- uint8_t cmd1[] = {0x70, keyn[1], keyn[0], 0x00};\r
- int res = ExchangeRAW14a(cmd1, sizeof(cmd1), true, true, data, sizeof(data), &datalen);\r
- if (res) {\r
- PrintAndLog("ERROR exchande raw error: %d", res);\r
- DropField();\r
- return 2;\r
- }\r
- \r
- PrintAndLog("<phase1: %s", sprint_hex(data, datalen));\r
- \r
- if (datalen < 1) {\r
- PrintAndLog("ERROR: card response length: %d", datalen);\r
- DropField();\r
- return 3;\r
- }\r
- \r
- if (data[0] != 0x90) {\r
- PrintAndLog("ERROR: card response error: %02x", data[2]);\r
- DropField();\r
- return 3;\r
- }\r
-\r
- if (datalen != 19) { // code 1b + 16b + crc 2b\r
- PrintAndLog("ERROR: card response must be 19 bytes long instead of: %d", datalen);\r
- DropField();\r
- return 3;\r
- }\r
- \r
- aes_decode(NULL, key, &data[1], Rnd2, 16);\r
- Rnd2[16] = Rnd2[0];\r
- PrintAndLog("Rnd2: %s", sprint_hex(Rnd2, 16));\r
-\r
- uint8_t cmd2[33] = {0};\r
- cmd2[0] = 0x72;\r
-\r
- uint8_t raw[32] = {0};\r
- memmove(raw, Rnd1, 16);\r
- memmove(&raw[16], &Rnd2[1], 16);\r
-\r
- aes_encode(NULL, key, raw, &cmd2[1], 32);\r
- PrintAndLog(">phase2: %s", sprint_hex(cmd2, 33));\r
- \r
- res = ExchangeRAW14a(cmd2, sizeof(cmd2), false, false, data, sizeof(data), &datalen);\r
- if (res) {\r
- PrintAndLog("ERROR exchande raw error: %d", res);\r
- DropField();\r
- return 4;\r
- }\r
- \r
- PrintAndLog("<phase2: %s", sprint_hex(data, datalen));\r
-\r
- aes_decode(NULL, key, &data[1], raw, 32);\r
- PrintAndLog("res: %s", sprint_hex(raw, 32));\r
- \r
- PrintAndLog("Rnd1`: %s", sprint_hex(&raw[4], 16));\r
- if (memcmp(&raw[4], &Rnd1[1], 16)) {\r
- PrintAndLog("\nERROR: Authentication FAILED. rnd not equal");\r
- PrintAndLog("rnd1 reader: %s", sprint_hex(&Rnd1[1], 16));\r
- PrintAndLog("rnd1 card: %s", sprint_hex(&raw[4], 16));\r
- DropField();\r
- return 5;\r
- }\r
-\r
- DropField();\r
- PrintAndLog("\nAuthentication OK");\r
- \r
- return 0;\r