Remove unused MF1_DETECT_DARKSIDE, reallocate 2003 to MF1_STATIC_NEST…
…ED_ACQUIRE

MF1_DETECT_DARKSIDE was actually running the full attack, as there is no quick way to detect Darkside.
So if you want to check for Darkside, just run MF1_DARKSIDE_ACQUIRE directly.
doegox committed Sep 19, 2023
1 parent 624e96a commit 5a9d49d
Showing 6 changed files with 7 additions and 47 deletions.
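--- a/docs/protocol.md
+++ b/docs/protocol.md
@@ -211,10 +211,10 @@ Notes:
 * Command: no data
 * Response: 1 byte, according to `mf1_nested_type_t` enum
 * CLI: cf `hf 14a info`
-### 2003: MF1_DETECT_DARKSIDE
-* Command: no data
-* Response: 1 byte, according to `mf1_darkside_status_t` enum
-* CLI: unused
+### 2003: MF1_STATIC_NESTED_ACQUIRE
+* Command: 10 bytes: `type_known|block_known|key_known[6]|type_target|block_target`. Key as 6 bytes.
+* Response: 4+N*8 bytes: `uid[4]` followed by N tuples of `nt[4]|nt_enc[4]`. All values as U32.
+* CLI: cf `hf mf nested` on static nonce tag
 ### 2004: MF1_DARKSIDE_ACQUIRE
 * Command: 4 bytes: `type_target|block_target|first_recover|sync_max`
 * Response: 1 byte if Darkside failed, according to `mf1_darkside_status_t` enum,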
13 changes: 1 addition & 12 deletions firmware/application/src/app_cmd.c
Expand Up @@ -256,15 +256,6 @@ static data_frame_tx_t *cmd_processor_mf1_detect_prng(uint16_t cmd, uint16_t sta
return data_frame_make(cmd, HF_TAG_OK, sizeof(type), &type);
}

static data_frame_tx_t *cmd_processor_mf1_detect_darkside(uint16_t cmd, uint16_t status, uint16_t length, uint8_t *data) {
uint8_t darkside_status;
status = check_darkside_support((mf1_darkside_status_t *)&darkside_status);
if (status != HF_TAG_OK) {
return data_frame_make(cmd, status, 0, NULL);
}
return data_frame_make(cmd, HF_TAG_OK, sizeof(darkside_status), &darkside_status);
}

static data_frame_tx_t *cmd_processor_mf1_darkside_acquire(uint16_t cmd, uint16_t status, uint16_t length, uint8_t *data) {
if (length != 4) {
return data_frame_make(cmd, STATUS_PAR_ERR, 0, NULL);
Expand Down Expand Up @@ -938,16 +929,14 @@ static cmd_data_map_t m_data_cmd_map[] = {
{ DATA_CMD_HF14A_SCAN, before_hf_reader_run, cmd_processor_hf14a_scan, after_hf_reader_run },
{ DATA_CMD_MF1_DETECT_SUPPORT, before_hf_reader_run, cmd_processor_mf1_detect_support, after_hf_reader_run },
{ DATA_CMD_MF1_DETECT_PRNG, before_hf_reader_run, cmd_processor_mf1_detect_prng, after_hf_reader_run },
{ DATA_CMD_MF1_DETECT_DARKSIDE, before_hf_reader_run, cmd_processor_mf1_detect_darkside, after_hf_reader_run },

{ DATA_CMD_MF1_STATIC_NESTED_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_static_nested_acquire, after_hf_reader_run },
{ DATA_CMD_MF1_DARKSIDE_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_darkside_acquire, after_hf_reader_run },
{ DATA_CMD_MF1_DETECT_NT_DIST, before_hf_reader_run, cmd_processor_mf1_detect_nt_dist, after_hf_reader_run },
{ DATA_CMD_MF1_NESTED_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_nested_acquire, after_hf_reader_run },

{ DATA_CMD_MF1_AUTH_ONE_KEY_BLOCK, before_hf_reader_run, cmd_processor_mf1_auth_one_key_block, after_hf_reader_run },
{ DATA_CMD_MF1_READ_ONE_BLOCK, before_hf_reader_run, cmd_processor_mf1_read_one_block, after_hf_reader_run },
{ DATA_CMD_MF1_WRITE_ONE_BLOCK, before_hf_reader_run, cmd_processor_mf1_write_one_block, after_hf_reader_run },
{ DATA_CMD_MF1_STATIC_NESTED_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_static_nested_acquire, after_hf_reader_run },

{ DATA_CMD_EM410X_SCAN, before_reader_run, cmd_processor_em410x_scan, NULL },
{ DATA_CMD_EM410X_WRITE_TO_T55XX, before_reader_run, cmd_processor_em410x_write_to_t55XX, NULL },
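--- a/firmware/application/src/data_cmd.h
+++ b/firmware/application/src/data_cmd.h
@@ -57,14 +57,13 @@
 #define DATA_CMD_HF14A_SCAN (2000)
 #define DATA_CMD_MF1_DETECT_SUPPORT (2001)
 #define DATA_CMD_MF1_DETECT_PRNG (2002)
-#define DATA_CMD_MF1_DETECT_DARKSIDE (2003)
+#define DATA_CMD_MF1_STATIC_NESTED_ACQUIRE (2003)
 #define DATA_CMD_MF1_DARKSIDE_ACQUIRE (2004)
 #define DATA_CMD_MF1_DETECT_NT_DIST (2005)
 #define DATA_CMD_MF1_NESTED_ACQUIRE (2006)
 #define DATA_CMD_MF1_AUTH_ONE_KEY_BLOCK (2007)
 #define DATA_CMD_MF1_READ_ONE_BLOCK (2008)
 #define DATA_CMD_MF1_WRITE_ONE_BLOCK (2009)
-#define DATA_CMD_MF1_STATIC_NESTED_ACQUIRE (2010)
 //
 // ******************************************************************
 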
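Review bot: Reusing opcode 2003 for `DATA_CMD_MF1_STATIC_NESTED_ACQUIRE` changes the meaning of an existing wire value, so a client and firmware built on opposite sides of this commit will disagree about it: a pre-change client sending the zero-length 2003 detect request now reaches the static-nested handler, and a pre-change client sending 2010 finds no mapping. The same renumbering is applied in software/script/chameleon_cmd.py, and nothing in the visible hunks checks a protocol or firmware version, although that may happen elsewhere. I would record the retired value next to the define, e.g. `// 2010 retired (formerly MF1_STATIC_NESTED_ACQUIRE); do not reuse`, and confirm that cmd_processor_mf1_static_nested_acquire, whose body is not shown on this page, rejects any payload that is not the 10 bytes docs/protocol.md gives for this command.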
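--- a/firmware/application/src/rfid/reader/hf/mf1_toolbox.c
+++ b/firmware/application/src/rfid/reader/hf/mf1_toolbox.c
@@ -569,20 +569,6 @@ void antenna_switch_delay(uint32_t delay_ms) {
 g_ant_reset_delay = delay_ms;
 }
 
-/**
-* @brief :Determine whether this card supports DARKSIDE attack
-* @retval : If support, return hf_tag_ok and darkside_status = OK. If it is not supported,
-* Return to the results of abnormal results during the detection process in darkside_status
-* Or other card -related communication errors, the most common is loss card HF_TAG_NO
-*
-*/
-uint8_t check_darkside_support(mf1_darkside_status_t *darkside_status) {
-// Instantiated parameter
-DarksideCore_t dc;
-//Determine and return the result directly
-return darkside_recover_key(0x03, PICC_AUTHENT1A, true, 0x15, &dc, darkside_status);
-}
-
 /**
 * @brief : Determine whether this card supports M1 verification steps
 * @retval : If support, it will return hf_tag_ok,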
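--- a/firmware/application/src/rfid/reader/hf/mf1_toolbox.h
+++ b/firmware/application/src/rfid/reader/hf/mf1_toolbox.h
@@ -90,7 +90,6 @@ uint8_t nested_distance_detect(
 uint8_t nested_recover_key(NESTED_CORE_PARAM_DEF, mf1_nested_core_t ncs[SETS_NR]);
 uint8_t static_nested_recover_key(NESTED_CORE_PARAM_DEF, mf1_static_nested_core_t* sncs);
 
-uint8_t check_darkside_support(mf1_darkside_status_t *darkside_status);
 uint8_t check_prng_type(mf1_prng_type_t *type);
 uint8_t check_std_mifare_nt_support(bool *support);
 void antenna_switch_delay(uint32_t delay_ms);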
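--- a/software/script/chameleon_cmd.py
+++ b/software/script/chameleon_cmd.py
@@ -61,15 +61,13 @@
 DATA_CMD_HF14A_SCAN = 2000
 DATA_CMD_MF1_DETECT_SUPPORT = 2001
 DATA_CMD_MF1_DETECT_PRNG = 2002
-# FIXME: implemented but unused in CLI commands
-DATA_CMD_MF1_DETECT_DARKSIDE = 2003
+DATA_CMD_MF1_STATIC_NESTED_ACQUIRE = 2003
 DATA_CMD_MF1_DARKSIDE_ACQUIRE = 2004
 DATA_CMD_MF1_DETECT_NT_DIST = 2005
 DATA_CMD_MF1_NESTED_ACQUIRE = 2006
 DATA_CMD_MF1_AUTH_ONE_KEY_BLOCK = 2007
 DATA_CMD_MF1_READ_ONE_BLOCK = 2008
 DATA_CMD_MF1_WRITE_ONE_BLOCK = 2009
-DATA_CMD_MF1_STATIC_NESTED_ACQUIRE = 2010
 
 DATA_CMD_EM410X_SCAN = 3000
 DATA_CMD_EM410X_WRITE_TO_T55XX = 3001
@@ -465,17 +463,6 @@ def mf1_detect_prng(self):
 resp.data = resp.data[0]
 return resp
 
-@expect_response(chameleon_status.Device.HF_TAG_OK)
-def mf1_detect_darkside_support(self):
-"""
-Check if the card is vulnerable to mifare classic darkside attack
-:return:
-"""
-resp = self.device.send_cmd_sync(DATA_CMD_MF1_DETECT_DARKSIDE, timeout=20)
-if resp.status == chameleon_status.Device.HF_TAG_OK:
-resp.data = resp.data[0]
-return resp
-
 @expect_response(chameleon_status.Device.HF_TAG_OK)
 def mf1_detect_nt_dist(self, block_known, type_known, key_known):
 """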
