search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
recover_pk.py: replace secp192r1 by prime192v1
[RRG-proxmark3.git] / client / src / cmdhfgallagher.c
blobbe27c72fe9a9ee012b5e2f95f24704fe2e011b4c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // High frequency GALLAGHER tag commands.
17 // MIFARE DESFire, AIDs 2081F4-2F81F4
18 //-----------------------------------------------------------------------------
19
20 #include "cmdhfgallagher.h"
21 #include "generator.h"
22 #include "mifare.h"
23 #include "mifare/desfirecore.h"
24 #include "mifare/gallaghercore.h"
25 #include <stdio.h>
26 #include <string.h>
27 #include "common.h"
28 #include "commonutil.h"
29 #include "cmdparser.h"
30 #include "cliparser.h"
31 #include "ui.h"
32
33 static int CmdHelp(const char *cmd);
34
35 // Application ID for the Gallagher Card Application Directory
36 static const uint32_t CAD_AID = 0x2F81F4;
37
38 // Default MIFARE site key (16 bytes)
39 static const uint8_t DEFAULT_SITE_KEY[] = {
40 0x31, 0x12, 0xB7, 0x38, 0xD8, 0x86, 0x2C, 0xCD,
41 0x34, 0x30, 0x2E, 0xB2, 0x99, 0xAA, 0xB4, 0x56,
42 };
43
44 /**
45 * @brief Create Gallagher Application Master Key by diversifying
46 * the MIFARE Site Key with card UID, key number, and application ID.
47 *
48 * @param site_key MIFARE Site Key (16 bytes).
49 * @param uid Card unique ID (4 or 7 bytes).
50 * @param uid_len Length of UID.
51 * @param key_num Key number (0 <= key_num <= 2).
52 * @param aid Application ID (3 bytes, e.g. 0x2081F4).
53 * @param key_output Buffer to copy the diversified key into (must be 16 bytes).
54 * @return PM3_SUCCESS if successful, PM3_EINVARG if an argument is invalid.
55 */
56 int hfgal_diversify_key(uint8_t *site_key, uint8_t *uid, uint8_t uid_len,
57 uint8_t key_num, uint32_t aid, uint8_t *key_output) {
58 // Generate diversification input
59 uint8_t kdf_input_len = 11;
60 int res = mfdes_kdf_input_gallagher(uid, uid_len, key_num, aid, key_output, &kdf_input_len);
61 PM3_RET_IF_ERR_WITH_MSG(res, "Failed generating Gallagher key diversification input");
62
63 uint8_t key[sizeof(DEFAULT_SITE_KEY)];
64 if (site_key == NULL) {
65 PrintAndLogEx(INFO, "hfgal_diversify_key is using default site key");
66 memcpy(key, DEFAULT_SITE_KEY, sizeof(key));
67 } else {
68 memcpy(key, site_key, sizeof(key));
69 }
70
71 // Make temporary DesfireContext
72 DesfireContext_t dctx = {0};
73 DesfireSetKey(&dctx, 0, T_AES, key);
74
75 // Diversify input & copy to output buffer
76 MifareKdfAn10922(&dctx, DCOMasterKey, key_output, kdf_input_len);
77 memcpy(key_output, dctx.key, CRYPTO_AES128_KEY_SIZE);
78
79 return PM3_SUCCESS;
80 }
81
82 /**
83 * @brief Reverses the bytes in AID. Used when parsing CLI args
84 * (because Proxmark displays AIDs in reverse byte order).
85 */
86 // iceman todo: use commonutil.c fct
87 static void reverse_aid(uint8_t *aid) {
88 uint8_t tmp = aid[0];
89 aid[0] = aid[2];
90 aid[2] = tmp;
91 }
92
93 /**
94 * @brief Converts a Card Application Directory format application ID to an integer.
95 * Note: the CAD stores AIDs in reverse order, so this is different to DesfireAIDByteToUint().
96 */
97
98 // iceman todo: use commonutil.c fct
99 static uint32_t cad_aid_byte_to_uint(const uint8_t *data) {
100 return data[2] + (data[1] << 8) + (data[0] << 16);
101 }
102
103 /**
104 * @brief Converts an integer application ID to Card Application Directory format.
105 * Note: the CAD stores AIDs in reverse order, so this is different to DesfireAIDUintToByte().
106 */
107 // iceman todo: use commonutil.c fct
108 static void cad_aid_uint_to_byte(uint32_t aid, uint8_t *data) {
109 data[2] = aid & 0xff;
110 data[1] = (aid >> 8) & 0xff;
111 data[0] = (aid >> 16) & 0xff;
112 }
113
114 /**
115 * @brief Returns true if the Card Application Directory entry
116 * is for the specified region & facility, false otherwise.
117 */
118 static bool cad_facility_match(const uint8_t *entry, uint8_t region_code, uint16_t facility_code) {
119 return (entry[0] == region_code) &&
120 ((entry[1] << 8) + entry[2] == facility_code);
121 }
122
123 /**
124 * @brief Select application ID.
125 */
126 static int select_aid(DesfireContext_t *ctx, uint32_t aid, bool verbose) {
127 // TODO: do these both need to be set?
128 DesfireSetCommMode(ctx, DCMPlain);
129 DesfireSetCommandSet(ctx, DCCNativeISO);
130
131 int res = DesfireSelectEx(ctx, true, ISW6bAID, aid, NULL);
132 if (res != PM3_SUCCESS) {
133 PrintAndLogEx(ERR, "Desfire AID %06X select " _RED_("error"), aid);
134 return 202;
135 }
136
137 if (verbose) {
138 PrintAndLogEx(INFO, "Selected AID %06X", aid);
139 }
140
141 return PM3_SUCCESS;
142 }
143
144 /**
145 * @brief Authenticate to application. Uses existing authentication keys in context.
146 */
147 static int authenticate(DesfireContext_t *ctx, bool verbose) {
148 // TODO: do these both need to be set?
149 DesfireSetCommMode(ctx, DCMPlain);
150 DesfireSetCommandSet(ctx, DCCNativeISO);
151 DesfireClearSession(ctx);
152
153 int res = DesfireAuthenticate(ctx, DACEV1, false);
154 if (res != PM3_SUCCESS) {
155 PrintAndLogEx(ERR, "Desfire authenticate " _RED_("error") ". Result: [%d] %s",
156 res,
157 DesfireAuthErrorToStr(res)
158 );
159 return res;
160 }
161
162 if (DesfireIsAuthenticated(ctx)) {
163 if (verbose) {
164 PrintAndLogEx(INFO, "Authenticated to AID " _YELLOW_("%06X"), ctx->selectedAID);
165 }
166 } else {
167 return 201;
168 }
169
170 return PM3_SUCCESS;
171 }
172
173 /**
174 * @brief Select application ID & authenticate.
175 * Uses existing authentication keys in context.
176 */
177 static int select_aid_and_auth(DesfireContext_t *ctx, uint32_t aid, bool verbose) {
178 int res = select_aid(ctx, aid, verbose);
179 PM3_RET_IF_ERR(res);
180
181 res = authenticate(ctx, verbose);
182 PM3_RET_IF_ERR(res);
183
184 return PM3_SUCCESS;
185 }
186
187 /**
188 * @brief Select application ID & authenticate with specified AES key.
189 */
190 static int select_aid_and_auth_with_key(DesfireContext_t *ctx, uint32_t aid, uint8_t *key,
191 uint8_t key_num, bool should_diversify, bool verbose) {
192 int res = select_aid(ctx, aid, verbose);
193 PM3_RET_IF_ERR(res);
194
195 // Set key & diversification algorithm.
196 uint8_t kdf_algo = should_diversify ? MFDES_KDF_ALGO_GALLAGHER : MFDES_KDF_ALGO_NONE;
197 DesfireSetKeyNoClear(ctx, key_num, T_AES, key);
198 DesfireSetKdf(ctx, kdf_algo, NULL, 0);
199
200 res = authenticate(ctx, verbose);
201 PM3_RET_IF_ERR(res);
202
203 return PM3_SUCCESS;
204 }
205
206 /**
207 * @brief Returns true if the specified application exists, false otherwise.
208 */
209 static bool aid_exists(DesfireContext_t *ctx, uint32_t aid, bool verbose) {
210 // TODO: do these both need to be set?
211 DesfireSetCommMode(ctx, DCMPlain);
212 DesfireSetCommandSet(ctx, DCCNativeISO);
213
214 int res = DesfireSelectAIDHex(ctx, aid, false, 0);
215 if (res != PM3_SUCCESS && res != PM3_EAPDU_FAIL) {
216 PM3_RET_ERR(false, "Select failed with error %d, assuming AID %06X does not exist", res, aid);
217 }
218
219 if (verbose) {
220 PrintAndLogEx(INFO, "AID %06X %s",
221 aid,
222 res == PM3_SUCCESS ? "exists" : "does not exist"
223 );
224 }
225
226 return (res == PM3_SUCCESS);
227 }
228
229 /**
230 * @brief Returns the lowest available Gallagher application ID.
231 * @return The lowest available AID in the range 0x??81F4, where ?? >= 0x20.
232 */
233 static uint32_t find_available_gallagher_aid(DesfireContext_t *ctx, bool verbose) {
234 // Select PICC
235 int res = select_aid(ctx, 0x000000, verbose);
236 PM3_RET_IF_ERR(res);
237
238 // Retrieve the AID list
239 uint8_t aid_buf[DESFIRE_BUFFER_SIZE] = {0};
240 size_t aid_buf_len = 0;
241
242 res = DesfireGetAIDList(ctx, aid_buf, &aid_buf_len);
243 if (res != PM3_SUCCESS) {
244 PM3_RET_ERR(0, "Failed retrieving AID list");
245 }
246
247 if (verbose) {
248 // Print what we got
249 PrintAndLogEx(INFO, "Retrieved AID list:" NOLF);
250
251 for (int i = 0; i < aid_buf_len; i += 3) {
252 PrintAndLogEx(NORMAL, "%s %06X" NOLF,
253 (i == 0) ? "" : ",",
254 DesfireAIDByteToUint(&aid_buf[i])
255 );
256 }
257 PrintAndLogEx(NORMAL, "");
258 }
259
260 // Find lowest available in range F48120 -> F481FE, excluding the CAD
261 for (uint8_t aid_increment = 0x20; aid_increment < 0xFF; aid_increment++) {
262
263 uint32_t aid = 0x0081F4 | (aid_increment << 16);
264 if (aid == CAD_AID) {
265 continue;
266 }
267
268 // Check if AID exists in aid_buf
269 bool found = false;
270 for (size_t idx = 0; idx < aid_buf_len; idx += 3) {
271
272 if (DesfireAIDByteToUint(&aid_buf[idx]) == aid) {
273 found = true;
274 break;
275 }
276 }
277
278 if (found == false) {
279 return aid;
280 }
281 }
282
283 // Failed to find an available AID. This is very unlikely to occur as
284 // DESFire cards rarely have more than 1 application on them
285 PM3_RET_ERR(0, "Checked 200+ AIDs and all exist, abandoning search");
286 }
287
288 /**
289 * @brief Delete the CAD or an application that contains cardholder credentials.
290 *
291 * @param site_key MIFARE site key.
292 * @param aid Application ID to remove.
293 */
294 static int hfgal_delete_app(DesfireContext_t *ctx, uint8_t *site_key,
295 uint32_t aid, bool verbose) {
296 // Select application & authenticate
297 int res = select_aid_and_auth_with_key(ctx, aid, site_key, 0, true, verbose);
298 PM3_RET_IF_ERR(res);
299
300 // Delete application
301 DesfireSetCommMode(ctx, DCMMACed);
302 res = DesfireDeleteApplication(ctx, aid);
303 PM3_RET_IF_ERR_WITH_MSG(res, "Failed deleting AID %06X", aid);
304
305 PrintAndLogEx(INFO, "Successfully deleted AID " _YELLOW_("%06X"), aid);
306 return PM3_SUCCESS;
307 }
308
309 /**
310 * @brief Read credentials from a single AID.
311 *
312 * @param aid Application ID to read.
313 * @param site_key MIFARE site key.
314 * @param creds Decoded credentials will be stored in this structure.
315 */
316 static int hfgal_read_creds_app(DesfireContext_t *ctx, uint32_t aid, uint8_t *site_key,
317 GallagherCredentials_t *creds, bool verbose) {
318 // Check that card UID has been set
319 if (ctx->uidlen == 0) {
320 PM3_RET_ERR(PM3_EINVARG, "Card UID must be set in DesfireContext (required for key div)");
321 }
322
323 // Select application & authenticate
324 int res = select_aid_and_auth_with_key(ctx, aid, site_key, 0, true, verbose);
325 PM3_RET_IF_ERR_WITH_MSG(res, "Failed selecting/authenticating to AID %06X", aid);
326
327 // Read file 0 (contains credentials)
328 uint8_t buf[16] = {0};
329 size_t read_len = 0;
330 DesfireSetCommMode(ctx, DCMEncrypted);
331 res = DesfireReadFile(ctx, 0, 0, 16, buf, &read_len);
332 PM3_RET_IF_ERR_WITH_MSG(res, "Failed reading file 0 in AID %06X", aid);
333
334 // Check file contained 16 bytes of data
335 if (read_len != 16) {
336 PM3_RET_ERR(PM3_EFAILED, "Failed reading file 0 in AID %06X, expected 16 bytes, got %zu bytes",
337 aid,
338 read_len
339 );
340 }
341
342 // Check second half of file is the bitwise inverse of the first half
343 for (uint8_t i = 8; i < 16; i++) {
344 buf[i] ^= 0xFF;
345 }
346
347 if (memcmp(buf, &buf[8], 8) != 0) {
348 PM3_RET_ERR(PM3_EFAILED, "Invalid cardholder data in file 0 in AID %06X. Received %s",
349 aid,
350 sprint_hex_inrow(buf, 16)
351 );
352 }
353
354 gallagher_decode_creds(buf, creds);
355
356 // TODO: read MIFARE Enhanced Security file
357 // https://github.com/megabug/gallagher-research/blob/master/formats/mes.md
358
359 return PM3_SUCCESS;
360 }
361
362 /**
363 * @brief Create a new application to store Gallagher cardholder credentials.
364 *
365 * @param site_key MIFARE site key.
366 * @param aid New application ID. 3 bytes, e.g. 0x2081F4.
367 */
368 static int hfgal_create_creds_app(DesfireContext_t *ctx, uint8_t *site_key, uint32_t aid, bool verbose) {
369 // Select application & authenticate
370 int res = select_aid_and_auth(ctx, 0x000000, verbose);
371 PM3_RET_IF_ERR(res);
372
373 // UID is required for key diversification
374 if (ctx->uidlen == 0) {
375 PM3_RET_ERR(PM3_EINVARG, "UID is required for key diversification. "
376 "Please fetch it before calling `hfgal_create_creds_app`");
377 }
378
379 // Create application
380 DesfireCryptoAlgorithm app_algo = T_AES;
381 uint8_t num_keys = 3;
382 uint8_t ks1 = 0x0B;
383 uint8_t ks2 = (DesfireKeyAlgoToType(app_algo) << 6) | num_keys;
384
385 uint8_t data[5] = {0};
386 DesfireAIDUintToByte(aid, &data[0]);
387 data[3] = ks1;
388 data[4] = ks2;
389
390 DesfireSetCommMode(ctx, DCMMACed);
391 res = DesfireCreateApplication(ctx, data, ARRAYLEN(data));
392 PM3_RET_IF_ERR_WITH_MSG(res, "Failed creating application %06X. Does it already exist?", aid);
393
394 if (verbose) {
395 PrintAndLogEx(INFO, "Created application " _YELLOW_("%06X") " (empty contents & blank keys)", aid);
396 }
397
398 // Select the new application
399 res = select_aid(ctx, aid, verbose);
400 PM3_RET_IF_ERR_WITH_MSG(res, "Failed selecting application %06X", aid);
401
402 // Add key 2, then key 0 (we must authenticate with key 0 in order to make changes)
403 for (int i = 2; i >= 0; i -= 2) {
404 // Diversify key
405 uint8_t buf[CRYPTO_AES128_KEY_SIZE] = {0};
406 res = hfgal_diversify_key(site_key, ctx->uid, ctx->uidlen, i, aid, buf);
407 PM3_RET_IF_ERR_WITH_MSG(res, "Failed diversifying key %d for AID %06X", i, aid);
408
409 PrintAndLogEx(INFO, "Diversified key %d for AID %06X: " _GREEN_("%s"),
410 i,
411 aid,
412 sprint_hex_inrow(buf, ARRAYLEN(buf))
413 );
414
415 // Authenticate
416 uint8_t blank_key[CRYPTO_AES128_KEY_SIZE] = {0};
417 DesfireSetKeyNoClear(ctx, 0, T_AES, blank_key);
418 DesfireSetKdf(ctx, MFDES_KDF_ALGO_NONE, NULL, 0);
419 res = authenticate(ctx, verbose);
420 PM3_RET_IF_ERR_WITH_MSG(res, "Desfire authenticate error. Result: [%d] %s", res, DesfireAuthErrorToStr(res));
421
422 // Change key
423 DesfireSetCommMode(ctx, DCMEncryptedPlain);
424 res = DesfireChangeKey(ctx, false, i, app_algo, 1, buf, app_algo, blank_key, verbose);
425 PM3_RET_IF_ERR_WITH_MSG(res, "Failed setting key %d for AID %06X", i, aid);
426
427 if (verbose) {
428 PrintAndLogEx(INFO, "Successfully set key " _YELLOW_("%d") " for AID " _YELLOW_("%06X"), i, aid);
429 }
430 }
431
432 PrintAndLogEx(INFO, "Successfully created credentials application " _YELLOW_("%06X"), aid);
433 return PM3_SUCCESS;
434 }
435
436 /**
437 * @brief Create a new file containing Gallagher cardholder credentials.
438 *
439 * @param site_key MIFARE site key.
440 * @param aid Application ID to put the new file in.
441 * @param creds Gallagher cardholder credentials.
442 */
443 static int hfgal_create_creds_file(DesfireContext_t *ctx, uint8_t *site_key, uint32_t aid,
444 GallagherCredentials_t *creds, bool verbose) {
445 // Select application & authenticate
446 int res = select_aid_and_auth_with_key(ctx, aid, site_key, 0, true, verbose);
447 PM3_RET_IF_ERR(res);
448
449 // Prepare create file command
450 uint8_t file_type = 0; // standard data file
451 uint8_t file_id = 0x00;
452 uint8_t file_size = 16;
453 uint8_t file_access_mode = 0x03; // encrypted
454 uint32_t file_rights = 0x2000; // key 0 has God mode, key 2 can read
455
456 uint8_t data[7] = {0};
457 data[0] = file_id;
458 data[1] = file_access_mode;
459 data[2] = file_rights & 0xff;
460 data[3] = (file_rights >> 8) & 0xff;
461 Uint3byteToMemLe(&data[4], file_size);
462
463 // Create file
464 res = DesfireCreateFile(ctx, file_type, data, ARRAYLEN(data), false);
465 PM3_RET_IF_ERR_WITH_MSG(res, "Failed creating file 0 in AID %06X", aid);
466
467 if (verbose) {
468 PrintAndLogEx(INFO, "Created file 0 in AID " _YELLOW_("%06X") " (empty contents)", aid);
469 }
470
471 // Create file contents (2nd half is the bitwise inverse of the encoded creds)
472 uint8_t contents[16] = {0};
473 gallagher_encode_creds(contents, creds);
474 for (int i = 0; i < 8; i++) {
475 contents[i + 8] = contents[i] ^ 0xFF;
476 }
477
478 // Write file
479 DesfireSetCommMode(ctx, DCMEncrypted);
480 res = DesfireWriteFile(ctx, file_id, 0, ARRAYLEN(contents), contents);
481 PM3_RET_IF_ERR_WITH_MSG(res, "Failed writing data to file 0 in AID %06X", aid);
482
483 PrintAndLogEx(INFO, "Successfully wrote cardholder credentials to file " _YELLOW_("0") " in AID " _YELLOW_("%06X"), aid);
484 return PM3_SUCCESS;
485 }
486
487 /**
488 * @brief Read Gallagher Card Application Directory (CAD) from card.
489 *
490 * @param dest_buf Buffer to copy Card Application Directory into.
491 * @param dest_buf_len Size of dest_buf. Must be at least 108 bytes.
492 * @param num_entries Will be set to the number of entries in the CAD.
493 */
494 static int hfgal_read_cad(DesfireContext_t *ctx, uint8_t *dest_buf,
495 uint8_t dest_buf_len, uint8_t *num_entries_out, bool verbose) {
496 if (dest_buf_len < 3 * 36) {
497 PrintAndLogEx(ERR, "hfgal_read_cad destination buffer is incorrectly sized. Received len %d, must be at least %d",
498 dest_buf_len,
499 3 * 36
500 );
501 return PM3_EINVARG;
502 }
503
504 // Get card AIDs from Card Application Directory (which contains 1 to 3 files)
505 int res = select_aid(ctx, CAD_AID, verbose);
506 PM3_RET_IF_ERR_WITH_MSG(res, "Failed selecting Card Application Directory, does AID %06X exist?", CAD_AID);
507
508 // Read up to 3 files with 6x 6-byte entries each
509 for (uint8_t i = 0; i < 3; i++) {
510 size_t read_len;
511 res = DesfireReadFile(ctx, i, 0, 36, &dest_buf[i * 36], &read_len);
512 if (res != PM3_SUCCESS && res != PM3_EAPDU_FAIL) {
513 PM3_RET_ERR(res, "Failed reading file %d in Card Application Directory (AID %06X)", i, CAD_AID);
514 }
515
516 // end if the last entry is NULL
517 if (memcmp(&dest_buf[36 * i + 30], "\0\0\0\0\0\0", 6) == 0) {
518 break;
519 }
520 }
521
522 // Count number of entries (i.e. count until we hit a NULL entry)
523 uint8_t num_entries = 0;
524 for (uint8_t i = 0; i < dest_buf_len; i += 6) {
525 if (memcmp(&dest_buf[i], "\0\0\0\0\0\0", 6) == 0) {
526 break;
527 }
528 num_entries++;
529 }
530 *num_entries_out = num_entries;
531
532 if (num_entries == 0) {
533 PrintAndLogEx(WARNING, "Card Application Directory is empty");
534 } else if (verbose) {
535 // Print what we found
536 // iceman maybe on seperate lines for easier reading.
537 PrintAndLogEx(SUCCESS, "Card Application Directory contains:" NOLF);
538 for (int i = 0; i < num_entries; i++) {
539 PrintAndLogEx(NORMAL, "%s %06X" NOLF,
540 (i == 0) ? "" : ",",
541 cad_aid_byte_to_uint(&dest_buf[i * 6 + 3])
542 );
543 }
544 PrintAndLogEx(NORMAL, "");
545 }
546
547 return PM3_SUCCESS;
548 }
549
550 /**
551 * @brief Create the Gallagher Card Application Directory.
552 *
553 * @param key MIFARE site key, or custom CAD key.
554 * @param should_diversify True if using a site_key, false if using a custom CAD key.
555 */
556 static int hfgal_create_cad(DesfireContext_t *ctx, uint8_t *key,
557 bool should_diversify, bool verbose) {
558 // Check that card UID has been set
559 if (ctx->uidlen == 0) {
560 PM3_RET_ERR(PM3_EINVARG, "Card UID must be set in DesfireContext (required for key div)");
561 }
562
563 // Select application & authenticate
564 int res = select_aid_and_auth(ctx, 0x000000, verbose);
565 PM3_RET_IF_ERR(res);
566
567 // Create application
568 DesfireCryptoAlgorithm app_algo = T_AES;
569 uint8_t num_keys = 1;
570 uint8_t ks1 = 0x0B;
571 uint8_t ks2 = (DesfireKeyAlgoToType(app_algo) << 6) | num_keys;;
572
573 uint8_t data[5] = {0};
574 DesfireAIDUintToByte(CAD_AID, &data[0]);
575 data[3] = ks1;
576 data[4] = ks2;
577
578 DesfireSetCommMode(ctx, DCMMACed);
579 res = DesfireCreateApplication(ctx, data, ARRAYLEN(data));
580 PM3_RET_IF_ERR_WITH_MSG(res, "Failed creating Card Application Directory (AID " _YELLOW_("%06X")"). Does it already exist?", CAD_AID);
581
582 if (verbose) {
583 PrintAndLogEx(INFO, "Created Card Application Directory (AID " _YELLOW_("%06X") ", empty contents & blank keys)",
584 CAD_AID
585 );
586 }
587
588 // Select application & authenticate
589 uint8_t blank_key[DESFIRE_MAX_KEY_SIZE] = {0};
590 res = select_aid_and_auth_with_key(ctx, CAD_AID, blank_key, 0, false, verbose);
591 PM3_RET_IF_ERR(res);
592
593 uint8_t buf[CRYPTO_AES128_KEY_SIZE] = {0};
594 if (should_diversify) {
595 // Diversify key
596 res = hfgal_diversify_key(key, ctx->uid, ctx->uidlen, 0, CAD_AID, buf);
597 PM3_RET_IF_ERR_WITH_MSG(res, "Failed diversifying key 0 for AID %06X", CAD_AID);
598
599 PrintAndLogEx(INFO, "Diversified key " _YELLOW_("0") " for CAD (AID " _YELLOW_("%06X") "): " _GREEN_("%s"),
600 CAD_AID,
601 sprint_hex_inrow(buf, ARRAYLEN(buf))
602 );
603 key = buf;
604 } else if (verbose) {
605 PrintAndLogEx(INFO, "Using provided key " _YELLOW_("0") " for CAD (AID " _YELLOW_("%06X") "): " _GREEN_("%s"),
606 CAD_AID,
607 sprint_hex_inrow(key, CRYPTO_AES128_KEY_SIZE)
608 );
609 }
610
611 // Change key
612 DesfireSetCommMode(ctx, DCMEncryptedPlain);
613 res = DesfireChangeKey(ctx, false, 0, app_algo, 1, buf, app_algo, blank_key, verbose);
614 PM3_RET_IF_ERR_WITH_MSG(res, "Failed setting key 0 for CAD");
615
616 if (verbose) {
617 PrintAndLogEx(INFO, "Successfully set key " _YELLOW_("0") " for CAD");
618 }
619
620 PrintAndLogEx(INFO, "Successfully created Card Application Directory (AID " _YELLOW_("%06X") ")", CAD_AID);
621 return PM3_SUCCESS;
622 }
623
624 /**
625 * @brief Update the Gallagher Card Application Directory with a new entry.
626 *
627 * @param key MIFARE site key, or custom CAD key.
628 * @param should_diversify True if using a site_key, false if using a custom CAD key.
629 * @param aid Application ID to add to the CAD.
630 * @param creds Gallagher cardholder credentials (region_code & facility_code are required).
631 */
632 static int hfgal_add_aid_to_cad(DesfireContext_t *ctx, uint8_t *key, bool should_diversify,
633 uint32_t aid, GallagherCredentials_t *creds, bool verbose) {
634 // Check if CAD exists
635 uint8_t cad[36 * 3] = {0};
636 uint8_t num_entries = 0;
637 if (aid_exists(ctx, CAD_AID, false)) {
638 if (verbose) {
639 PrintAndLogEx(INFO, "Card Application Directory exists, reading entries...");
640 }
641
642 int res = hfgal_read_cad(ctx, cad, ARRAYLEN(cad), &num_entries, verbose);
643 PM3_RET_IF_ERR(res);
644
645 // Check that there is space for the new entry
646 if (num_entries >= 18) {
647 PM3_RET_ERR(PM3_EFATAL, "Card application directory is full");
648 }
649
650 } else {
651 // CAD doesn't exist, we need to create it
652 if (verbose) {
653 PrintAndLogEx(INFO, "Card Application Directory does not exist, creating it now...");
654 }
655
656 int res = hfgal_create_cad(ctx, key, should_diversify, verbose);
657 PM3_RET_IF_ERR(res);
658 }
659
660 // 6 entries per file
661 uint8_t file_id = num_entries / 6;
662 uint8_t entry_num = num_entries % 6;
663
664 // Check if facility already exists in CAD.
665 for (uint8_t i = 0; i < ARRAYLEN(cad); i += 6) {
666 if (cad_facility_match(&cad[i], creds->region_code, creds->facility_code)) {
667 PM3_RET_ERR(PM3_EFATAL, "Facility already exists in CAD, delete or update AID %06X",
668 cad_aid_byte_to_uint(&cad[i + 3])
669 );
670 }
671 }
672
673 // Create entry
674 uint8_t *entry = &cad[num_entries * 6];
675 entry[0] = creds->region_code;
676 entry[1] = (creds->facility_code >> 8) & 0xFF;
677 entry[2] = creds->facility_code & 0xFF;
678 cad_aid_uint_to_byte(aid, &entry[3]);
679
680 if (verbose) {
681 PrintAndLogEx(INFO, "Adding entry to CAD (position " _YELLOW_("%d") " in file " _YELLOW_("%d") "): %s",
682 entry_num,
683 file_id,
684 sprint_hex_inrow(entry, 6)
685 );
686 }
687
688 // Select application & authenticate
689 int res = select_aid_and_auth_with_key(ctx, CAD_AID, key, 0, should_diversify, verbose);
690 PM3_RET_IF_ERR(res);
691
692 // Create file if necessary
693 if (entry_num == 0) {
694 if (verbose) {
695 PrintAndLogEx(INFO, "Creating new file in CAD");
696 }
697
698 // Prepare create file command
699 uint8_t file_type = 0; // standard data file
700 uint8_t file_size = 36;
701 uint8_t file_access_mode = 0x00; // plain
702 uint32_t file_rights = 0xE000; // key 0 has God mode, everyone can read
703
704 uint8_t data[7] = {0};
705 data[0] = file_id;
706 data[1] = file_access_mode;
707 data[2] = file_rights & 0xff;
708 data[3] = (file_rights >> 8) & 0xff;
709 Uint3byteToMemLe(&data[4], file_size);
710
711 // Create file
712 res = DesfireCreateFile(ctx, file_type, data, ARRAYLEN(data), false);
713 PM3_RET_IF_ERR_WITH_MSG(res, "Failed creating file %d in CAD (AID %06X)", file_id, CAD_AID);
714
715 if (verbose) {
716 PrintAndLogEx(INFO, "Created file " _YELLOW_("%d") " in CAD (empty contents)", file_id);
717 }
718
719 // Write file
720 res = DesfireWriteFile(ctx, file_id, 0, 36, &cad[file_id * 36]);
721 } else {
722 // Write file
723 res = DesfireWriteFile(ctx, file_id, entry_num * 6, 6, entry);
724 }
725 PM3_RET_IF_ERR_WITH_MSG(res, "Failed writing data to file %d in CAD AID %06X)", file_id, CAD_AID);
726
727 PrintAndLogEx(INFO, "Successfully added new entry for " _YELLOW_("%06X") " to the Card Application Directory", aid);
728 return PM3_SUCCESS;
729 }
730
731 /**
732 * @brief Remove an entry from the Gallagher Card Application Directory.
733 *
734 * @param key MIFARE site key, or custom CAD key.
735 * @param should_diversify True if using a site_key, false if using a custom CAD key.
736 * @param aid Application ID to remove from the CAD.
737 */
738 static int hfgal_remove_aid_from_cad(DesfireContext_t *ctx, uint8_t *key,
739 bool should_diversify, uint32_t aid, bool verbose) {
740 // Read CAD
741 uint8_t cad[36 * 3] = {0};
742 uint8_t num_entries = 0;
743 int res = hfgal_read_cad(ctx, cad, ARRAYLEN(cad), &num_entries, verbose);
744 PM3_RET_IF_ERR(res);
745
746 // Check if facility already exists in CAD
747 uint8_t entry_idx;
748 for (entry_idx = 0; entry_idx < num_entries; entry_idx++) {
749 if (aid > 0 && aid == cad_aid_byte_to_uint(&cad[entry_idx * 6 + 3])) {
750 break;
751 }
752 }
753 if (entry_idx >= num_entries) {
754 PM3_RET_ERR(PM3_EINVARG, "Specified facility or AID does not exist in the Card Application Directory");
755 }
756
757 // Remove entry (shift all entries left, then clear the last entry)
758 memmove(
759 &cad[entry_idx * 6],
760 &cad[(entry_idx + 1) * 6],
761 ARRAYLEN(cad) - (entry_idx + 1) * 6
762 );
763 memset(&cad[ARRAYLEN(cad) - 6], 0, 6);
764
765 // Select application & authenticate
766 res = select_aid_and_auth_with_key(ctx, CAD_AID, key, 0, should_diversify, verbose);
767 PM3_RET_IF_ERR(res);
768
769 // Determine what files we need to update
770 uint8_t file_id_start = entry_idx / 6;
771 uint8_t file_id_stop = (num_entries - 1) / 6;
772 bool delete_last_file = (num_entries - 1) % 6 == 0;
773
774 for (uint8_t file_id = file_id_start; file_id <= file_id_stop - delete_last_file; file_id++) {
775 // Write file
776 res = DesfireWriteFile(ctx, file_id, 0, 36, &cad[file_id * 36]);
777 PM3_RET_IF_ERR_WITH_MSG(res, "Failed writing data to file %d in CAD (AID %06X)", file_id, CAD_AID);
778
779 if (verbose) {
780 PrintAndLogEx(INFO, "Updated file " _YELLOW_("%d") " in CAD", file_id);
781 }
782 }
783
784 // Delete empty file if necessary
785 if (delete_last_file) {
786 uint8_t file_id = file_id_stop;
787
788 DesfireSetCommMode(ctx, DCMMACed);
789 res = DesfireDeleteFile(ctx, file_id);
790 PM3_RET_IF_ERR_WITH_MSG(res, "Failed deleting file %d from CAD (AID %06X)", file_id, CAD_AID);
791
792 if (verbose) {
793 PrintAndLogEx(INFO, "Deleted unnecessary file " _YELLOW_("%d") " from CAD (AID " _YELLOW_("%06X")")",
794 file_id,
795 CAD_AID
796 );
797 }
798 }
799
800 PrintAndLogEx(INFO, "Successfully removed " _YELLOW_("%06X") " from the Card Application Directory", aid);
801 return PM3_SUCCESS;
802 }
803
804 /**
805 * @brief Read credentials from a Gallagher card.
806 *
807 * @param aid Application ID to read. If 0, then the Card Application Directory
808 * will be queried and all entries will be read.
809 * @param site_key MIFARE site key.
810 * @param quiet Suppress error messages. Used when in continuous reader mode.
811 */
812 // iceman, verbose and quiet... one should be enough.
813 static int hfgal_read_card(uint32_t aid, uint8_t *site_key, bool verbose, bool quiet) {
814 DropField();
815 clearCommandBuffer();
816
817 // Set up context
818 DesfireContext_t dctx = {0};
819 DesfireClearContext(&dctx);
820
821 // Get card UID (for key diversification)
822 int res = DesfireGetCardUID(&dctx);
823 PM3_RET_IF_ERR_MAYBE_MSG(res, !quiet, "Failed retrieving card UID");
824
825 // Find AIDs to process (from CLI args or the Card Application Directory)
826 uint8_t cad[36 * 3] = {0};
827 uint8_t num_entries = 0;
828 if (aid != 0) {
829 cad_aid_uint_to_byte(aid, &cad[3]);
830 num_entries = 1;
831 } else {
832 res = hfgal_read_cad(&dctx, cad, ARRAYLEN(cad), &num_entries, verbose);
833 PM3_RET_IF_ERR_MAYBE_MSG(res, !quiet, "Failed reading Card Application Directory");
834 }
835
836 // Loop through each application in the CAD
837 for (uint16_t i = 0; i < num_entries * 6; i += 6) {
838 uint16_t region_code = cad[i + 0];
839 uint16_t facility_code = (cad[i + 1] << 8) + cad[i + 2];
840 uint32_t current_aid = cad_aid_byte_to_uint(&cad[i + 3]);
841
842 if (verbose) {
843 if (region_code > 0 || facility_code > 0 || current_aid > 0) {
844 PrintAndLogEx(INFO, "Reading AID: " _YELLOW_("%06X") ", region: " _YELLOW_("%c") " ( " _YELLOW_("%u") " ), facility: " _YELLOW_("%u"),
845 current_aid,
846 'A' + region_code,
847 region_code,
848 facility_code
849 );
850 } else {
851 PrintAndLogEx(INFO, "Reading AID: " _YELLOW_("%06X"), current_aid);
852 }
853 }
854
855 // Read & decode credentials
856 GallagherCredentials_t creds = {0};
857 res = hfgal_read_creds_app(&dctx, current_aid, site_key, &creds, verbose);
858 if (res == HFGAL_AUTH_FAIL) {
859 PrintAndLogEx(WARNING, "Invalid site key for AID %06X", current_aid);
860 continue;
861 }
862 PM3_RET_IF_ERR_MAYBE_MSG(res, !quiet, "Failed reading card application credentials");
863
864 PrintAndLogEx(SUCCESS, "Gallagher (AID %06X) - region: " _GREEN_("%c") " ( " _GREEN_("%u") " )"
865 ", facility: " _GREEN_("%u")
866 ", card number: " _GREEN_("%u")
867 ", issue level: " _GREEN_("%u"),
868 current_aid,
869 'A' + creds.region_code,
870 creds.region_code,
871 creds.facility_code,
872 creds.card_number,
873 creds.issue_level
874 );
875 }
876 return PM3_SUCCESS;
877 }
878
879 static int CmdGallagherReader(const char *cmd) {
880 CLIParserContext *ctx;
881 CLIParserInit(&ctx, "hf gallagher reader",
882 "Read a Gallagher DESFire tag from the Card Application Directory, CAD\n"
883 "Specify site key is required if using non-default key\n",
884 "hf gallagher reader -@ -> continuous reader mode\n"
885 "hf gallagher reader --aid 2081f4 --sitekey 00112233445566778899aabbccddeeff -> skip CAD\n"
886 );
887
888 void *argtable[] = {
889 arg_param_begin,
890 arg_str0(NULL, "aid", "<hex>", "Application ID to read (3 bytes). If specified, the CAD is not used"),
891 arg_str0(NULL, "sitekey", "<hex>", "Site key to compute diversified keys (16 bytes)"),
892 arg_lit0("@", "continuous", "Continuous reader mode"),
893 arg_lit0(NULL, "apdu", "Show APDU requests and responses"),
894 arg_lit0("v", "verbose", "Verbose output"),
895 arg_param_end
896 };
897 CLIExecWithReturn(ctx, cmd, argtable, true);
898
899 int aid_len = 0;
900 uint8_t aid_buf[3] = {0};
901 CLIGetHexWithReturn(ctx, 1, aid_buf, &aid_len);
902 if (aid_len > 0 && aid_len != 3) {
903 PM3_RET_ERR_FREE(PM3_EINVARG, "--aid must be 3 bytes");
904 }
905
906 reverse_aid(aid_buf); // PM3 displays AIDs backwards
907 uint32_t aid = DesfireAIDByteToUint(aid_buf);
908
909 int site_key_len = 0;
910 uint8_t site_key[16] = {0};
911 memcpy(site_key, DEFAULT_SITE_KEY, ARRAYLEN(site_key));
912 CLIGetHexWithReturn(ctx, 2, site_key, &site_key_len);
913 if (site_key_len > 0 && site_key_len != 16) {
914 PM3_RET_ERR_FREE(PM3_EINVARG, "--sitekey must be 16 bytes");
915 }
916
917 bool continuous_mode = arg_get_lit(ctx, 3);
918 SetAPDULogging(arg_get_lit(ctx, 4));
919 bool verbose = arg_get_lit(ctx, 5);
920 CLIParserFree(ctx);
921
922 if (continuous_mode == false) {
923 // Read single card
924 return hfgal_read_card(aid, site_key, verbose, false);
925 }
926
927 // Loop until <Enter> is pressed
928 PrintAndLogEx(INFO, "Press " _GREEN_("<Enter>") " to exit");
929 while (kbd_enter_pressed() == false) {
930 hfgal_read_card(aid, site_key, verbose, !verbose);
931 }
932 return PM3_SUCCESS;
933 }
934
935 static int CmdGallagherClone(const char *cmd) {
936 CLIParserContext *ctx;
937 CLIParserInit(&ctx, "hf gallagher clone",
938 "Clone Gallagher credentials to a writable DESFire card\n"
939 "Specify site key is required if using non-default key\n"
940 "Key, lengths for the different crypto: \n"
941 " DES 8 bytes\n"
942 " 2TDEA or AES 16 bytes\n"
943 " 3TDEA 24 bytes\n"
944 "AID, default finds lowest available in range 0x??81F4, where ?? >= 0x20.",
945 "hf gallagher clone --rc 1 --fc 22 --cn 3333 --il 4 --sitekey 00112233445566778899aabbccddeeff"
946 );
947
948 void *argtable[] = {
949 arg_param_begin,
950 arg_int0("n", "keynum", "<dec>", "PICC key number [default = 0]"),
951 arg_str0("t", "algo", "<DES|2TDEA|3TDEA|AES>", "PICC crypt algo: DES, 2TDEA, 3TDEA, AES"),
952 arg_str0("k", "key", "<hex>", "Key for authentication to the PICC to create applications"),
953 arg_u64_1(NULL, "rc", "<dec>", "Region code. 4 bits max"),
954 arg_u64_1(NULL, "fc", "<dec>", "Facility code. 2 bytes max"),
955 arg_u64_1(NULL, "cn", "<dec>", "Card number. 3 bytes max"),
956 arg_u64_1(NULL, "il", "<dec>", "Issue level. 4 bits max"),
957 arg_str0(NULL, "aid", "<hex>", "Application ID to write (3 bytes) [default automatically chooses]"),
958 arg_str0(NULL, "sitekey", "<hex>", "Site key to compute diversified keys (16 bytes)"),
959 arg_str0(NULL, "cadkey", "<hex>", "Custom AES key 0 to modify the Card Application Directory (16 bytes)"),
960 arg_lit0(NULL, "nocadupdate", "Don't modify the Card Application Directory (only creates the app)"),
961 arg_lit0(NULL, "noappcreate", "Don't create the application (only modifies the CAD)"),
962 arg_lit0(NULL, "apdu", "Show APDU requests and responses"),
963 arg_lit0("v", "verbose", "Verbose output"),
964 arg_param_end
965 };
966 CLIExecWithReturn(ctx, cmd, argtable, false);
967 uint8_t arg = 1;
968
969 int picc_key_num = arg_get_int_def(ctx, arg++, 0);
970
971 int picc_key_algo = T_DES;
972 if (CLIGetOptionList(arg_get_str(ctx, arg++), DesfireAlgoOpts, &picc_key_algo)) {
973 CLIParserFree(ctx);
974 return PM3_EINVARG;
975 }
976
977 int picc_key_len = 0;
978 uint8_t picc_key[DESFIRE_MAX_KEY_SIZE] = {0};
979 CLIGetHexWithReturn(ctx, arg++, picc_key, &picc_key_len);
980 if (picc_key_len && picc_key_len != desfire_get_key_length(picc_key_algo)) {
981 PM3_RET_ERR_FREE(PM3_EINVARG, "%s key must have %d bytes length instead of %d",
982 CLIGetOptionListStr(DesfireAlgoOpts, picc_key_algo),
983 desfire_get_key_length(picc_key_algo),
984 picc_key_len
985 );
986 }
987 if (picc_key_len == 0) {
988 // Default to a key of all zeros
989 picc_key_len = desfire_get_key_length(picc_key_algo);
990 }
991
992 uint64_t region_code = arg_get_u64(ctx, arg++); // uint4, input will be validated later
993 uint64_t facility_code = arg_get_u64(ctx, arg++); // uint16
994 uint64_t card_number = arg_get_u64(ctx, arg++); // uint24
995 uint64_t issue_level = arg_get_u64(ctx, arg++); // uint4
996
997 int aid_len = 0;
998 uint8_t aid_buf[3] = {0};
999 CLIGetHexWithReturn(ctx, arg++, aid_buf, &aid_len);
1000 if (aid_len > 0 && aid_len != 3) {
1001 PM3_RET_ERR_FREE(PM3_EINVARG, "--aid must be 3 bytes");
1002 }
1003 reverse_aid(aid_buf); // PM3 displays AIDs backwards
1004 uint32_t aid = DesfireAIDByteToUint(aid_buf);
1005
1006 int site_key_len = 0;
1007 uint8_t site_key[16] = {0};
1008 memcpy(site_key, DEFAULT_SITE_KEY, ARRAYLEN(site_key));
1009 CLIGetHexWithReturn(ctx, arg++, site_key, &site_key_len);
1010 if (site_key_len > 0 && site_key_len != 16) {
1011 PM3_RET_ERR_FREE(PM3_EINVARG, "--sitekey must be 16 bytes");
1012 }
1013
1014 int cad_key_len = 0;
1015 uint8_t cad_key[16] = {0};
1016 CLIGetHexWithReturn(ctx, arg++, cad_key, &cad_key_len);
1017 if (cad_key_len > 0 && cad_key_len != 16) {
1018 PM3_RET_ERR_FREE(PM3_EINVARG, "--cadkey must be 16 bytes");
1019 }
1020
1021 bool no_cad_update = arg_get_lit(ctx, arg++);
1022 bool no_app_create = arg_get_lit(ctx, arg++);
1023
1024 SetAPDULogging(arg_get_lit(ctx, arg++));
1025 bool verbose = arg_get_lit(ctx, arg++);
1026 CLIParserFree(ctx);
1027
1028 if (gallagher_is_valid_creds(region_code, facility_code, card_number, issue_level) == false) {
1029 return PM3_EINVARG;
1030 }
1031
1032 GallagherCredentials_t creds = {
1033 .region_code = region_code,
1034 .facility_code = facility_code,
1035 .card_number = card_number,
1036 .issue_level = issue_level,
1037 };
1038
1039 // Set up context
1040 DropField();
1041 DesfireContext_t dctx = {0};
1042 DesfireClearContext(&dctx);
1043
1044 // Get card UID (for key diversification)
1045 int res = DesfireGetCardUID(&dctx);
1046 PM3_RET_IF_ERR_WITH_MSG(res, "Failed retrieving card UID");
1047
1048 if (aid_len == 0) {
1049 // Find available Gallagher AID if the user did not specify one
1050 aid = find_available_gallagher_aid(&dctx, verbose);
1051 if (aid == 0) {
1052 PM3_RET_ERR(PM3_EFATAL, "Could not find an available AID, please specify with --aid");
1053 }
1054 if (verbose) {
1055 PrintAndLogEx(INFO, "Using available AID: %06X", aid);
1056 }
1057 } else if (no_app_create == false && aid_exists(&dctx, aid, verbose)) {
1058 // AID was specified but is not available
1059 PM3_RET_ERR(PM3_EINVARG, "AID already exists: %06X", aid);
1060 }
1061
1062 // Update Card Application Directory
1063 if (no_cad_update == false) {
1064 // Set keys so that hfgal_add_aid_to_cad can auth to 0x000000
1065 // if it needs to create the CAD application.
1066 DesfireSetKeyNoClear(&dctx, picc_key_num, picc_key_algo, picc_key);
1067 DesfireSetKdf(&dctx, MFDES_KDF_ALGO_NONE, NULL, 0);
1068
1069 bool should_diversify = cad_key_len == 0;
1070 uint8_t *key = should_diversify ? site_key : cad_key;
1071 res = hfgal_add_aid_to_cad(&dctx, key, should_diversify, aid, &creds, verbose);
1072 PM3_RET_IF_ERR_WITH_MSG(res, "Failed updating Gallagher Card Application Directory");
1073 }
1074
1075 // Create application
1076 if (no_app_create == false) {
1077 // Set keys so that hfgal_create_creds_app can auth to 0x000000
1078 // when it creates the application.
1079 DesfireSetKeyNoClear(&dctx, picc_key_num, picc_key_algo, picc_key);
1080 DesfireSetKdf(&dctx, MFDES_KDF_ALGO_NONE, NULL, 0);
1081
1082 res = hfgal_create_creds_app(&dctx, site_key, aid, verbose);
1083 PM3_RET_IF_ERR_WITH_MSG(res, "Failed creating Gallagher application");
1084
1085 // Create credential files
1086 // Don't need to set keys here, they're generated automatically
1087 res = hfgal_create_creds_file(&dctx, site_key, aid, &creds, verbose);
1088 PM3_RET_IF_ERR_WITH_MSG(res, "Failed creating Gallagher credential file");
1089 }
1090
1091 PrintAndLogEx(SUCCESS, "Done!");
1092 PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`hf gallagher reader`") " to verify");
1093 return PM3_SUCCESS;
1094 }
1095
1096 static int CmdGallagherDelete(const char *cmd) {
1097 CLIParserContext *ctx;
1098 CLIParserInit(&ctx, "hf gallagher delete",
1099 "Delete Gallagher application from a DESFire card\n"
1100 "Specify site key is required if using non-default key",
1101 "hf gallagher delete --aid 2081f4 --sitekey 00112233445566778899aabbccddeeff"
1102 );
1103
1104 void *argtable[] = {
1105 arg_param_begin,
1106 arg_str1(NULL, "aid", "<hex>", "Application ID to delete (3 bytes)"),
1107 arg_str0(NULL, "sitekey", "<hex>", "Site key to compute diversified keys (16 bytes)"),
1108 arg_str0(NULL, "cadkey", "<hex>", "Custom AES key 0 to modify the Card Application Directory (16 bytes)"),
1109 arg_lit0(NULL, "nocadupdate", "Don't modify the Card Application Directory (only deletes the app)"),
1110 arg_lit0(NULL, "noappdelete", "Don't delete the application (only modifies the CAD)"),
1111 arg_lit0(NULL, "apdu", "Show APDU requests and responses"),
1112 arg_lit0("v", "verbose", "Verbose output"),
1113 arg_param_end
1114 };
1115 CLIExecWithReturn(ctx, cmd, argtable, false);
1116 uint8_t arg = 1;
1117
1118 int aid_len = 0;
1119 uint8_t aid_buf[3] = {0};
1120 CLIGetHexWithReturn(ctx, arg++, aid_buf, &aid_len);
1121 if (aid_len != 3) {
1122 PM3_RET_ERR_FREE(PM3_EINVARG, "--aid must be 3 bytes");
1123 }
1124 reverse_aid(aid_buf); // PM3 displays AIDs backwards
1125 uint32_t aid = DesfireAIDByteToUint(aid_buf);
1126
1127 int site_key_len = 0;
1128 uint8_t site_key[16] = {0};
1129 memcpy(site_key, DEFAULT_SITE_KEY, ARRAYLEN(site_key));
1130 CLIGetHexWithReturn(ctx, arg++, site_key, &site_key_len);
1131 if (site_key_len > 0 && site_key_len != 16) {
1132 PM3_RET_ERR_FREE(PM3_EINVARG, "--sitekey must be 16 bytes");
1133 }
1134
1135 int cad_key_len = 0;
1136 uint8_t cad_key[16] = {0};
1137 CLIGetHexWithReturn(ctx, arg++, cad_key, &cad_key_len);
1138 if (cad_key_len > 0 && cad_key_len != 16) {
1139 PM3_RET_ERR_FREE(PM3_EINVARG, "--cadkey must be 16 bytes");
1140 }
1141
1142 bool no_cad_update = arg_get_lit(ctx, arg++);
1143 bool no_app_delete = arg_get_lit(ctx, arg++);
1144
1145 SetAPDULogging(arg_get_lit(ctx, arg++));
1146 bool verbose = arg_get_lit(ctx, arg++);
1147 CLIParserFree(ctx);
1148
1149 // Set up context
1150 DropField();
1151 DesfireContext_t dctx = {0};
1152 DesfireClearContext(&dctx);
1153
1154 // Get card UID (for key diversification)
1155 int res = DesfireGetCardUID(&dctx);
1156 PM3_RET_IF_ERR_WITH_MSG(res, "Failed retrieving card UID");
1157
1158 // Update Card Application Directory
1159 if (no_cad_update == false) {
1160 bool should_diversify = cad_key_len == 0;
1161 uint8_t *key = should_diversify ? site_key : cad_key;
1162 res = hfgal_remove_aid_from_cad(&dctx, key, should_diversify, aid, verbose);
1163 PM3_RET_IF_ERR_WITH_MSG(res, "Failed removing %06X from the Card Application Directory", aid);
1164 }
1165
1166 // Delete application
1167 if (no_app_delete == false) {
1168 res = hfgal_delete_app(&dctx, site_key, aid, verbose);
1169 PM3_RET_IF_ERR_WITH_MSG(res, "Failed deleting Gallagher application");
1170 }
1171
1172 PrintAndLogEx(SUCCESS, "Done!");
1173 PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`hf gallagher reader`") " to verify");
1174 return PM3_SUCCESS;
1175 }
1176
1177 static int CmdGallagherDiversify(const char *cmd) {
1178 CLIParserContext *ctx;
1179 CLIParserInit(&ctx, "hf gallagher diversify",
1180 "Diversify Gallagher key\n"
1181 "Specify site key is required if using non-default key",
1182 "hf gallagher diversify --uid 11223344556677 --aid 2081f4"
1183 );
1184
1185 void *argtable[] = {
1186 arg_param_begin,
1187 arg_str1(NULL, "aid", "<hex>", "Application ID for diversification (3 bytes)"),
1188 arg_int0(NULL, "keynum", "<dec>", "Key number [default = 0]"),
1189 arg_str0(NULL, "uid", "<hex>", "Card UID to delete (4 or 7 bytes)"),
1190 arg_str0(NULL, "sitekey", "<hex>", "Site key to compute diversified keys (16 bytes)"),
1191 arg_lit0(NULL, "apdu", "Show APDU requests and responses"),
1192 arg_param_end
1193 };
1194 CLIExecWithReturn(ctx, cmd, argtable, false);
1195
1196 int aid_len = 0;
1197 uint8_t aid_buf[3] = {0};
1198 CLIGetHexWithReturn(ctx, 1, aid_buf, &aid_len);
1199 if (aid_len != 3) {
1200 PM3_RET_ERR_FREE(PM3_EINVARG, "--aid must be 3 bytes");
1201 }
1202 reverse_aid(aid_buf); // PM3 displays AIDs backwards
1203 uint32_t aid = DesfireAIDByteToUint(aid_buf);
1204
1205 int key_num = arg_get_int_def(ctx, 2, 0);
1206
1207 int uid_len = 0;
1208 uint8_t uid[7] = {0};
1209 CLIGetHexWithReturn(ctx, 3, uid, &uid_len);
1210 if (uid_len > 0 && uid_len != 4 && uid_len != 7) {
1211 PM3_RET_ERR_FREE(PM3_EINVARG, "--uid must be 4 or 7 bytes");
1212 }
1213
1214 int site_key_len = 0;
1215 uint8_t site_key[16] = {0};
1216 memcpy(site_key, DEFAULT_SITE_KEY, ARRAYLEN(site_key));
1217 CLIGetHexWithReturn(ctx, 4, site_key, &site_key_len);
1218 if (site_key_len > 0 && site_key_len != 16) {
1219 PM3_RET_ERR_FREE(PM3_EINVARG, "--sitekey must be 16 bytes");
1220 }
1221
1222 SetAPDULogging(arg_get_lit(ctx, 5));
1223 CLIParserFree(ctx);
1224
1225 if (uid_len == 0) {
1226 // Set up context
1227 DropField();
1228 DesfireContext_t dctx = {0};
1229 DesfireClearContext(&dctx);
1230
1231 // Get card UID (for key diversification)
1232 int res = DesfireGetCardUID(&dctx);
1233 PM3_RET_IF_ERR_WITH_MSG(res, "Failed retrieving card UID");
1234
1235 uid_len = dctx.uidlen;
1236 memcpy(uid, dctx.uid, uid_len);
1237 }
1238
1239 // Diversify key
1240 uint8_t key[CRYPTO_AES128_KEY_SIZE] = {0};
1241 int res = hfgal_diversify_key(site_key, uid, uid_len, key_num, aid, key);
1242 PM3_RET_IF_ERR_WITH_MSG(res, "Failed diversifying key");
1243
1244 char *key_str = sprint_hex_inrow(key, ARRAYLEN(key));
1245 PrintAndLogEx(SUCCESS, "Successfully diversified key: " _GREEN_("%s"), key_str);
1246
1247 if (IfPm3Iso14443()) {
1248 PrintAndLogEx(HINT, "Hint: try " _YELLOW_("`hf mfdes auth --aid %06X --keyno %d --algo AES --key %s`") " to verify",
1249 aid,
1250 key_num,
1251 key_str
1252 );
1253 }
1254 return PM3_SUCCESS;
1255 }
1256
1257 static int CmdGallagherDecode(const char *cmd) {
1258 CLIParserContext *ctx;
1259 CLIParserInit(&ctx, "hf gallagher decode",
1260 "Decode Gallagher credential block\n"
1261 "Credential block can be specified with or without the bitwise inverse.",
1262 "hf gallagher decode --data A3B4B0C151B0A31B"
1263 );
1264
1265 void *argtable[] = {
1266 arg_param_begin,
1267 arg_str1(NULL, "data", "<hex>", "Credential block (8 or 16 bytes)"),
1268 arg_param_end
1269 };
1270 CLIExecWithReturn(ctx, cmd, argtable, false);
1271
1272 int data_len = 0;
1273 uint8_t data_buf[16] = {0};
1274 CLIGetHexWithReturn(ctx, 1, data_buf, &data_len);
1275 if (data_len != 8 && data_len != 16) {
1276 PM3_RET_ERR_FREE(PM3_EINVARG, "--data must be 8 or 16 bytes");
1277 }
1278 CLIParserFree(ctx);
1279
1280 if (data_len == 16) {
1281 // Check second half of file is the bitwise inverse of the first half
1282 for (uint8_t i = 8; i < 16; i++) {
1283 data_buf[i] ^= 0xFF;
1284 }
1285
1286 if (memcmp(data_buf, &data_buf[8], 8) != 0) {
1287 PM3_RET_ERR(PM3_EFAILED, "Invalid cardholder data, last 8 bytes should be bitwise inverse of first 16 bytes. Received %s",
1288 sprint_hex_inrow(data_buf, 16)
1289 );
1290 }
1291 } else {
1292 for (uint8_t i = 0; i < 8; i++) {
1293 data_buf[i + 8] = data_buf[i] ^ 0xFF;
1294 }
1295 PrintAndLogEx(INFO, "Full credential block with bitwise inverse: " _YELLOW_("%s"), sprint_hex_inrow(data_buf, 16));
1296 }
1297
1298 GallagherCredentials_t creds = {0};
1299 gallagher_decode_creds(data_buf, &creds);
1300
1301 PrintAndLogEx(SUCCESS, "Gallagher - region: " _GREEN_("%c") " ( " _GREEN_("%u") " )"
1302 ", facility: " _GREEN_("%u")
1303 ", card number: " _GREEN_("%u")
1304 ", issue level: " _GREEN_("%u"),
1305 'A' + creds.region_code,
1306 creds.region_code,
1307 creds.facility_code,
1308 creds.card_number,
1309 creds.issue_level
1310 );
1311
1312 return PM3_SUCCESS;
1313 }
1314 static int CmdGallagherEncode(const char *cmd) {
1315 CLIParserContext *ctx;
1316 CLIParserInit(&ctx, "hf gallagher encode",
1317 "Encode a Gallagher credential block\n"
1318 "Credential block can be specified with or without the bitwise inverse.",
1319 "hf gallagher encode --rc 1 --fc 22153 --cn 1253518 --il 1"
1320 );
1321
1322 void *argtable[] = {
1323 arg_param_begin,
1324 arg_u64_1("r", "rc", "<dec>", "Region code. 4 bits max"),
1325 arg_u64_1("f", "fc", "<dec>", "Facility code. 2 bytes max"),
1326 arg_u64_1("c", "cn", "<dec>", "Card number. 3 bytes max"),
1327 arg_u64_1("i", "il", "<dec>", "Issue level. 4 bits max"),
1328 arg_param_end
1329 };
1330 CLIExecWithReturn(ctx, cmd, argtable, false);
1331
1332 uint64_t region_code = arg_get_u64(ctx, 1); // uint4, input will be validated later
1333 uint64_t facility_code = arg_get_u64(ctx, 2); // uint16
1334 uint64_t card_number = arg_get_u64(ctx, 3); // uint24
1335 uint64_t issue_level = arg_get_u64(ctx, 4); // uint4
1336
1337 CLIParserFree(ctx);
1338
1339 GallagherCredentials_t creds = {
1340 .region_code = region_code,
1341 .facility_code = facility_code,
1342 .card_number = card_number,
1343 .issue_level = issue_level,
1344 };
1345
1346
1347 uint8_t contents[16] = {0};
1348
1349 gallagher_encode_creds(contents, &creds);
1350 for (int i = 0; i < 8; i++) {
1351 contents[i + 8] = contents[i] ^ 0xFF;
1352 }
1353
1354 PrintAndLogEx(SUCCESS, "Raw: " _YELLOW_("%s"), sprint_hex_inrow(contents, ARRAYLEN(contents) / 2));
1355 PrintAndLogEx(SUCCESS, "Bitwise: " _YELLOW_("%s"), sprint_hex_inrow(contents, ARRAYLEN(contents)));
1356
1357 return PM3_SUCCESS;
1358 }
1359
1360
1361 static command_t CommandTable[] = {
1362 {"help", CmdHelp, AlwaysAvailable, "This help"},
1363 {"reader", CmdGallagherReader, IfPm3Iso14443, "Read & decode all Gallagher credentials on a DESFire card"},
1364 {"clone", CmdGallagherClone, IfPm3Iso14443, "Add Gallagher credentials to a DESFire card"},
1365 {"delete", CmdGallagherDelete, IfPm3Iso14443, "Delete Gallagher credentials from a DESFire card"},
1366 {"diversifykey", CmdGallagherDiversify, AlwaysAvailable, "Diversify Gallagher key"},
1367 {"decode", CmdGallagherDecode, AlwaysAvailable, "Decode Gallagher credential block"},
1368 {"encode", CmdGallagherEncode, AlwaysAvailable, "Encode Gallagher credential block"},
1369 {NULL, NULL, NULL, NULL}
1370 };
1371
1372 static int CmdHelp(const char *cmd) {
1373 (void) cmd; // cmd is not used so far
1374 CmdsHelp(CommandTable);
1375 return PM3_SUCCESS;
1376 }
1377
1378 int CmdHFGallagher(const char *cmd) {
1379 clearCommandBuffer();
1380 return CmdsParse(CommandTable, cmd);
1381 }
Proxmark3 - the RFID research Swiss army knife. Iceman firmware