1 //-----------------------------------------------------------------------------
2 // Copyright (C) Proxmark3 contributors. See AUTHORS.md for details.
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // See LICENSE.txt for the text of the license.
15 //-----------------------------------------------------------------------------
16 // MIFARE Application Directory (MAD) functions
17 //-----------------------------------------------------------------------------
19 #include "mad.h"
20 #include "ui.h"
21 #include "commonutil.h" // ARRAYLEN
22 #include "pm3_cmd.h"
23 #include "crc.h"
24 #include "util.h"
25 #include "fileutils.h"
26 #include "jansson.h"
27 #include "mifaredefault.h"
// Reference for the MAD layout decoded in this file:
// https://www.nxp.com/docs/en/application-note/AN10787.pdf

// Parsed known-AID database. It is filled by open_mad_file() and released by
// close_mad_file() inside each *DecodeAndPrint call. close_mad_file() does not
// clear it, so between calls the pointer may refer to released memory.
static json_t *mad_known_aids = NULL;
// Labels for the 2-bit field type of a card holder info record.
// MADCardHolderInfoDecode() indexes this table with (byte >> 6), so it must
// keep exactly four entries.
static const char *holder_info_type[] = {
    [0] = "Surname",
    [1] = "Given name",
    [2] = "Sex",
    [3] = "Other"
};
// Labels for the administrative AID values 0..5. The listing loops index this
// table only after checking (aid < 6), so it must keep exactly six entries.
static const char *aid_admin[] = {
    [0] = "free",
    [1] = "defect",
    [2] = "reserved",
    [3] = "additional directory info",
    [4] = "card holder info",
    [5] = "not applicable"
};
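// Load the known-AID database (resource file "mad" + ".json") into *root.
//
// root     receives the parsed JSON array on success. It is set to NULL on
//          every failure path, so the caller never sees a stale pointer or a
//          document whose root is not an array.
// verbose  when true, print a summary line with the number of records.
//
// Returns PM3_SUCCESS, PM3_EINVARG when root is NULL, PM3_EFILE when the
// resource file cannot be located, PM3_ESOFT when it does not parse or its
// root is not an array. On success the caller owns the reference and releases
// it with close_mad_file().
static int open_mad_file(json_t **root, bool verbose) {
    if (root == NULL) {
        return PM3_EINVARG;
    }

    // Clear the out-parameter before anything can fail. The callers in this
    // file keep it in a file-scope variable and ignore the return code, so an
    // early return must not leave behind a pointer that an earlier
    // close_mad_file() has already released.
    *root = NULL;

    char *path;
    int res = searchFile(&path, RESOURCES_SUBDIR, "mad", ".json", true);
    if (res != PM3_SUCCESS) {
        return PM3_EFILE;
    }

    int retval = PM3_SUCCESS;
    json_error_t error;

    *root = json_load_file(path, 0, &error);
    if (!*root) {
        PrintAndLogEx(ERR, "json (%s) error on line %d: %s", path, error.line, error.text);
        retval = PM3_ESOFT;
        goto out;
    }

    if (!json_is_array(*root)) {
        PrintAndLogEx(ERR, "Invalid json (%s) format. root must be an array.", path);
        // The document is unusable: release it here rather than hand a
        // non-array object to code that expects an array.
        json_decref(*root);
        *root = NULL;
        retval = PM3_ESOFT;
        goto out;
    }

    if (verbose) {
        PrintAndLogEx(SUCCESS, "Loaded file " _YELLOW_("`%s`") " (%s) %zu records.", path, _GREEN_("ok"), json_array_size(*root));
    }
out:
    free(path);
    return retval;
}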
// Drop the reference obtained from open_mad_file(). Always returns
// PM3_SUCCESS. The pointer is passed by value, so the caller's copy is not
// cleared here and must not be used again after this call.
static int close_mad_file(json_t *root) {
    json_decref(root);

    return PM3_SUCCESS;
}
// Fetch the string member `name` of the JSON object `data`.
//
// Returns NULL when the member is absent, is not a string (a warning is
// printed in that case) or is the empty string. Otherwise returns the string
// held by the JSON value, so it stays valid only as long as `data` does.
// Callers must handle the NULL result.
static const char *mad_json_get_str(json_t *data, const char *name) {
    json_t *field = json_object_get(data, name);
    if (field == NULL) {
        return NULL;
    }

    if (json_is_string(field) == 0) {
        PrintAndLogEx(WARNING, _YELLOW_("`%s`") " is not a string", name);
        return NULL;
    }

    const char *text = json_string_value(field);

    // an empty value is reported the same way as a missing one
    return (text[0] == '\0') ? NULL : text;
}
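// Look up `aid` in the known-AID database and print its description.
//
// root     JSON array loaded by open_mad_file(); the loop runs over
//          json_array_size(root) entries.
// aid      16-bit AID to look up.
// fmt      printf-style format built by the caller. It is passed to
//          PrintAndLogEx() as the format string with one string argument, so
//          it must contain exactly one "%s" and no other conversions. It must
//          only ever be assembled from constants and numbers, never from card
//          or file content.
// verbose  when true, also print the individual fields of the record.
//
// Returns PM3_SUCCESS when a record was found, PM3_ENODATA when none matches,
// PM3_EMALLOC when the summary line cannot be allocated.
static int print_aid_description(json_t *root, uint16_t aid, char *fmt, bool verbose) {
    char lmad[7] = {0};
    snprintf(lmad, sizeof(lmad), "0x%04x", aid); // must be lowercase

    json_t *elm = NULL;

    for (uint32_t idx = 0; idx < json_array_size(root); idx++) {
        json_t *data = json_array_get(root, idx);
        if (!json_is_object(data)) {
            PrintAndLogEx(ERR, "data [%u] is not an object\n", (unsigned int)idx);
            continue;
        }

        // A record without a usable "mad" string yields NULL here; skip it
        // instead of passing NULL to strlen(). A value of any other length
        // than "0xNNNN" can never match, which also lets the lowercase copy
        // live in a fixed buffer rather than an array sized by file content.
        const char *fmad = mad_json_get_str(data, "mad");
        if (fmad == NULL || strlen(fmad) != sizeof(lmad) - 1) {
            continue;
        }

        char lfmad[sizeof(lmad)];
        memcpy(lfmad, fmad, sizeof(lfmad)); // includes the terminating NUL
        str_lower(lfmad);
        if (strcmp(lmad, lfmad) == 0) {
            elm = data;
            break;
        }
    }

    if (elm == NULL) {
        PrintAndLogEx(INFO, fmt, " (unknown)");
        return PM3_ENODATA;
    }

    const char *vmad = mad_json_get_str(elm, "mad");
    const char *application = mad_json_get_str(elm, "application");
    const char *company = mad_json_get_str(elm, "company");
    const char *provider = mad_json_get_str(elm, "service_provider");
    const char *integrator = mad_json_get_str(elm, "system_integrator");

    if (application && company) {
        // " %s [%s]" adds 4 characters plus the NUL to the two strings.
        // The lengths come from the JSON file, so the buffer is taken from
        // the heap instead of the stack.
        size_t result_len = 6 + strlen(application) + strlen(company);
        char *result = calloc(result_len, sizeof(char));
        if (result == NULL) {
            PrintAndLogEx(WARNING, "Failed to allocate memory");
            return PM3_EMALLOC;
        }
        snprintf(result, result_len, " %s [%s]", application, company);
        PrintAndLogEx(INFO, fmt, result);
        free(result);
    }

    if (verbose) {
        PrintAndLogEx(SUCCESS, " MAD: %s", vmad);
        if (application) {
            PrintAndLogEx(SUCCESS, " Application: %s", application);
        }
        if (company) {
            PrintAndLogEx(SUCCESS, " Company: %s", company);
        }
        if (provider) {
            PrintAndLogEx(SUCCESS, " Service provider: %s", provider);
        }
        if (integrator) {
            PrintAndLogEx(SUCCESS, " System integrator: %s", integrator);
        }
    }

    return PM3_SUCCESS;
}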
// Verify the CRC8 stored in a MAD sector.
//
// MADver == 1: the CRC byte is sector[16] and covers the 15 + 16 bytes after it.
// otherwise:   the CRC byte is sector[0] and covers the 15 + 16 + 16 bytes after it.
//
// The function reads up to offset 47 of `sector`, so the caller must supply
// at least 48 bytes. `verbose` is not used. Returns PM3_SUCCESS on a match,
// otherwise prints a warning and returns PM3_ESOFT.
static int madCRCCheck(uint8_t *sector, bool verbose, int MADver) {
    const bool is_mad1 = (MADver == 1);
    const int crc_pos = is_mad1 ? 16 : 0;
    const int covered = is_mad1 ? (15 + 16) : (15 + 16 + 16);

    uint8_t crc = CRC8Mad(&sector[crc_pos + 1], covered);
    if (crc == sector[crc_pos]) {
        return PM3_SUCCESS;
    }

    PrintAndLogEx(WARNING, _RED_("Wrong MAD %d CRC") " calculated: 0x%02x != 0x%02x", MADver, crc, sector[crc_pos]);
    return PM3_ESOFT;
}
// Read the 16-bit AID entry for `sectorNo` from a MAD sector.
//
// MADver == 1: entries start at byte 16 + 2 of `sector`; otherwise at byte 2.
// Entry n (counted from 1) occupies two bytes, low byte first. With `swapmad`
// set, the two bytes are returned in the opposite order.
//
// No range check is done on `sectorNo`: the callers in this file pass 1..15
// for MAD1 and 1..23 for MAD2, which keeps the highest index read at 47.
static uint16_t madGetAID(const uint8_t *sector, bool swapmad, int MADver, int sectorNo) {
    const int first_entry = (MADver == 1) ? (16 + 2) : 2;
    const int pos = first_entry + (sectorNo - 1) * 2;

    const uint8_t low = sector[pos];
    const uint8_t high = sector[pos + 1];

    if (swapmad) {
        // byte-swapped form of (high << 8) + low
        return (uint16_t)((low << 8) | high);
    }
    return (uint16_t)((high << 8) | low);
}
// Validate the MAD header found in sector 0 (and, for MAD v2, in sector 16).
//
// sector0   sector 0 data; byte (3 * 16) + 9 is read as the GPB, so at least
//           58 bytes must be present. NULL yields PM3_EINVARG.
// sector10  sector 16 data, or NULL to skip the MAD v2 CRC check.
// verbose   print GPB, version, CRC and single/multi application details.
// haveMAD2  optional out-parameter; set to true when the GPB version is 2.
//           It reflects the version bits only, also when sector10 is NULL.
//
// Returns PM3_ESOFT when the DA bit is clear or the version is neither 1 nor
// 2. Otherwise returns the MAD1 CRC result, or the MAD2 CRC result when the
// MAD1 CRC passed and MAD2 was checked.
int MADCheck(uint8_t *sector0, uint8_t *sector10, bool verbose, bool *haveMAD2) {

    if (sector0 == NULL) {
        return PM3_EINVARG;
    }

    const uint8_t gpb = sector0[(3 * 16) + 9];
    if (verbose) {
        PrintAndLogEx(SUCCESS, "GPB....... " _GREEN_("0x%02X"), gpb);
    }

    // DA (MAD available)
    const bool mad_available = (gpb & 0x80) != 0;
    if (mad_available == false) {
        PrintAndLogEx(ERR, "DA = 0! MAD not available");
        return PM3_ESOFT;
    }

    const uint8_t version = gpb & 0x03;
    if (verbose) {
        PrintAndLogEx(SUCCESS, "Version... " _GREEN_("%d"), version);
    }

    // MAD version
    if (!(version == 0x01 || version == 0x02)) {
        PrintAndLogEx(ERR, "Wrong MAD version " _RED_("0x%02X"), version);
        return PM3_ESOFT;
    }

    if (haveMAD2 != NULL) {
        *haveMAD2 = (version == 2);
    }

    // the CRC helper is always called in verbose mode
    int status = madCRCCheck(sector0, true, 1);
    if (verbose && status == PM3_SUCCESS) {
        PrintAndLogEx(SUCCESS, "CRC8...... 0x%02X ( %s )", sector0[16], _GREEN_("ok"));
    }

    if (version == 2 && sector10 != NULL) {
        int status2 = madCRCCheck(sector10, true, 2);

        // a MAD1 failure takes precedence over the MAD2 result
        if (status == PM3_SUCCESS) {
            status = status2;
        }

        if (verbose && status2 == 0) {
            PrintAndLogEx(SUCCESS, "CRC8...... 0x%02X ( %s )", sector10[0], _GREEN_("ok"));
        }
    }

    // MA (multi-application card)
    if (verbose) {
        if ((gpb & 0x40) != 0) {
            PrintAndLogEx(SUCCESS, "Multi application card");
        } else {
            PrintAndLogEx(SUCCESS, "Single application card");
        }
    }

    return status;
}
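// Decode the AID list of a MAD into `mad`.
//
// sector0   sector 0 data (validated by MADCheck).
// sector10  sector 16 data, or NULL when it is not available.
// mad       output array. Up to 15 + 1 + 23 = 39 entries are written, so the
//           caller must provide room for 39 uint16_t values; the capacity is
//           not passed in and cannot be checked here.
// madlen    receives the number of entries written.
// swapmad   passed through to madGetAID() to byte-swap each entry.
//
// Returns PM3_EINVARG when `mad` or `madlen` is NULL, the MADCheck() error
// when the header is not valid, otherwise PM3_SUCCESS.
int MADDecode(uint8_t *sector0, uint8_t *sector10, uint16_t *mad, size_t *madlen, bool swapmad) {
    if (mad == NULL || madlen == NULL) {
        return PM3_EINVARG;
    }

    *madlen = 0;
    bool haveMAD2 = false;
    int res = MADCheck(sector0, sector10, false, &haveMAD2);
    if (res != PM3_SUCCESS) {
        PrintAndLogEx(WARNING, "Not a valid MAD");
        return res;
    }

    for (int i = 1; i < 16; i++) {
        mad[*madlen] = madGetAID(sector0, swapmad, 1, i);
        (*madlen)++;
    }

    // MADCheck() sets haveMAD2 from the version bits of the card data alone,
    // also when sector10 is NULL. The MAD2 part is therefore decoded only
    // when the sector was actually supplied.
    if (haveMAD2 && sector10 == NULL) {
        PrintAndLogEx(WARNING, "MAD v2 indicated but sector 16 not supplied, decoding MAD v1 only");
        return PM3_SUCCESS;
    }

    if (haveMAD2) {
        // mad2 sector (0x10 == 16dec) here
        mad[*madlen] = 0x0005;
        (*madlen)++;

        for (int i = 1; i < 24; i++) {
            mad[*madlen] = madGetAID(sector10, swapmad, 2, i);
            (*madlen)++;
        }
    }
    return PM3_SUCCESS;
}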
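// Print the card holder info records found in `data`.
//
// Each record starts with one byte: the low 6 bits give the length of the
// text that follows, the top 2 bits select the label from holder_info_type.
// A length of 0 ends the list.
//
// data     record bytes read from the card.
// datalen  number of valid bytes in `data`.
// verbose  not used.
//
// Returns PM3_EINVARG when `data` is NULL while `datalen` is non-zero,
// otherwise PM3_SUCCESS.
int MADCardHolderInfoDecode(uint8_t *data, size_t datalen, bool verbose) {
    if (data == NULL && datalen > 0) {
        return PM3_EINVARG;
    }

    size_t idx = 0;
    while (idx < datalen) {
        uint8_t len = data[idx] & 0x3f;
        uint8_t type = data[idx] >> 6;
        idx++;
        if (len == 0) {
            break;
        }

        // The length byte comes from the card. Clamp it to what is left in
        // the buffer so the print below cannot read past data[datalen - 1].
        size_t remaining = datalen - idx;
        if (len > remaining) {
            PrintAndLogEx(WARNING, "Card holder info field length %u exceeds remaining data (%zu), truncating", len, remaining);
            len = (uint8_t)remaining;
            if (len == 0) {
                break;
            }
        }

        // NOTE(review): the field bytes are printed as-is with "%.*s"; whether
        // PrintAndLogEx filters non-printable bytes is not visible here.
        PrintAndLogEx(INFO, "%14s " _GREEN_("%.*s"), holder_info_type[type], len, &data[idx]);
        idx += len;
    }
    return PM3_SUCCESS;
}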
// Extract and validate the MAD info byte.
//
// mad_ver == 1: the low 6 bits of sector[16 + 1]; values >= 0xF are rejected.
// otherwise:    the low 6 bits of sector[1]; 0x10 and values >= 0x28 are
//               rejected.
//
// Returns the info value, or PM3_ESOFT after printing a warning when the
// value is rejected. `swapmad` is not used.
static int MADInfoByteDecode(const uint8_t *sector, bool swapmad, int mad_ver, bool verbose) {
    if (mad_ver != 1) {
        const uint8_t info_v2 = sector[1] & 0x3f;
        if (info_v2 == 0x10 || info_v2 >= 0x28) {
            PrintAndLogEx(WARNING, "Invalid Info byte (MAD2) value " _YELLOW_("0x%02x"), info_v2);
            return PM3_ESOFT;
        }
        return info_v2;
    }

    const uint8_t info_v1 = sector[16 + 1] & 0x3f;
    if (info_v1 < 0xF) {
        return info_v1;
    }

    PrintAndLogEx(WARNING, "Invalid Info byte (MAD1) value " _YELLOW_("0x%02x"), info_v1);
    if (verbose) {
        // I understand the spec in a way that MAD1 InfoByte should not point into MAD2 sectors, @lukaskuzmiak
        PrintAndLogEx(WARNING, "MAD1 Info byte points outside of MAD1 sector space (0x%02x), report a bug?", info_v1);
    }
    return PM3_ESOFT;
}
// Print the banner that precedes the MAD report: an empty line, the title
// line and a separator line.
void MADPrintHeader(void) {
    PrintAndLogEx(NORMAL, "");

    // title
    PrintAndLogEx(INFO, "--- " _CYAN_("MIFARE App Directory Information") " ----------------");

    // separator
    PrintAndLogEx(INFO, "-----------------------------------------------------");
}
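// Print the MAD v1 header details and the AID listing for sectors 1..15.
//
// sector    sector 0 data; offsets up to (3 * 16) + 9 are read.
// swapmad   byte-swap each AID entry.
// verbose   print extra details (also forwarded to the AID lookup).
// haveMAD2  optional out-parameter filled by MADCheck().
//
// Returns PM3_EINVARG when `sector` is NULL, otherwise PM3_SUCCESS. The result
// of MADCheck() is not evaluated, so the listing is printed even when the
// check reports a problem.
int MAD1DecodeAndPrint(uint8_t *sector, bool swapmad, bool verbose, bool *haveMAD2) {
    if (sector == NULL) {
        return PM3_EINVARG;
    }

    // The previous call released the database but the file-scope pointer
    // still held the old address. Clear it before loading, so that a failed
    // load cannot leave a released object to be read and released again.
    mad_known_aids = NULL;
    open_mad_file(&mad_known_aids, verbose);

    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(INFO, "------------ " _CYAN_("MAD v1 details") " -------------");

    // check MAD1 only
    MADCheck(sector, NULL, verbose, haveMAD2);

    int ibs = MADInfoByteDecode(sector, swapmad, 1, verbose);

    if (ibs > 0) {
        PrintAndLogEx(SUCCESS, "Card publisher sector " _MAGENTA_("0x%02X"), ibs);
    } else {
        PrintAndLogEx(WARNING, "Card publisher " _RED_("not") " present " _YELLOW_("0x%02x"), ibs);
    }

    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(INFO, "---------------- " _CYAN_("Listing") " ----------------");

    PrintAndLogEx(INFO, " 00 MAD v1");
    uint32_t prev_aid = 0xFFFFFFFF;
    for (int i = 1; i < 16; i++) {
        uint16_t aid = madGetAID(sector, swapmad, 1, i);
        if (aid < 6) {
            // administrative code: the bound matches the size of aid_admin
            PrintAndLogEx(INFO,
                          (ibs == i) ? _MAGENTA_(" %02d [%04X] %s") : " %02d [" _GREEN_("%04X") "] %s",
                          i,
                          aid,
                          aid_admin[aid]
                         );
        } else if (prev_aid == aid) {
            PrintAndLogEx(INFO,
                          (ibs == i) ? _MAGENTA_(" %02d [%04X] continuation") : " %02d [" _YELLOW_("%04X") "] continuation",
                          i,
                          aid
                         );
        } else {
            // Build the format for print_aid_description(): only numbers and
            // constants go in, and the trailing "%s" is kept as a placeholder.
            char fmt[60];
            snprintf(fmt, sizeof(fmt), (ibs == i) ? _MAGENTA_(" %02d [%04X]%s") : " %02d [" _GREEN_("%04X") "]%s", i, aid, "%s");
            print_aid_description(mad_known_aids, aid, fmt, verbose);
            prev_aid = aid;
        }
    }

    close_mad_file(mad_known_aids);
    mad_known_aids = NULL; // the object is released; do not keep its address
    return PM3_SUCCESS;
}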
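// Print the MAD v2 details and the AID listing for the 23 entries of
// sector 16 (shown as sectors 17..39).
//
// sector   sector 16 data; offsets up to 47 are read.
// swapmad  byte-swap each AID entry.
// verbose  print the CRC result and extra lookup details.
//
// Returns PM3_EINVARG when `sector` is NULL, otherwise PM3_SUCCESS. A CRC
// mismatch is reported but does not stop the listing.
int MAD2DecodeAndPrint(uint8_t *sector, bool swapmad, bool verbose) {
    if (sector == NULL) {
        return PM3_EINVARG;
    }

    // The previous call released the database but the file-scope pointer
    // still held the old address. Clear it before loading, so that a failed
    // load cannot leave a released object to be read and released again.
    mad_known_aids = NULL;
    open_mad_file(&mad_known_aids, false);

    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(INFO, "------------ " _CYAN_("MAD v2 details") " -------------");

    int res = madCRCCheck(sector, true, 2);
    if (verbose) {
        if (res == PM3_SUCCESS) {
            PrintAndLogEx(SUCCESS, "CRC8...... 0x%02X ( " _GREEN_("%s") " )", sector[0], "ok");
        } else {
            PrintAndLogEx(SUCCESS, "CRC8...... 0x%02X ( " _RED_("%s") " )", sector[0], "fail");
        }
    }

    int ibs = MADInfoByteDecode(sector, swapmad, 2, verbose);
    if (ibs > 0) {
        PrintAndLogEx(SUCCESS, "Card publisher sector " _MAGENTA_("0x%02X"), ibs);
    } else {
        PrintAndLogEx(WARNING, "Card publisher " _RED_("not") " present " _YELLOW_("0x%02x"), ibs);
    }

    PrintAndLogEx(NORMAL, "");
    PrintAndLogEx(INFO, "---------------- " _CYAN_("Listing") " ----------------");

    PrintAndLogEx(INFO, " 16 MAD v2");

    uint32_t prev_aid = 0xFFFFFFFF;
    for (int i = 1; i < 8 + 8 + 7 + 1; i++) {
        uint16_t aid = madGetAID(sector, swapmad, 2, i);
        if (aid < 6) {
            // administrative code: the bound matches the size of aid_admin
            PrintAndLogEx(INFO,
                          (ibs == i) ? _MAGENTA_(" %02d [%04X] %s") : " %02d [" _GREEN_("%04X") "] %s",
                          i + 16,
                          aid,
                          aid_admin[aid]
                         );
        } else if (prev_aid == aid) {
            PrintAndLogEx(INFO,
                          (ibs == i) ? _MAGENTA_(" %02d [%04X] continuation") : " %02d [" _YELLOW_("%04X") "] continuation",
                          i + 16,
                          aid
                         );
        } else {
            // Build the format for print_aid_description(): only numbers and
            // constants go in, and the trailing "%s" is kept as a placeholder.
            char fmt[60];
            snprintf(fmt, sizeof(fmt), (ibs == i) ? _MAGENTA_(" %02d [%04X]%s") : " %02d [" _GREEN_("%04X") "]%s", i + 16, aid, "%s");
            print_aid_description(mad_known_aids, aid, fmt, verbose);
            prev_aid = aid;
        }
    }

    close_mad_file(mad_known_aids);
    mad_known_aids = NULL; // the object is released; do not keep its address

    return PM3_SUCCESS;
}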
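// Print the description of a single MAD AID.
//
// short_aid  AID to look up. print_aid_description() takes a uint16_t, so
//            only the low 16 bits take part in the lookup.
// verbose    forwarded to the lookup to print the record fields.
//
// Always returns PM3_SUCCESS; the lookup result is not propagated.
int MADDFDecodeAndPrint(uint32_t short_aid, bool verbose) {
    // The previous call released the database but the file-scope pointer
    // still held the old address. Clear it before loading, so that a failed
    // load cannot leave a released object to be read and released again.
    mad_known_aids = NULL;
    open_mad_file(&mad_known_aids, false);

    // Only the number and constants go into the format; the trailing "%s" is
    // kept as the placeholder that print_aid_description() fills in.
    char fmt[128];
    snprintf(fmt, sizeof(fmt), " MAD AID Function 0x%04X :" _YELLOW_("%s"), short_aid, "%s");
    print_aid_description(mad_known_aids, short_aid, fmt, verbose);

    close_mad_file(mad_known_aids);
    mad_known_aids = NULL; // the object is released; do not keep its address
    return PM3_SUCCESS;
}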
// Tell whether the bytes at offset 3 * MFBLOCK_SIZE of `d` equal
// g_mifare_mad_key (presumably key A in the sector 0 trailer; confirm against
// the dump layout).
//
// No length is passed in: the caller must guarantee that `d` holds at least
// 3 * MFBLOCK_SIZE + sizeof(g_mifare_mad_key) bytes. Returns false for NULL.
bool HasMADKey(uint8_t *d) {
    if (d == NULL) {
        return false;
    }

    const uint8_t *candidate = d + (3 * MFBLOCK_SIZE);
    const int diff = memcmp(candidate, g_mifare_mad_key, sizeof(g_mifare_mad_key));
    return diff == 0;
}
// Search the MAD v1 entries of sector 0 for the AID `manufacture`.
//
// d            sector 0 data; entries 1..15 are read through madGetAID().
// manufacture  AID to look for (compared without byte swapping).
//
// Returns the index (1..15) of the first matching entry, or -1 when `d` is
// NULL or nothing matches.
int DetectHID(uint8_t *d, uint16_t manufacture) {
    if (d == NULL) {
        return -1;
    }

    // find HID
    int slot = 1;
    while (slot < 16) {
        if (madGetAID(d, false, 1, slot) == manufacture) {
            return slot;
        }
        slot++;
    }

    return -1;
}
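// Collect the data blocks of every sector that the MAD marks with the NDEF
// AID (0xE103) from a card dump.
//
// in    dump bytes, starting with sector 0.
// ilen  number of valid bytes in `in`. At least one sector
//       (MFBLOCK_SIZE * 4 bytes) is required, because the MAD key and
//       sector 0 are read from it.
// out   destination. For each matching sector, MFBLOCK_SIZE * 3 bytes are
//       appended (the last block of the sector is skipped). The capacity is
//       not passed in, so the caller must size it for all matching sectors.
// olen  the number of bytes appended is ADDED to *olen; the caller sets the
//       start value.
//
// Returns PM3_EINVARG on NULL pointers or a dump shorter than one sector,
// PM3_ESOFT when no MAD key is found or the MAD does not decode, otherwise
// PM3_SUCCESS.
int convert_mad_to_arr(uint8_t *in, uint16_t ilen, uint8_t *out, uint16_t *olen) {

    uint8_t sector0[MFBLOCK_SIZE * 4] = {0};
    uint8_t sector10[MFBLOCK_SIZE * 4] = {0};

    // Check the length before the first read: HasMADKey() and the sector 0
    // copy below both read from the first sector of `in`.
    if (in == NULL || out == NULL || olen == NULL || ilen < sizeof(sector0)) {
        return PM3_EINVARG;
    }

    // MAD detection
    if (HasMADKey(in) == false) {
        PrintAndLogEx(FAILED, "No MAD key was detected in the dump file");
        return PM3_ESOFT;
    }

    memcpy(sector0, in, sizeof(sector0));
    if (ilen == MIFARE_4K_MAX_BYTES) {
        memcpy(sector10, in + (MF_MAD2_SECTOR * 4 * MFBLOCK_SIZE), sizeof(sector10));
    }

    uint16_t mad[7 + 8 + 8 + 8 + 8] = {0};
    size_t madlen = 0;
    if (MADDecode(sector0, sector10, mad, &madlen, false)) {
        PrintAndLogEx(ERR, "can't decode MAD");
        return PM3_ESOFT;
    }

    const uint16_t ndef_aid = 0xE103;
    const size_t sector_len = sizeof(sector0);
    const size_t data_len = sector_len - MFBLOCK_SIZE;

    for (size_t i = 0; i < madlen; i++) {
        if (mad[i] != ndef_aid) {
            continue;
        }

        // sector i dump (skip first sector +1)
        // NOTE(review): this offset treats every sector as 4 blocks; confirm
        // it is right for the upper sectors of a 4K dump.
        size_t offset = (i + 1) * sector_len;

        // The MAD entries come from the dump itself. Refuse to read a sector
        // that lies past the end of the supplied buffer; later entries have
        // larger offsets, so stop here.
        if (offset + sector_len > ilen) {
            PrintAndLogEx(WARNING, "NDEF sector %zu is outside the dump (%u bytes), stopping", i + 1, (unsigned int)ilen);
            break;
        }

        // copy to out (skip ST)
        memcpy(out, in + offset, data_len);
        out += data_len;
        *olen += data_len;
    }
    return PM3_SUCCESS;
}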