From 5a9d49ddb421e400760bfff9c24bca1dacc82a5a Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Tue, 19 Sep 2023 16:03:17 +0200
Subject: [PATCH] Remove unused MF1_DETECT_DARKSIDE, reallocate 2003 to MF1_STATIC_NESTED_ACQUIRE

MF1_DETECT_DARKSIDE was actually runnign the full attack, as there is no quick way to detect Darkside
So if you want to check for Darkside, just run directly MF1_DARKSIDE_ACQUIRE.
---
 docs/protocol.md | 8 ++++----
 firmware/application/src/app_cmd.c | 13 +------------
 firmware/application/src/data_cmd.h | 3 +--
 .../application/src/rfid/reader/hf/mf1_toolbox.c | 14 --------------
 .../application/src/rfid/reader/hf/mf1_toolbox.h | 1 -
 software/script/chameleon_cmd.py | 15 +-------------
 6 files changed, 7 insertions(+), 47 deletions(-)

diff --git a/docs/protocol.md b/docs/protocol.md
index ef476e58..d3199398 100644
--- a/docs/protocol.md
+++ b/docs/protocol.md
@@ -211,10 +211,10 @@ Notes:
 * Command: no data
 * Response: 1 byte, according to `mf1_nested_type_t` enum
 * CLI: cf `hf 14a info`
-### 2003: MF1_DETECT_DARKSIDE
-* Command: no data
-* Response: 1 byte, according to `mf1_darkside_status_t` enum
-* CLI: unused
+### 2003: MF1_STATIC_NESTED_ACQUIRE
+* Command: 10 bytes: `type_known|block_known|key_known[6]|type_target|block_target`. Key as 6 bytes.
+* Response: 4+N*8 bytes: `uid[4]` followed by N tuples of `nt[4]|nt_enc[4]`. All values as U32.
+* CLI: cf `hf mf nested` on static nonce tag
 ### 2004: MF1_DARKSIDE_ACQUIRE
 * Command: 4 bytes: `type_target|block_target|first_recover|sync_max`
 * Response: 1 byte if Darkside failed, according to `mf1_darkside_status_t` enum,
diff --git a/firmware/application/src/app_cmd.c b/firmware/application/src/app_cmd.c
index 1fbd36f8..93518efc 100644
--- a/firmware/application/src/app_cmd.c
+++ b/firmware/application/src/app_cmd.c
@@ -256,15 +256,6 @@ static data_frame_tx_t *cmd_processor_mf1_detect_prng(uint16_t cmd, uint16_t sta
 return data_frame_make(cmd, HF_TAG_OK, sizeof(type), &type);
 }
 
-static data_frame_tx_t *cmd_processor_mf1_detect_darkside(uint16_t cmd, uint16_t status, uint16_t length, uint8_t *data) {
- uint8_t darkside_status;
- status = check_darkside_support((mf1_darkside_status_t *)&darkside_status);
- if (status != HF_TAG_OK) {
- return data_frame_make(cmd, status, 0, NULL);
- }
- return data_frame_make(cmd, HF_TAG_OK, sizeof(darkside_status), &darkside_status);
-}
-
 static data_frame_tx_t *cmd_processor_mf1_darkside_acquire(uint16_t cmd, uint16_t status, uint16_t length, uint8_t *data) {
 if (length != 4) {
 return data_frame_make(cmd, STATUS_PAR_ERR, 0, NULL);
@@ -938,8 +929,7 @@ static cmd_data_map_t m_data_cmd_map[] = {
 { DATA_CMD_HF14A_SCAN, before_hf_reader_run, cmd_processor_hf14a_scan, after_hf_reader_run },
 { DATA_CMD_MF1_DETECT_SUPPORT, before_hf_reader_run, cmd_processor_mf1_detect_support, after_hf_reader_run },
 { DATA_CMD_MF1_DETECT_PRNG, before_hf_reader_run, cmd_processor_mf1_detect_prng, after_hf_reader_run },
- { DATA_CMD_MF1_DETECT_DARKSIDE, before_hf_reader_run, cmd_processor_mf1_detect_darkside, after_hf_reader_run },
-
+ { DATA_CMD_MF1_STATIC_NESTED_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_static_nested_acquire, after_hf_reader_run },
 { DATA_CMD_MF1_DARKSIDE_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_darkside_acquire, after_hf_reader_run },
 { DATA_CMD_MF1_DETECT_NT_DIST, before_hf_reader_run, cmd_processor_mf1_detect_nt_dist, after_hf_reader_run },
 { DATA_CMD_MF1_NESTED_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_nested_acquire, after_hf_reader_run },
@@ -947,7 +937,6 @@ static cmd_data_map_t m_data_cmd_map[] = {
 { DATA_CMD_MF1_AUTH_ONE_KEY_BLOCK, before_hf_reader_run, cmd_processor_mf1_auth_one_key_block, after_hf_reader_run },
 { DATA_CMD_MF1_READ_ONE_BLOCK, before_hf_reader_run, cmd_processor_mf1_read_one_block, after_hf_reader_run },
 { DATA_CMD_MF1_WRITE_ONE_BLOCK, before_hf_reader_run, cmd_processor_mf1_write_one_block, after_hf_reader_run },
- { DATA_CMD_MF1_STATIC_NESTED_ACQUIRE, before_hf_reader_run, cmd_processor_mf1_static_nested_acquire, after_hf_reader_run },
 
 { DATA_CMD_EM410X_SCAN, before_reader_run, cmd_processor_em410x_scan, NULL },
 { DATA_CMD_EM410X_WRITE_TO_T55XX, before_reader_run, cmd_processor_em410x_write_to_t55XX, NULL },
diff --git a/firmware/application/src/data_cmd.h b/firmware/application/src/data_cmd.h
index e04e93c7..ce8efc8a 100644
--- a/firmware/application/src/data_cmd.h
+++ b/firmware/application/src/data_cmd.h
@@ -57,14 +57,13 @@
 #define DATA_CMD_HF14A_SCAN (2000)
 #define DATA_CMD_MF1_DETECT_SUPPORT (2001)
 #define DATA_CMD_MF1_DETECT_PRNG (2002)
-#define DATA_CMD_MF1_DETECT_DARKSIDE (2003)
+#define DATA_CMD_MF1_STATIC_NESTED_ACQUIRE (2003)
 #define DATA_CMD_MF1_DARKSIDE_ACQUIRE (2004)
 #define DATA_CMD_MF1_DETECT_NT_DIST (2005)
 #define DATA_CMD_MF1_NESTED_ACQUIRE (2006)
 #define DATA_CMD_MF1_AUTH_ONE_KEY_BLOCK (2007)
 #define DATA_CMD_MF1_READ_ONE_BLOCK (2008)
 #define DATA_CMD_MF1_WRITE_ONE_BLOCK (2009)
-#define DATA_CMD_MF1_STATIC_NESTED_ACQUIRE (2010)
 
 //
 // ******************************************************************
diff --git a/firmware/application/src/rfid/reader/hf/mf1_toolbox.c b/firmware/application/src/rfid/reader/hf/mf1_toolbox.c
index 61f1a61a..358d1b55 100644
--- a/firmware/application/src/rfid/reader/hf/mf1_toolbox.c
+++ b/firmware/application/src/rfid/reader/hf/mf1_toolbox.c
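Review bot: Reassigning wire id 2003 to DATA_CMD_MF1_STATIC_NESTED_ACQUIRE (and retiring 2010) in the data_cmd.h hunk changes the meaning of an id that shipped firmware and clients already interpret, with no version gate; the same reassignment is made in the chameleon_cmd.py hunk. The removed cmd_processor_mf1_detect_darkside handler did not check `length` or `data`, so a client built after this commit that sends the 10-byte static-nested request to older firmware would trigger the old full Darkside run and receive a 1-byte status that the new client then tries to read as `uid[4]` plus nonce tuples; conversely an older client sending 2010 to new firmware gets whatever the dispatcher does for an unknown id, which is outside this diff. At minimum record the history beside the define, e.g. `#define DATA_CMD_MF1_STATIC_NESTED_ACQUIRE (2003) // was MF1_DETECT_DARKSIDE until 2023-09; id 2010 retired, not to be reused`, mirror the comment in chameleon_cmd.py, and if the client can query the firmware version, refuse to issue 2003 to a build that predates this change.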
@@ -569,20 +569,6 @@ void antenna_switch_delay(uint32_t delay_ms) {
 g_ant_reset_delay = delay_ms;
 }
 
-/**
-* @brief :Determine whether this card supports DARKSIDE attack
-* @retval : If support, return hf_tag_ok and darkside_status = OK. If it is not supported,
-* Return to the results of abnormal results during the detection process in darkside_status
-* Or other card -related communication errors, the most common is loss card HF_TAG_NO
-*
-*/
-uint8_t check_darkside_support(mf1_darkside_status_t *darkside_status) {
- // Instantiated parameter
- DarksideCore_t dc;
- //Determine and return the result directly
- return darkside_recover_key(0x03, PICC_AUTHENT1A, true, 0x15, &dc, darkside_status);
-}
-
 /**
 * @brief : Determine whether this card supports M1 verification steps
 * @retval : If support, it will return hf_tag_ok,
diff --git a/firmware/application/src/rfid/reader/hf/mf1_toolbox.h b/firmware/application/src/rfid/reader/hf/mf1_toolbox.h
index 40b35ac9..5f336ae3 100644
--- a/firmware/application/src/rfid/reader/hf/mf1_toolbox.h
+++ b/firmware/application/src/rfid/reader/hf/mf1_toolbox.h
@@ -90,7 +90,6 @@ uint8_t nested_distance_detect(
 uint8_t nested_recover_key(NESTED_CORE_PARAM_DEF, mf1_nested_core_t ncs[SETS_NR]);
 uint8_t static_nested_recover_key(NESTED_CORE_PARAM_DEF, mf1_static_nested_core_t* sncs);
-uint8_t check_darkside_support(mf1_darkside_status_t *darkside_status);
 uint8_t check_prng_type(mf1_prng_type_t *type);
 uint8_t check_std_mifare_nt_support(bool *support);
 void antenna_switch_delay(uint32_t delay_ms);
diff --git a/software/script/chameleon_cmd.py b/software/script/chameleon_cmd.py
index 2f8ef128..a4dcd2ce 100644
--- a/software/script/chameleon_cmd.py
+++ b/software/script/chameleon_cmd.py
@@ -61,15 +61,13 @@
 DATA_CMD_HF14A_SCAN = 2000
 DATA_CMD_MF1_DETECT_SUPPORT = 2001
 DATA_CMD_MF1_DETECT_PRNG = 2002
-# FIXME: implemented but unused in CLI commands
-DATA_CMD_MF1_DETECT_DARKSIDE = 2003
+DATA_CMD_MF1_STATIC_NESTED_ACQUIRE = 2003
 DATA_CMD_MF1_DARKSIDE_ACQUIRE = 2004
 DATA_CMD_MF1_DETECT_NT_DIST = 2005
 DATA_CMD_MF1_NESTED_ACQUIRE = 2006
 DATA_CMD_MF1_AUTH_ONE_KEY_BLOCK = 2007
 DATA_CMD_MF1_READ_ONE_BLOCK = 2008
 DATA_CMD_MF1_WRITE_ONE_BLOCK = 2009
-DATA_CMD_MF1_STATIC_NESTED_ACQUIRE = 2010
 
 DATA_CMD_EM410X_SCAN = 3000
 DATA_CMD_EM410X_WRITE_TO_T55XX = 3001
@@ -465,17 +463,6 @@ def mf1_detect_prng(self):
 resp.data = resp.data[0]
 return resp
 
- @expect_response(chameleon_status.Device.HF_TAG_OK)
- def mf1_detect_darkside_support(self):
- """
- Check if the card is vulnerable to mifare classic darkside attack
- :return:
- """
- resp = self.device.send_cmd_sync(DATA_CMD_MF1_DETECT_DARKSIDE, timeout=20)
- if resp.status == chameleon_status.Device.HF_TAG_OK:
- resp.data = resp.data[0]
- return resp
-
 @expect_response(chameleon_status.Device.HF_TAG_OK)
 def mf1_detect_nt_dist(self, block_known, type_known, key_known):
 """