X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/a07a448220f85c4e27a9b50f412d376474ea4f69..46e14b0f960dcd84fc41df32c74fb3fd89c0ac5c:/armsrc/mifaredesfire.c diff --git a/armsrc/mifaredesfire.c b/armsrc/mifaredesfire.c index 66fe00bd..b7c1bc5b 100644 --- a/armsrc/mifaredesfire.c +++ b/armsrc/mifaredesfire.c @@ -218,15 +218,24 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain // des, nyckel 0, switch (mode){ case 1:{ + if (algo == 1) { + uint8_t keybytes[8]; + uint8_t RndA[8] = {0x00}; + uint8_t RndB[8] = {0x00}; + if (datain[1] == 0xff){ memcpy(keybytes,null_key_data8,8); } else{ memcpy(keybytes, datain+1, datalen); } + struct desfire_key defaultkey = {0}; + desfirekey_t key = &defaultkey; + Desfire_des_key_new(keybytes, key); + cmd[0] = AUTHENTICATE; - cmd[1] = 0x00; //keynumber + cmd[1] = keyno; //keynumber len = DesfireAPDU(cmd, 2, resp); if ( !len ) { if (MF_DBGLEVEL >= 1) { @@ -236,15 +245,25 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain return; } + if ( resp[2] == 0xaf ){ + } else { + DbpString("Authetication failed. Invalid key number."); + OnError(); + return; + } + memcpy( encRndB, resp+3, 8); - des_dec(&decRndB, &encRndB, &keybytes); + des_dec(&decRndB, &encRndB, key->data); + memcpy(RndB, decRndB, 8); rol(decRndB,8); + // This should be random uint8_t decRndA[8] = {0x00}; + memcpy(RndA, decRndA, 8); uint8_t encRndA[8] = {0x00}; - des_dec(&encRndA, &decRndA, &keybytes); + des_dec(&encRndA, &decRndA, key->data); memcpy(both, encRndA, 8); @@ -253,7 +272,7 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } - des_dec(&encRndB, &decRndB, &keybytes); + des_dec(&encRndB, &decRndB, key->data); memcpy(both + 8, encRndB, 8); @@ -270,15 +289,76 @@ void MifareDES_Auth1(uint8_t mode, uint8_t algo, uint8_t keyno, uint8_t *datain } if ( resp[2] == 0x00 ){ - // TODO: Create session key. + + struct desfire_key sessionKey = {0}; + desfirekey_t skey = &sessionKey; + Desfire_session_key_new( RndA, RndB , key, skey ); + //print_result("SESSION : ", skey->data, 8); + + memcpy(encRndA, resp+3, 8); + des_dec(&encRndA, &encRndA, key->data); + rol(decRndA,8); + for (int x = 0; x < 8; x++) { + if (decRndA[x] != encRndA[x]) { + DbpString("Authetication failed. Cannot varify PICC."); + OnError(); + return; + } + } + + //Change the selected key to a new value. + /* + + cmd[0] = 0xc4; + cmd[1] = keyno; + + uint8_t newKey[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77}; + + uint8_t first, second; + uint8_t buff1[8] = {0x00}; + uint8_t buff2[8] = {0x00}; + uint8_t buff3[8] = {0x00}; + + memcpy(buff1,newKey, 8); + memcpy(buff2,newKey + 8, 8); + + ComputeCrc14443(CRC_14443_A, newKey, 16, &first, &second); + memcpy(buff3, &first, 1); + memcpy(buff3 + 1, &second, 1); + + des_dec(&buff1, &buff1, skey->data); + memcpy(cmd+2,buff1,8); + + for (int x = 0; x < 8; x++) { + buff2[x] = buff2[x] ^ buff1[x]; + } + des_dec(&buff2, &buff2, skey->data); + memcpy(cmd+10,buff2,8); + + for (int x = 0; x < 8; x++) { + buff3[x] = buff3[x] ^ buff2[x]; + } + des_dec(&buff3, &buff3, skey->data); + memcpy(cmd+18,buff3,8); + + // The command always times out on the first attempt, this will retry until a response + // is recieved. + len = 0; + while(!len) { + len = DesfireAPDU(cmd,26,resp); + } + */ + + OnSuccess(); + cmd_send(CMD_ACK,1,0,0,skey->data,8); + } else { DbpString("Authetication failed."); OnError(); return; } - // TOD: Optionally, confirm ek0RndA' = RndA' to varify PICC - + } } break; case 2: