_hex(key, 6));
	72	PrintAndLog("--data: %s", sprint_hex(bldata, 16));
	73
	74	UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
	75	memcpy(c.d.asBytes, key, 6);
	76	memcpy(c.d.asBytes + 10, bldata, 16);
	77	SendCommand(&c);
	78
	79	UsbCommand resp;
	80	if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
	81	uint8_t isOK = resp.arg[0] & 0xff;
	82	PrintAndLog("isOk:%02x", isOK);
	83	} else {
	84	PrintAndLog("Command execute timeout");
	85	}
	86	*/
	87	return 0;
	88	}
	89
	90	int CmdHF14ADesRb(const char *Cmd)
	91	{
	92	// uint8_t blockNo = 0;
	93	// uint8_t keyType = 0;
	94	// uint8_t key[6] = {0, 0, 0, 0, 0, 0};
	95
	96	// char cmdp = 0x00;
	97
	98
99	// if (strlen(Cmd)<3) {
100	// PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>");
101	// PrintAndLog(" sample: hf mf rdbl 0 A FFFFFFFFFFFF ");
102	// return 0;
103	// }
104
105	// blockNo = param_get8(Cmd, 0);
106	// cmdp = param_getchar(Cmd, 1);
107	// if (cmdp == 0x00) {
108	// PrintAndLog("Key type must be A or B");
109	// return 1;
110	// }
111	// if (cmdp != 'A' && cmdp != 'a') keyType = 1;
112	// if (param_gethex(Cmd, 2, key, 12)) {
113	// PrintAndLog("Key must include 12 HEX symbols");
114	// return 1;
115	// }
116	// PrintAndLog("--block no:%02x key type:%02x key:%s ", blockNo, keyType, sprint_hex(key, 6));
117
118	// UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
119	// memcpy(c.d.asBytes, key, 6);
120	// SendCommand(&c);
121
122	// UsbCommand resp;
123	// if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
124	// uint8_t isOK = resp.arg[0] & 0xff;
125	// uint8_t * data = resp.d.asBytes;
126
127	// if (isOK)
128	// PrintAndLog("isOk:%02x data:%s", isOK, sprint_hex(data, 16));
129	// else
130	// PrintAndLog("isOk:%02x", isOK);
131	// } else {
132	// PrintAndLog("Command execute timeout");
133	// }
134
135	return 0;
136	}
137
138	int CmdHF14ADesInfo(const char *Cmd){
139
313ee67e	140	UsbCommand c = {CMD_MIFARE_DESFIRE_INFO};
f38a1528	141	SendCommand(&c);
	142	UsbCommand resp;
	143
313ee67e	144	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
f38a1528	145	PrintAndLog("Command execute timeout");
f38a1528	146	return 0;
313ee67e	147	}
	148	uint8_t isOK = resp.arg[0] & 0xff;
	149	if ( !isOK ){
3d93d4f9	150	PrintAndLog("Command unsuccessful");
313ee67e	151	return 0;
f38a1528	152	}
f6c18637	153	PrintAndLog("");
f6c18637	154	PrintAndLog("-- Desfire Information --------------------------------------");
f38a1528	155	PrintAndLog("-------------------------------------------------------------");
	156	PrintAndLog(" UID : %s",sprint_hex(resp.d.asBytes, 7));
	157	PrintAndLog(" Batch number : %s",sprint_hex(resp.d.asBytes+28,5));
	158	PrintAndLog(" Production date : week %02x, 20%02x",resp.d.asBytes[33], resp.d.asBytes[34]);
f6c18637	159	PrintAndLog(" -----------------------------------------------------------");
f38a1528	160	PrintAndLog(" Hardware Information");
	161	PrintAndLog(" Vendor Id : %s", GetVendorStr(resp.d.asBytes[7]));
	162	PrintAndLog(" Type : 0x%02X",resp.d.asBytes[8]);
	163	PrintAndLog(" Subtype : 0x%02X",resp.d.asBytes[9]);
	164	PrintAndLog(" Version : %d.%d",resp.d.asBytes[10], resp.d.asBytes[11]);
	165	PrintAndLog(" Storage size : %s",GetCardSizeStr(resp.d.asBytes[12]));
	166	PrintAndLog(" Protocol : %s",GetProtocolStr(resp.d.asBytes[13]));
f6c18637	167	PrintAndLog(" -----------------------------------------------------------");
f38a1528	168	PrintAndLog(" Software Information");
	169	PrintAndLog(" Vendor Id : %s",GetVendorStr(resp.d.asBytes[14]));
	170	PrintAndLog(" Type : 0x%02X",resp.d.asBytes[15]);
	171	PrintAndLog(" Subtype : 0x%02X",resp.d.asBytes[16]);
	172	PrintAndLog(" Version : %d.%d",resp.d.asBytes[17], resp.d.asBytes[18]);
	173	PrintAndLog(" storage size : %s", GetCardSizeStr(resp.d.asBytes[19]));
	174	PrintAndLog(" Protocol : %s", GetProtocolStr(resp.d.asBytes[20]));
	175	PrintAndLog("-------------------------------------------------------------");
	176
f6c18637	177	// Master Key settings
f6c18637	178	GetKeySettings(NULL);
313ee67e	179
f6c18637	180	// Free memory on card
	181	c.cmd = CMD_MIFARE_DESFIRE;
	182	c.arg[0] = (INIT \| DISCONNECT);
	183	c.arg[1] = 0x01;
	184	c.d.asBytes[0] = GET_FREE_MEMORY;
	185	SendCommand(&c);
313ee67e	186	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
	187	return 0;
	188	}
	189
f38a1528	190	uint8_t tmp[3];
313ee67e	191	memcpy(tmp, resp.d.asBytes+3,3);
f38a1528	192
f6c18637	193	PrintAndLog(" Available free memory on card : %d bytes", le24toh( tmp ));
f38a1528	194	PrintAndLog("-------------------------------------------------------------");
3d93d4f9	195
f38a1528	196	/*
75465377	197	Card Master key (CMK) 0x00 AID = 00 00 00 (card level)
	198	Application Master Key (AMK) 0x00 AID != 00 00 00
	199	Application keys (APK) 0x01-0x0D
	200	Application free 0x0E
	201	Application never 0x0F
f38a1528	202
	203	ACCESS RIGHTS:
	204	keys 0,1,2,3 C
	205	keys 4,5,6,7 RW
	206	keys 8,9,10,11 W
	207	keys 12,13,14,15 R
f6c18637	208
f38a1528	209	*/
f38a1528	210
f38a1528	211	return 1;
	212	}
	213
	214	char * GetVendorStr( uint8_t id){
	215	static char buf[30];
	216	char *retStr = buf;
	217
	218	if ( id == 0x04 )
	219	sprintf(retStr, "0x%02X (NXP)",id);
	220	else
	221	sprintf(retStr,"0x%02X (Unknown)",id);
	222	return buf;
	223	}
	224
	225	/*
	226	The 7 MSBits (= n) code the storage size itself based on 2^n,
	227	the LSBit is set to '0' if the size is exactly 2^n
	228	and set to '1' if the storage size is between 2^n and 2^(n+1).
	229	For this version of DESFire the 7 MSBits are set to 0x0C (2^12 = 4096) and the LSBit is '0'.
	230	*/
	231	char * GetCardSizeStr( uint8_t fsize ){
	232
	233	static char buf[30];
	234	char *retStr = buf;
	235
	236	uint16_t usize = 1 << ((fsize >>1) + 1);
	237	uint16_t lsize = 1 << (fsize >>1);
	238
	239	// is LSB set?
0ec548dc	240	if ( fsize & 1 )
f38a1528	241	sprintf(retStr, "0x%02X (%d - %d bytes)",fsize, usize, lsize);
	242	else
	243	sprintf(retStr, "0x%02X (%d bytes)", fsize, lsize);
	244	return buf;
	245	}
	246
	247	char * GetProtocolStr(uint8_t id){
	248
	249	static char buf[30];
	250	char *retStr = buf;
	251
	252	if ( id == 0x05)
	253	sprintf(retStr,"0x%02X (ISO 14443-3, 14443-4)", id);
	254	else
0ec548dc	255	sprintf(retStr,"0x%02X (Unknown)", id);
f38a1528	256	return buf;
	257	}
	258
f6c18637	259	void GetKeySettings( uint8_t *aid){
3d93d4f9	260
f6c18637	261	char messStr[512] = {0x00};
	262	char *str = messStr;
	263	uint8_t isOK = 0;
	264	uint32_t options = NONE;
	265	UsbCommand c;
	266	UsbCommand resp;
	267
	268	//memset(messStr, 0x00, 512);
75465377	269
f6c18637	270	c.cmd = CMD_MIFARE_DESFIRE;
	271
	272	if ( aid == NULL ){
	273	PrintAndLog(" CMK - PICC, Card Master Key settings ");
	274	PrintAndLog("");
	275	c.arg[CMDPOS] = (INIT \| DISCONNECT);
	276	c.arg[LENPOS] = 0x01;
	277	c.d.asBytes[0] = GET_KEY_SETTINGS; // 0x45
	278	SendCommand(&c);
	279	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
	280	isOK = resp.arg[0] & 0xff;
	281	if ( !isOK ){
	282	PrintAndLog(" Can't select master application");
	283	return;
	284	}
	285
	286	str = (resp.d.asBytes[3] & (1 << 3 )) ? "YES":"NO";
	287	PrintAndLog(" [0x08] Configuration changeable : %s", str);
	288	str = (resp.d.asBytes[3] & (1 << 2 )) ? "NO":"YES";
	289	PrintAndLog(" [0x04] CMK required for create/delete : %s",str);
	290	str = (resp.d.asBytes[3] & (1 << 1 )) ? "NO":"YES";
	291	PrintAndLog(" [0x02] Directory list access with CMK : %s",str);
	292	str = (resp.d.asBytes[3] & (1 << 0 )) ? "YES" : "NO";
	293	PrintAndLog(" [0x01] CMK is changeable : %s", str);
	294
	295	c.arg[LENPOS] = 0x02; //LEN
	296	c.d.asBytes[0] = GET_KEY_VERSION; //0x64
	297	c.d.asBytes[1] = 0x00;
	298	SendCommand(&c);
	299	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {
	300	return;
	301	}
	302	isOK = resp.arg[0] & 0xff;
	303	if ( !isOK ){
	304	PrintAndLog(" Can't read key-version");
	305	return;
	306	}
	307	PrintAndLog("");
	308	PrintAndLog(" Max number of keys : %d", resp.d.asBytes[4]);
	309	PrintAndLog(" Master key Version : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]);
	310	PrintAndLog(" ----------------------------------------------------------");
	311
	312	c.arg[LENPOS] = 0x02; //LEN
	313	c.d.asBytes[0] = AUTHENTICATE; //0x0A
	314	c.d.asBytes[1] = 0x00; // KEY 0
	315	SendCommand(&c);
	316	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
	317	isOK = resp.d.asBytes[2] & 0xff;
	318	PrintAndLog(" [0x0A] Authenticate : %s", ( isOK==0xAE ) ? "NO":"YES");
	319
	320	c.d.asBytes[0] = AUTHENTICATE_ISO; //0x1A
	321	SendCommand(&c);
	322	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
	323	isOK = resp.d.asBytes[2] & 0xff;
	324	PrintAndLog(" [0x1A] Authenticate ISO : %s", ( isOK==0xAE ) ? "NO":"YES");
	325
	326	c.d.asBytes[0] = AUTHENTICATE_AES; //0xAA
	327	SendCommand(&c);
	328	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1000) ) {return;}
	329	isOK = resp.d.asBytes[2] & 0xff;
	330	PrintAndLog(" [0xAA] Authenticate AES : %s", ( isOK==0xAE ) ? "NO":"YES");
	331	PrintAndLog("");
	332	PrintAndLog(" ----------------------------------------------------------");
	333
334	} else {
335	PrintAndLog(" AMK - Application Master Key settings");
336
337	// SELECT AID
338	c.arg[0] = (INIT \| CLEARTRACE);
339	c.arg[LENPOS] = 0x04;
340	c.d.asBytes[0] = SELECT_APPLICATION; // 0x5a
341	memcpy(c.d.asBytes+1, aid, 3);
342	SendCommand(&c);
343
344	if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
345	PrintAndLog(" Timed-out");
346	return;
347	}
348	isOK = resp.arg[0] & 0xff;
349	if ( !isOK ){
350	PrintAndLog(" Can't select AID: %s",sprint_hex(aid,3));
351	return;
352	}
353
354	// KEY SETTINGS
355	options = NONE;
356	c.arg[0] = options;
357	c.arg[LENPOS] = 0x01;
358	c.d.asBytes[0] = GET_KEY_SETTINGS; // 0x45
359	SendCommand(&c);
360	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
361	return;
362	}
363	isOK = resp.arg[0] & 0xff;
364	if ( !isOK ){
365	PrintAndLog(" Can't read Application Master key settings");
366	} else {
367	// Access rights.
368	uint8_t rights = (resp.d.asBytes[3] >> 4 && 0xff);
369	switch (rights){
370	case 0x00:
371	str = "AMK authentication is necessary to change any key (default)";
372	break;
373	case 0x0e:
374	str = "Authentication with the key to be changed (same KeyNo) is necessary to change a key";
375	break;
376	case 0x0f:
377	str = "All keys (except AMK,see Bit0) within this application are frozen";
378	break;
379	default:
380	str = "Authentication with the specified key is necessary to change any ley. A change key and a PICC master key (CMK) can only be changed after authentication with the master key. For keys other then the master or change key, an authentication with the same key is needed.";
381	break;
382	}
383	PrintAndLog("Changekey Access rights");
384	PrintAndLog("-- %s",str);
385	PrintAndLog("");
386	// same as CMK
387	str = (resp.d.asBytes[3] & (1 << 3 )) ? "YES":"NO";
388	PrintAndLog(" 0x08 Configuration changeable : %s", str);
389	str = (resp.d.asBytes[3] & (1 << 2 )) ? "NO":"YES";
390	PrintAndLog(" 0x04 AMK required for create/delete : %s",str);
391	str = (resp.d.asBytes[3] & (1 << 1 )) ? "NO":"YES";
392	PrintAndLog(" 0x02 Directory list access with AMK : %s",str);
393	str = (resp.d.asBytes[3] & (1 << 0 )) ? "YES" : "NO";
394	PrintAndLog(" 0x01 AMK is changeable : %s", str);
395	}
396
397	// KEY VERSION - AMK
398	c.arg[0] = NONE;
399	c.arg[LENPOS] = 0x02;
400	c.d.asBytes[0] = GET_KEY_VERSION; //0x64
401	c.d.asBytes[1] = 0x00;
402	SendCommand(&c);
403	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
404	PrintAndLog(" Timed-out");
405	return;
406	}
407
408	int numOfKeys;
409
410	isOK = resp.arg[0] & 0xff;
411	if ( !isOK ){
412	PrintAndLog(" Can't read Application Master key version. Trying all keys");
413	numOfKeys = MAX_NUM_KEYS;
414	}
415	else{
416	numOfKeys = resp.d.asBytes[4];
417	PrintAndLog("");
418	PrintAndLog(" Max number of keys : %d", numOfKeys );
419	PrintAndLog(" Application Master key Version : %d (0x%02x)", resp.d.asBytes[3], resp.d.asBytes[3]);
420	PrintAndLog("-------------------------------------------------------------");
421	}
422
423	// LOOP over numOfKeys that we got before.
424	// From 0x01 to numOfKeys. We already got 0x00. (AMK)
425	for(int i=0x01; i<=0x0f; ++i){
426
427	}
428
429
430	}
431	}
432
433	int CmdHF14ADesEnumApplications(const char *Cmd){
434
435	uint8_t isOK = 0x00;
436	uint8_t aid[3];
437	uint32_t options = (INIT \| DISCONNECT);
75465377	438
	439	UsbCommand c = {CMD_MIFARE_DESFIRE, {options , 0x01 }};
	440	c.d.asBytes[0] = GET_APPLICATION_IDS; //0x6a
f6c18637	441
3d93d4f9	442	SendCommand(&c);
	443	UsbCommand resp;
	444
	445	if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
	446	return 0;
	447	}
f6c18637	448	isOK = resp.arg[0] & 0xff;
3d93d4f9	449	if ( !isOK ){
	450	PrintAndLog("Command unsuccessful");
	451	return 0;
	452	}
f6c18637	453	PrintAndLog("");
f6c18637	454	PrintAndLog("-- Desfire Enumerate Applications ---------------------------");
3d93d4f9	455	PrintAndLog("-------------------------------------------------------------");
3d93d4f9	456
75465377	457	UsbCommand respAid;
75465377	458	UsbCommand respFiles;
3d93d4f9	459
	460	uint8_t num = 0;
	461	int max = resp.arg[1] -3 -2;
	462
	463	for(int i=3; i<=max; i+=3){
75465377	464	PrintAndLog(" Aid %d : %02X %02X %02X ",num ,resp.d.asBytes[i],resp.d.asBytes[i+1],resp.d.asBytes[i+2]);
3d93d4f9	465	num++;
3d93d4f9	466
f6c18637	467	aid[0] = resp.d.asBytes[i];
	468	aid[1] = resp.d.asBytes[i+1];
	469	aid[2] = resp.d.asBytes[i+2];
	470	GetKeySettings(aid);
	471
	472	// Select Application
	473	c.arg[CMDPOS] = INIT;
	474	c.arg[LENPOS] = 0x04;
	475	c.d.asBytes[0] = SELECT_APPLICATION; // 0x5a
	476	c.d.asBytes[1] = resp.d.asBytes[i];
	477	c.d.asBytes[2] = resp.d.asBytes[i+1];
	478	c.d.asBytes[3] = resp.d.asBytes[i+2];
	479	SendCommand(&c);
75465377	480
	481	if (!WaitForResponseTimeout(CMD_ACK,&respAid,1500) ) {
	482	PrintAndLog(" Timed-out");
	483	continue;
	484	}
f6c18637	485	isOK = respAid.d.asBytes[2] & 0xff;
f6c18637	486	if ( isOK != 0x00 ){
75465377	487	PrintAndLog(" Can't select AID: %s",sprint_hex(resp.d.asBytes+i,3));
	488	continue;
	489	}
	490
f6c18637	491	// Get File IDs
	492	c.arg[CMDPOS] = NONE;
	493	c.arg[LENPOS] = 0x01;
	494	c.d.asBytes[0] = GET_FILE_IDS; // 0x6f
	495	SendCommand(&c);
75465377	496
	497	if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) {
	498	PrintAndLog(" Timed-out");
	499	continue;
	500	} else {
f6c18637	501	isOK = respFiles.d.asBytes[2] & 0xff;
75465377	502	if ( !isOK ){
f6c18637	503	PrintAndLog(" Can't get file ids ");
	504	} else {
	505	int respfileLen = resp.arg[1]-3-2;
	506	for (int j=0; j< respfileLen; ++j){
	507	PrintAndLog(" Fileid %d :", resp.d.asBytes[j+3]);
	508	}
75465377	509	}
f6c18637	510	}
	511
	512	// Get ISO File IDs
	513	c.arg[CMDPOS] = DISCONNECT;
	514	c.arg[LENPOS] = 0x01;
	515	c.d.asBytes[0] = GET_ISOFILE_IDS; // 0x61
	516	SendCommand(&c);
3d93d4f9	517
f6c18637	518	if ( !WaitForResponseTimeout(CMD_ACK,&respFiles,1500) ) {
	519	PrintAndLog(" Timed-out");
	520	continue;
	521	} else {
	522	isOK = respFiles.d.asBytes[2] & 0xff;
	523	if ( !isOK ){
	524	PrintAndLog(" Can't get ISO file ids ");
	525	} else {
	526	int respfileLen = resp.arg[1]-3-2;
	527	for (int j=0; j< respfileLen; ++j){
	528	PrintAndLog(" ISO Fileid %d :", resp.d.asBytes[j+3]);
	529	}
75465377	530	}
75465377	531	}
3d93d4f9	532
f6c18637	533
3d93d4f9	534	}
	535	PrintAndLog("-------------------------------------------------------------");
	536
	537
f38a1528	538	return 1;
	539	}
	540
f38a1528	541	// MIAFRE DesFire Authentication
f38a1528	542	//
f6c18637	543	#define BUFSIZE 256
f38a1528	544	int CmdHF14ADesAuth(const char *Cmd){
	545
	546	// NR DESC KEYLENGHT
	547	// ------------------------
	548	// 1 = DES 8
	549	// 2 = 3DES 16
	550	// 3 = 3K 3DES 24
	551	// 4 = AES 16
f6c18637	552
f38a1528	553	uint8_t keylength = 8;
f6c18637	554	unsigned char key[24];
f38a1528	555
	556	if (strlen(Cmd)<3) {
	557	PrintAndLog("Usage: hf mfdes auth <1\|2\|3> <1\|2\|3\|4> <keyno> <key> ");
f6c18637	558	PrintAndLog(" Auth modes");
	559	PrintAndLog(" 1 = normal, 2 = iso, 3 = aes");
	560	PrintAndLog(" Crypto");
	561	PrintAndLog(" 1 = DES 2 = 3DES 3 = 3K3DES 4 = AES");
	562	PrintAndLog("");
f38a1528	563	PrintAndLog(" sample: hf mfdes auth 1 1 0 11223344");
f6c18637	564	PrintAndLog(" sample: hf mfdes auth 3 4 0 404142434445464748494a4b4c4d4e4f");
f38a1528	565	return 0;
	566	}
	567	uint8_t cmdAuthMode = param_get8(Cmd,0);
	568	uint8_t cmdAuthAlgo = param_get8(Cmd,1);
	569	uint8_t cmdKeyNo = param_get8(Cmd,2);
	570
	571	switch (cmdAuthMode)
	572	{
	573	case 1:
	574	if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2) {
	575	PrintAndLog("Crypto algo not valid for the auth mode");
	576	return 1;
	577	}
	578	break;
	579	case 2:
	580	if ( cmdAuthAlgo != 1 && cmdAuthAlgo != 2 && cmdAuthAlgo != 3) {
	581	PrintAndLog("Crypto algo not valid for the auth mode");
	582	return 1;
	583	}
	584	break;
	585	case 3:
	586	if ( cmdAuthAlgo != 4) {
	587	PrintAndLog("Crypto algo not valid for the auth mode");
	588	return 1;
	589	}
	590	break;
	591	default:
	592	PrintAndLog("Wrong Auth mode");
	593	return 1;
	594	break;
	595	}
	596
	597	switch (cmdAuthAlgo){
	598	case 2:
	599	keylength = 16;
	600	PrintAndLog("3DES selected");
	601	break;
	602	case 3:
	603	keylength = 24;
	604	PrintAndLog("3 key 3DES selected");
	605	break;
	606	case 4:
	607	keylength = 16;
	608	PrintAndLog("AES selected");
	609	break;
	610	default:
	611	cmdAuthAlgo = 1;
	612	keylength = 8;
	613	PrintAndLog("DES selected");
	614	break;
	615	}
	616
	617	// key
	618	if (param_gethex(Cmd, 3, key, keylength*2)) {
	619	PrintAndLog("Key must include %d HEX symbols", keylength);
	620	return 1;
	621	}
	622