Desfire adpu processing for real iso-8716 #313

Closed
lvandenb opened this issue Jan 11, 2022 · 77 comments

@lvandenb

lvandenb commented Jan 11, 2022

module MifareDesfireProcess
will not work for real iso - 8716 apdu like

00  A4  04  00  0b     a0 00 00 03 97 43 49 44 5f 01 00 9e 32
CLA INS P1  P2  LE

right now, it is only testing "wrapped desfire" or "native". and it fails on the first command...

if(ByteCount >= 8 && DesfireCLA(Buffer[0]) && Buffer[2] == 0x00 && 
       Buffer[3] == 0x00 && Buffer[4] == ByteCount - 8) { 

in this case buffer[2] == 0x04, and some iso-8716 do not have a LE field ...

And it seems simple to do
if Buffer[0]==0x90 then wrapped for sure, else if Buffer[0]<0x0a then most likely 8716 else most likely Desfire Native.
for native check the first byte as a valid command, otherwise the second..

most of the time, communication starts with file select , like "select the desfire app" (this is optional but recommended)
00 A4 04 00 07 D2 76 00 00 85 01 00

on windows, it will always try 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00 9e 32, first, if smartcard services are enabled.
( so windows users using the pc/sc api, will always fail trying native desfire when the smartcard service is active)

for the global communication there should be a flag, like "protocolFraming" = unknown / native / 8716
after the card becomes "state active" , the first command determines the protocol framing. until reset..
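
An added example (not code from the ChameleonMini project or from the posts in this thread): one way to implement the framing heuristic and the latched `protocolFraming` flag proposed in the comment above, in C. The type and function names are hypothetical, the length check follows the ISO 7816-4 short-APDU cases, and the sample commands are frames quoted in this thread with the ISO 14443-4 prologue and CRC removed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; only the heuristic itself comes from the issue text. */
typedef enum { CMD_REJECTED, CMD_NATIVE, CMD_WRAPPED, CMD_ISO7816 } cmd_kind_t;
typedef enum { FRAMING_UNKNOWN, FRAMING_NATIVE, FRAMING_ISO7816 } framing_t;
typedef struct { framing_t framing; } session_t;

/* Commands quoted in the thread, ISO 14443-4 prologue and CRC stripped. */
const uint8_t SELECT_PNP[] = {0x00, 0xA4, 0x04, 0x00, 0x0B, 0xA0, 0x00, 0x00,
                              0x03, 0x97, 0x43, 0x49, 0x44, 0x5F, 0x01, 0x00};
const uint8_t GET_DATA[] = {0x00, 0xCA, 0x7F, 0x68, 0x00};
const uint8_t WRAPPED_GET_VERSION[] = {0x90, 0x60, 0x00, 0x00, 0x00};
const uint8_t NATIVE_AUTH[] = {0x1A, 0x00};

/* ISO 7816-4 short APDU case (1..4), or 0 if the length bytes do not add up.
 * Cases 1 and 3 carry no Le byte, so a parser must not require one. */
int apdu_case(const uint8_t *apdu, size_t len)
{
    if (len < 4) return 0;
    if (len == 4) return 1;            /* CLA INS P1 P2 */
    if (len == 5) return 2;            /* CLA INS P1 P2 Le */
    size_t lc = apdu[4];
    if (lc == 0) return 0;             /* extended length is not handled here */
    if (len == 5 + lc) return 3;       /* header, Lc, data */
    if (len == 5 + lc + 1) return 4;   /* header, Lc, data, Le */
    return 0;
}

/* The heuristic from the issue: CLA 0x90 is wrapped DESFire, a first byte
 * below 0x0A is treated as plain ISO 7816, anything else as native. */
cmd_kind_t classify_command(const uint8_t *buf, size_t len)
{
    if (len == 0) return CMD_REJECTED;
    if (buf[0] == 0x90) return apdu_case(buf, len) ? CMD_WRAPPED : CMD_REJECTED;
    if (buf[0] < 0x0A) return apdu_case(buf, len) ? CMD_ISO7816 : CMD_REJECTED;
    return CMD_NATIVE;
}

/* Call when the card is reset or re-activated. */
void session_reset(session_t *s) { s->framing = FRAMING_UNKNOWN; }

/* The first accepted command latches the framing until session_reset().
 * Assumption made here: a later command in the other framing is rejected. */
cmd_kind_t session_dispatch(session_t *s, const uint8_t *buf, size_t len)
{
    cmd_kind_t kind = classify_command(buf, len);
    if (kind == CMD_REJECTED) return kind;
    framing_t f = (kind == CMD_NATIVE) ? FRAMING_NATIVE : FRAMING_ISO7816;
    if (s->framing == FRAMING_UNKNOWN) s->framing = f;
    return (s->framing == f) ? kind : CMD_REJECTED;
}

static const char *kind_name(cmd_kind_t k)
{
    static const char *names[] = {"rejected", "native", "wrapped", "iso7816"};
    return names[k];
}

int main(void)
{
    session_t s;
    session_reset(&s);
    printf("SELECT (case %d): %s\n", apdu_case(SELECT_PNP, sizeof SELECT_PNP),
           kind_name(session_dispatch(&s, SELECT_PNP, sizeof SELECT_PNP)));
    printf("wrapped GET VERSION: %s\n",
           kind_name(session_dispatch(&s, WRAPPED_GET_VERSION, sizeof WRAPPED_GET_VERSION)));
    printf("native auth after ISO latch: %s\n",
           kind_name(session_dispatch(&s, NATIVE_AUTH, sizeof NATIVE_AUTH)));
    return 0;
}
```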

@maxieds
Contributor

maxieds commented Jan 15, 2022

@lvandenb
I will put fixing this on my TODO list. Right now I am still getting up to speed on the first issue #302. It can probably wait for a second pull request once the first is done?

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jan 16, 2022
@maxieds
Contributor

maxieds commented Jan 16, 2022

@lvandenb

CODEC RX DATA: 0A 01 00 A4 04 00 0B A0 00 00 03 97 43 49 44 5F 01 00 9E 32

Do you know what the prepended two bytes correspond to? How should this get preprocessed?

@lvandenb
Author

lvandenb commented Jan 16, 2022

these are 14443 I-blocks. (marked by the first 2 bytes)
The last two bytes will be 14443 crc.
the first command byte is class 0, should be full iso7816.

so select file (with a DF name) A0 00 00 03 97 43 49 44 5F 01 00
should answer not found 0x6a 0x82
I think there are also well-known AID names for PIV .. should also answer 0x6a 0x82

only name D2760000850100 (Desfire app) should answer found (0x90 0x00) , and select aid 000

the iso answer will need to be preceded by the same 0A 01 prologue...

@maxieds
Contributor

maxieds commented Jan 16, 2022

Edited:
Are the two prologue bytes something that can consistently be identified, or are they something that the reader is free to arbitrarily prepend to the ISO7816 command format?

Also, thank you for all the help these last couple of weeks! I am feeling really good about getting the pull request in today (by the end of my marathon weekend) to add complete reader support. All my previous testing was with wrapped and native commands with LibNFC...

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jan 16, 2022
@maxieds
Contributor

maxieds commented Jan 16, 2022

@lvandenb
The local implementation needs some testing. I do not believe either one of my readers is sending out the example command you gave above. The changes made in the last commit DID prevent pcsc_scan -v from listing that the card is unresponsive. Now that command correctly says that a DESFire card was inserted. This is progress.

@lvandenb
Author

I thought most processing was already done via MifareDesfireProcess()
this keeps the prologue, and adds it back afterwards.

but only wrapped desfire (class starts with 0x90) or native Desfire is processed now.
(and even iso8716 wrapped is first unwrapped to look like native desfire command.. )

anyway, the first command determines Native or 8716 (including wrapped native)

for the implementation I can make existing send and receive apdu's.
(with the random number fixed at sender and receiver, it is easier to test.)
I guess the tools on https://pcsclite.apdu.fr/ let you send and receive the apdu's on linux.

@maxieds
Contributor

maxieds commented Jan 16, 2022

I have had my head in the clouds since Thursday on like four hours of sleep working on mathematical writing style to eloquently describe the results in an analytic number theory paper I am responsible for this year. On top of that, it's snowing hard for the usually light hoodie as winter weather in Atlanta. Let me have another cup of coffee and come back to writing code in an hour.

Perhaps we can aim to get this pull request started for the holiday (in the US) tomorrow? When I file the PR, I will make sure to note at the top that it is collaborative with @lvandenb and @colinoflynn.

@maxieds
Contributor

maxieds commented Jan 16, 2022

I guess the tools on https://pcsclite.apdu.fr/ let you send and receive the apdu's on linux.

I found the scriptor utility docs here so that I do not have to do this in low-level C.

@maxieds
Contributor

maxieds commented Jan 18, 2022

@lvandenb @colinoflynn
Can you help me with testing the code from the latest commit to my local branch?

The scriptor command reports an invalid SW byte when transferring the command from above, but the output 0x6a 0x82 is accurately returned and prefixed with the prologue bytes.

Update:

@lvandenb
Author

lvandenb commented Jan 18, 2022

it seems logframe 59 sends the answer,
logframe 60 the answer + crc
and logframe 61 the prologue + answer

so 3 answers instead of 1 ?

the full 14443a i-block frame should be 6 bytes, the answer with 2 leading bytes (I-Block), and 2 trailing crc bytes
like 02 01 6a 82 crc1 crc2 ?

I'm still waiting for my Proxmark.
But below is what happens on windows with Omnikey tool, and a real Desfire EV1.

this is sniffed from usb, so the 14443a-4 framing is handled by the reader.

OUT : 00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00
(ISO File Select P1: 04 (Select by DF Name) , P2: 0 (FCI stored in the file with ID 31) , Data a0000003974349445f0100)
(looks for Microsoft PNP AID)

IN : 6a 82
file not found

OUT : 00 ca 7f 68 00
(Get Data , BER-TLV tag (2 bytes) in P1-P2)

IN : 6d 00
(Instruction not supported)

OUT : 00 a4 04 00 09 a0 00 00 03 08 00 00 10 00
(ISO File Select P1: 0 Select by DF Name P2: 0 FCI stored in the file with ID 31 :Data a00000030800001000 )
( looks for Personal Identity Verification (PIV) AID)
IN : 6a 82
( file not found)

OUT : 00 a4 04 00 09 a0 00 00 03 97 42 54 46 59
(ISO File Select P1: 0 Select by DF Name , P2: 0 FCI stored in the file with ID 31 , Data a00000039742544659)
(looks for Microsoft IDMP AID )
IN : 6a 82
(file not found)

remark: well known AID list in https://www.eftlab.com/knowledge-base/211-emv-aid-rid-pix/

@maxieds
Contributor

maxieds commented Jan 19, 2022

@lvandenb
Do you think the code is ready to file the pull request? It definitely resolves #302.

@lvandenb
Author

Last night it still did not answer the iso file select correctly
it was 4 bytes 02 01 6a 82 , instead of the needed 02 01 6a 82 crc1 crc2
Also the log seemed to be overwritten by 6a 82

@lvandenb
Author

lvandenb commented Jan 20, 2022 via email

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jan 20, 2022
@maxieds
Contributor

maxieds commented Jan 20, 2022

@lvandenb
I believe it is fixed now with the latest commit. Please verify (frame 208):

@lvandenb
Author

lvandenb commented Jan 21, 2022 via email

@maxieds
Contributor

maxieds commented Jan 21, 2022

@lvandenb
I cannot verify the precise results you are getting because the scriptor utility prepends different prologue bytes. The output of running scriptor on the same command inner data does show an improvement and outputs the recognized SW error bytes as File Not Found. I assume this will now work on your setup as well. Please test with the latest commit to my branch.

You were right. I computed the CRC bytes on just the data part of the buffer before prepending the prologue back to it prior to returning. This was actually a point of confusion for me initially. I thought that it might want a consistency check on just the data for application processing.

At any rate, cheers! It appears to be working. 😺

@lvandenb
Author

lvandenb commented Jan 22, 2022

Ok this is looking good.

right now only
[60804] CODEC RX DATA: 0B 01 00 CA 7F 68 00 73 73 (read data )
[60804] CODEC TX DATA: 0B 01 6A 81 6D C1 (Function not supported)

but a real desfire ev1 card responds
0B 01 6D 00 E3 19 (6D00 : Instruction code not supported or invalid)

it seems to work, but sometimes it returns a NAK.
[29540] CODEC RX DATA: 26
[29540] CODEC TX DATA: 44 03
[29645] CODEC RX DATA: 26
[29645] CODEC TX DATA: 44 03
[29649] CODEC RX DATA: 93 20
[29649] CODEC TX DATA: 88 08 AA B0 9A
[29654] CODEC RX DATA: 93 70 88 08 AA B0 9A 21 91
[29654] CODEC TX DATA: 24 D8 36
[29657] CODEC RX DATA: 95 20
[29657] CODEC TX DATA: F5 D9 1D AC 9D
[29662] CODEC RX DATA: 95 70 F5 D9 1D AC 9D 61 0A
[29662] CODEC TX DATA: 20 FC 70
[29665] CODEC RX DATA: E0 81 B8 62
[29665] CODEC TX DATA: 06 75 00 81 02 80 66 FD
[29691] CODEC RX DATA: 0A 01 00 A4 04 00 0B A0 00 00 03 97 43 49 44 5F 01 00 9E 32
[29691] CODEC TX DATA: 0A 01 6A 82 4D EF
[29694] CODEC RX DATA: 0B 01 00 CA 7F 68 00 73 73
[29694] CODEC TX DATA: 0B 01 6D 00 E4 19 ( just changed in code )
[29698] CODEC RX DATA: 0A 01 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 04 90
[29698] CODEC TX DATA: 0A 01 6A 82 4D EF
[29702] CODEC RX DATA: 0B 01 00 A4 04 00 09 A0 00 00 03 97 42 54 46 59 DD CD
[29702] CODEC TX DATA: 0B 01 6A 82 F6 F3
[29706] CODEC RX DATA: 0A 01 00 A4 04 00 0B A0 00 00 03 97 43 49 44 5F 01 00 9E 32
[29706] CODEC TX DATA: 0A 01 6A 82 4D EF
[29709] CODEC RX DATA: 0B 01 00 CA 7F 68 00 73 73
[29709] CODEC TX DATA: 0B 01 6D 00 E4 19
[29713] CODEC RX DATA: 0A 01 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 04 90
[29713] CODEC TX DATA: 0A 01 6A 82 4D EF
[29801] CODEC RX DATA: BA 01 37 C8 ( NAK)
this means "an invalid block is received or a FWT time-out occurs"
anyway this should be solved by

Rule 11. When an R(ACK) or an R(NAK) block is received, if its block number is equal to the PICC’s current block
number, the last block shall be re-transmitted.

so maybe I'll wait for the proxmark now, to compare timings.
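
An added example (not the project's code): building the ISO 14443-4 I-block reply discussed above, with CRC_A computed over prologue plus payload, next to the variant that checksums only the payload as described earlier in the thread. Function names are hypothetical; the frames are copied from the CODEC log lines above, and replies are assumed to be unchained so the received prologue is echoed unchanged.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frames and status words copied from the CODEC log lines in this thread. */
const uint8_t RX_SELECT[] = {0x0A, 0x01, 0x00, 0xA4, 0x04, 0x00, 0x0B, 0xA0, 0x00, 0x00,
                             0x03, 0x97, 0x43, 0x49, 0x44, 0x5F, 0x01, 0x00, 0x9E, 0x32};
const uint8_t RX_GETDATA[] = {0x0B, 0x01, 0x00, 0xCA, 0x7F, 0x68, 0x00, 0x73, 0x73};
const uint8_t SW_NOT_FOUND[] = {0x6A, 0x82};
const uint8_t SW_INS_UNSUPPORTED[] = {0x6D, 0x00};

/* CRC_A from ISO/IEC 14443-3: initial value 0x6363, sent low byte first. */
uint16_t crc_a(const uint8_t *data, size_t len)
{
    uint16_t crc = 0x6363;
    for (size_t i = 0; i < len; i++) {
        uint8_t ch = (uint8_t)(data[i] ^ (crc & 0xFF));
        ch = (uint8_t)(ch ^ (ch << 4));
        crc = (uint16_t)((crc >> 8) ^ (ch << 8) ^ (ch << 3) ^ (ch >> 4));
    }
    return crc;
}

/* 1 if the last two bytes are the CRC_A of everything before them. */
int frame_crc_ok(const uint8_t *frame, size_t len)
{
    if (len < 3) return 0;
    uint16_t crc = crc_a(frame, len - 2);
    return frame[len - 2] == (crc & 0xFF) && frame[len - 1] == (crc >> 8);
}

/* I-block prologue length: PCB, plus CID if bit 0x08 is set, plus NAD if
 * bit 0x04 is set. Returns 0 when the PCB is not an I-block. */
size_t iblock_prologue_len(uint8_t pcb)
{
    if ((pcb & 0xE2) != 0x02) return 0;
    return 1u + ((pcb & 0x08) ? 1u : 0u) + ((pcb & 0x04) ? 1u : 0u);
}

/* Build prologue + payload + CRC_A into out; returns the frame length or 0.
 * crc_over_whole_frame = 1 is the correct form. 0 reproduces the bug from
 * the thread: CRC taken over the payload before the prologue is put back. */
size_t build_reply(const uint8_t *rx, size_t rx_len,
                   const uint8_t *payload, size_t payload_len,
                   int crc_over_whole_frame, uint8_t *out, size_t out_cap)
{
    if (!frame_crc_ok(rx, rx_len)) return 0;       /* drop corrupted input */
    size_t pro = iblock_prologue_len(rx[0]);
    if (pro == 0 || rx_len < pro + 2) return 0;
    size_t total = pro + payload_len + 2;
    if (total > out_cap) return 0;
    memcpy(out, rx, pro);
    memcpy(out + pro, payload, payload_len);
    uint16_t crc = crc_over_whole_frame ? crc_a(out, pro + payload_len)
                                        : crc_a(payload, payload_len);
    out[total - 2] = (uint8_t)(crc & 0xFF);
    out[total - 1] = (uint8_t)(crc >> 8);
    return total;
}

static void print_hex(const char *label, const uint8_t *b, size_t n)
{
    printf("%s", label);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    uint8_t out[16];
    size_t n = build_reply(RX_SELECT, sizeof RX_SELECT, SW_NOT_FOUND,
                           sizeof SW_NOT_FOUND, 1, out, sizeof out);
    print_hex("CRC over prologue+payload:", out, n);
    n = build_reply(RX_SELECT, sizeof RX_SELECT, SW_NOT_FOUND,
                    sizeof SW_NOT_FOUND, 0, out, sizeof out);
    print_hex("CRC over payload only:    ", out, n);
    printf("reader-side CRC check on the second frame: %s\n",
           frame_crc_ok(out, n) ? "pass" : "fail");
    return 0;
}
```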

@maxieds
Contributor

maxieds commented Jan 22, 2022

@lvandenb
What do you think about creating the pull request to fix the start of this issue and #302 right now? Maybe we should start a new thread about more subtle bugs in the DESFire implementation like the one you just pointed out.

@lvandenb
Author

@maxie
yes, we can close these now.
it's another level now.

@maxieds
Contributor

maxieds commented Jan 22, 2022

@lvandenb
Please open a new issue for incremental debugging of DESFire emulation and paste the previous message with the data showing an incorrect response there.

Thanks again for all the help debugging and testing.

@maxieds
Contributor

maxieds commented Jan 28, 2022

@lvandenb
I have been looking at the last command discrepancy you noted. The LE field in the command is zero, correct? That might cause an error in this code. I have to look at it more carefully.

Are you planning to do more DESFire testing with the Chameleon once your Proxmark arrives?

@fptrs
Collaborator

fptrs commented Jan 28, 2022

resolved by #314

@colinoflynn

I'll try to give it a check this weekend - I may try to port my changes to that PR as well if I get a chance, but can at least check it didn't seem to break anything on the base code. Thanks!

@maxieds
Contributor

maxieds commented May 7, 2022

@colinoflynn @david-oswald
Any updates with testing? Any chance this PR can get merged soon? The Spring 2022 semester at GT is over. This was my RA project for the term. It would be nice to see it in production in case anyone here asks. 😺

@lvandenb
Author

lvandenb commented May 9, 2022

Finally got some time, but I have an issue with the Makefile now
git https://github.com/maxieds/ChameleonMini.git
DESFire-AuthISO-Patch

$ make desfire
../LUFA/Build/lufa_build.mk:131: The XMEGA device support is currently EXPERIMENTAL (incomplete and/or non-functional), and is included for preview purposes only.
Makefile:273: *** recipe commences before first target. Stop.

@maxieds
Contributor

maxieds commented May 10, 2022

@lvandenb
I just tried compiling the sources with make desfire on MacOS with no problems. The trailing lines after the build completes are

 [OBJCPY]  : Extracting HEX file data from "Chameleon-Mini.elf"
avr-objcopy -O ihex -R .eeprom -R .fuse -R .lock -R .signature --set-section-flags=.flashdata="alloc,load" Chameleon-Mini.elf Chameleon-Mini.hex
 [OBJCPY]  : Extracting EEP file data from "Chameleon-Mini.elf"
avr-objcopy -O ihex -j .eeprom --set-section-flags=.eeprom="alloc,load" --change-section-lma .eeprom=0 --no-change-warnings Chameleon-Mini.elf Chameleon-Mini.eep || exit 0
 [OBJCPY]  : Extracting BIN file data from "Chameleon-Mini.elf"
avr-objcopy -O binary -R .eeprom -R .fuse -R .lock -R .signature --set-section-flags=.flashdata="alloc,load" Chameleon-Mini.elf Chameleon-Mini.bin

Chameleon-Mini.elf  :
section                       size       addr
.flashdata                 0x10000    0x10000
.spmhelper                    0x14    0x21fe0
.text                       0xe65a        0x0
.data                        0x162   0x802000
.bss                         0xc6d   0x802162
.eeprom                       0x64   0x810000
.comment                      0x26        0x0
.note.gnu.avr.deviceinfo      0x40        0x0
.debug_aranges               0x160        0x0
.debug_info                 0x29f1        0x0
.debug_abbrev               0x2708        0x0
.debug_line                  0x71e        0x0
.debug_str                  0x1b33        0x0
Total                      0x269b1


   text	   data	    bss	    dec	    hex	filename
 0xe65a	  0x1c6	  0xc6d	  62605	   f48d	Chameleon-Mini.elf

AVR Memory Usage
----------------
Device: Unknown

Program:   59324 bytes
(.text + .data + .bootloader)

Data:       3535 bytes
(.data + .bss + .noinit)

EEPROM:      100 bytes
(.eeprom)

The warning from the LUFA make script is normal. It has been printed for years. Looking at line 273 of the Makefile suggests a couple of things. Please fill in more details:

  • What platform are you working in?
  • What is your terminal and shell? What output do you get running which bash?

A quick fix is to use the binaries I just compiled for testing: current-build.zip

Happy to follow up otherwise.

@colinoflynn

I finally got around to trying this - I got the same Makefile:273: *** recipe commences before first target. Stop. error (using WSL). It seems to be the SHELL:=$(shell which bash) part of the Makefile line 273, I just removed that and it built OK:

check_size: SHELL:=$(shell which bash)

It doesn't look like the SHELL variable was used there and I got the expected size print. On to functional testing...

@colinoflynn

I ran the test by just compiling with make desfire and make desfire-dev (I tried both). The only configuration I did was setting python chamtool.py -p COM4 -c mf_desfire, and I'd check if it was still responding with python chamtool.py -p COM4 -U to print the UID in use.

With this configuration, I see:

  • Using the command sequence in @maxieds March 30 example, and running that on my pm3 (the full 'hw dbg -4'... etc) works. I get the same output showing successful authentication.
  • Using just the hf mfdes auth command without first doing the debug stuff gives me an error - is this a timing issue or just some invalid thing? It looks like the only difference was the debug stuff in pm3 being enabled, it didn't look like any differences in the actual authentication? Here is the output:
[usb] pm3 --> hf mfdes auth -n 0 -t 3tdea -k 000000000000000000000000000000000000000000000000 -v -c native -a
[=] Key num: 0 Key algo: 3tdea Key[24]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[=] Secure channel: n/a Command set: native Communication mode: plain
[+] Setting ISODEP -> inactive
[!!] Desfire AID select error.
[+] Setting ISODEP -> inactive
[-] Select or authentication AID 000000 failed. Result [202] Can't select application by ISO ID.

Trying to use hf mfdes info causes the ChameleonMini to lock up - it stops responding to my ChamTool requests until I power cycle it. In pm3 I see:

[usb] pm3 --> hf mfdes info
[#] pcb_blocknum 0 == 2
[#] [WCMD <--: : 08/08] 02 90 60 00 00 00 14 98
[#] fukked
[#] switch_off
[!] Command unsuccessful

It looks like it's locking up on GET VERSION:

[=] downloading tracelog data from device
[+] Recorded activity (trace len = 178 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                                           | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |        992 | Rdr |52                                                                       |     | WUPA
       2100 |       4468 | Tag |44  03                                                                   |     |
       7040 |       9504 | Rdr |93  20                                                                   |     | ANTICOLL
      10548 |      16436 | Tag |88  08  19  ad  34                                                       |     |
      19072 |      29600 | Rdr |93  70  88  08  19  ad  34  9a  9d                                       |  ok | SELECT_UID
      30644 |      34164 | Tag |24  d8  36                                                               |     |
      35584 |      38048 | Rdr |95  20                                                                   |     | ANTICOLL-2
      39092 |      44916 | Tag |3b  4b  ed  57  ca                                                       |     |
      47616 |      58080 | Rdr |95  70  3b  4b  ed  57  ca  b9  c5                                       |  ok | SELECT_UID-2
      59188 |      62772 | Tag |20  fc  70                                                               |     |
      64512 |      69280 | Rdr |e0  80  31  73                                                           |  ok | RATS
      70324 |      77364 | Tag |06  75  00  81  02  80                                                   | !crc|
      94976 |     104352 | Rdr |02  90  60  00  00  00  14  98                                           |  ok | GET VERSION
[usb] pm3 -->

Anyway the authentication code seems to be working per the instructions & that is great! And still useful for me to build on this for MFP.

maxieds added a commit to maxieds/ChameleonMini that referenced this issue May 11, 2022
maxieds added a commit to maxieds/ChameleonMini that referenced this issue May 13, 2022
@maxieds
Contributor

maxieds commented May 13, 2022

@colinoflynn
See if the latest commit works for you? An up to date version of the binaries is here:
current-build.zip

@colinoflynn

Hi @maxieds - this seemed to get further, testing shows this result. It does still lock up (stops responding on ChamTool). For some reason I don't get any useful output with hf mfdes list (like I did before).

[usb] pm3 --> hf mfdes info

[=] ---------------------------------- Tag Information ----------------------------------
[+]               UID: 08 71 98 85 E4 07 E9
[+]      Batch number: 00 00 00 00 00
[+]   Production date: week 00 / 2000

[=] --- Hardware Information
[=]    raw: 63000000000000
[=]      Vendor Id: Pragmatic Printing Ltd. UK
[=]           Type: 0x00
[=]        Subtype: 0x00
[=]        Version: 0.0 ( DESFire MF3ICD40 )
[=]   Storage size: 0x00 ( 1 bytes )
[=]       Protocol: 0x00 ( Unknown )

[=] --- Software Information
[=]    raw: C1A0C900000000
[=]      Vendor Id: no tag-info available
[=]           Type: 0xA0
[=]        Subtype: 0xC9
[=]        Version: 0.0
[=]   Storage size: 0x00 ( 1 bytes )
[=]       Protocol: 0x00 ( Unknown )

[=] --------------------------------- Card capabilities ---------------------------------
[#] error DESFIRESendRaw
[#] error DESFIRESendRaw
[#] error DESFIRESendRaw
[#] Card didn't answer to CL1 select all
[!!] APDU: No APDU response
[#] error DESFIRESendApdu Unknown error
[+] ------------------------------------ PICC level -------------------------------------
[+] Applications count: 0 free memory n/a
[+] PICC level auth commands: auth: NO auth iso: NO auth aes: NO auth ev2: NO auth iso native: NO auth lrp: NO

[=] --- Free memory
[+]    Card doesn't support 'free mem' cmd

I'll see if I can get better debug output to show what is giving it problems. BTW I forgot you mentioned missing a proxmark at one point; if I can help by loaning one, let me know.

The authentication side seems to work great, so still major improvements overall. Also the build worked OK now for me too from a clean checkout.

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jun 2, 2022
…s in emsec#313 (success with \'hf mfdes info -- Still debugging auth exchanges)
@maxieds
Contributor

maxieds commented Jun 2, 2022

@colinoflynn
I have some good news to report on progress:

[usb] pm3 --> hf mfdes info

[=] ---------------------------------- Tag Information ----------------------------------
[+]               UID: 08 61 44 FE B4 2B F9 
[+]      Batch number: 00 00 00 00 00 
[+]   Production date: week 00 / 2000

[=] --- Hardware Information
[=]    raw: EC720000000000
[=]      Vendor Id: no tag-info available
[=]           Type: 0x72
[=]        Subtype: 0x00
[=]        Version: 0.0 ( DESFire MF3ICD40 )
[=]   Storage size: 0x00 ( 1 bytes )
[=]       Protocol: 0x00 ( Unknown )

[=] --- Software Information
[=]    raw: 91C1ACC7000000
[=]      Vendor Id: no tag-info available
[=]           Type: 0xC1
[=]        Subtype: 0xAC
[=]        Version: 199.0
[=]   Storage size: 0x00 ( 1 bytes )
[=]       Protocol: 0x00 ( Unknown )

[=] --------------------------------- Card capabilities ---------------------------------
[#] Halt error
[#] Card didn't answer to CL1 select all

I introduced a bug somewhere into the auth command:
hf mfdes auth -n 0 -t 3tdea -k 000000000000000000000000000000000000000000000000 -v -c native -a
I did notice earlier today as you pointed out above (before the latest commit with new fixes) that the auth command is buggy without the debugging options getting set by my script. This behavior has now changed to:

[usb] pm3 --> script run test-mfdes-auth.cmd 
[+] executing Cmd test-mfdes-auth.cmd
[+] args ''
[usb|script] pm3 --> hf mfdes auth -n 0 -t 3tdea -k 000000000000000000000000000000000000000000000000 -v -c native -a
[=] Key num: 0 Key algo: 3tdea Key[24]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Secure channel: n/a Command set: native Communication mode: plain
[+] Setting ISODEP -> inactive
[+] Setting ISODEP -> NFC-A
[=] AID 000000 is selected
[=] Auth: cmd: 0x1a keynum: 0x00
[+] raw>> 1A 00 
[+] raw<< AF EE 91 30 1E E8 F5 84 D6 C7 85 1D 05 65 13 90 A6 C6 D5 
[#] encRndB: EE 91 30 1E E8 F5 84 D6 
[#] RndB: CA FE BA BE 00 11 22 33 
[#] rotRndB: FE BA BE 00 11 22 33 CA FE BA BE 00 11 22 33 CA 
[#] Both   : 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 FE BA BE 00 11 22 33 CA FE BA BE 00 11 22 33 CA 
[+] raw>> AF 30 EB 55 F3 29 39 04 96 77 88 CE EF 33 A3 C8 7B 18 66 1A F1 62 78 A0 28 53 84 67 98 7C BB DB 03 
[+] raw<< 7E 4B 16 
[!!] 🚨 Command (af) ERROR: 0x7e
[#] error DESFIRESendRaw Length of command string invalid
[!!] 🚨 Desfire authenticate error. Result: [7] Sending auth command failed
[+] Setting ISODEP -> inactive
[-] ⛔ Select or authentication AID 000000 failed. Result [7] Sending auth command failed
[usb|script] pm3 --> script run ./debug.cmd
[+] executing Cmd ./debug.cmd
[+] args ''
[usb|script] pm3 --> hw dbg -4
[usb|script] pm3 --> prefs set clientdebug --full
[=]     client debug........... full
[usb|script] pm3 --> data setdebugmode -2
[=] client debug level... 2 ( verbose debug messages )
[usb|script] pm3 --> hf mfdes auth -n 0 -t 3tdea -k 000000000000000000000000000000000000000000000000 -v -c native -a
[=] Key num: 0 Key algo: 3tdea Key[24]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Secure channel: n/a Command set: native Communication mode: plain
[+] Setting ISODEP -> inactive
[#]   Debug log level......... 4 ( extended )
[#] Card didn't answer to select
[!!] 🚨 Desfire AID select error.
[+] Setting ISODEP -> inactive
[-] ⛔ Select or authentication AID 000000 failed. Result [202] Can't select application by ISO ID.

I should have some more time to finish up and get the auth command working tonight or tomorrow :)

Anything else I have missed in all of the excellent feedback you gave above?

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jun 4, 2022
@maxieds
Contributor

maxieds commented Jun 4, 2022

@colinoflynn
Please check with the latest commit to verify. This is what I get with the PM3 after building with make desfire-dev:

[usb] pm3 --> script run debug.cmd
[+] executing Cmd debug.cmd
[+] args ''
[usb|script] pm3 --> hw dbg -4
[usb|script] pm3 --> prefs set clientdebug --full
[=]     client debug........... full
[usb|script] pm3 --> data setdebugmode -2
[=] client debug level... 2 ( verbose debug messages )

[#]   Debug log level......... 4 ( extended )
[usb] pm3 --> hf mfdes info
[#] pcb_blocknum 0 == 2 
[#] [WCMD <--: : 08/08] 02 90 60 00 00 00 14 98 
[#] pcb_blocknum 1 == 3 
[#] [WCMD <--: : 08/08] 03 90 af 00 00 00 1f 15 
[#] pcb_blocknum 0 == 2 
[#] [WCMD <--: : 08/08] 02 90 af 00 00 00 34 11 

[=] ---------------------------------- Tag Information ----------------------------------
[+]               UID: 08 4F 8A 44 7D AE 83 
[+]      Batch number: AE 83 CE E4 A5 
[+]   Production date: week db / 20f1

[=] --- Hardware Information
[=]    raw: 04010100011805
[=]      Vendor Id: NXP Semiconductors Germany
[=]           Type: 0x01
[=]        Subtype: 0x01
[=]        Version: 0.1 ( DESFire MF3ICD40 )
[=]   Storage size: 0x18 ( 4096 bytes )
[=]       Protocol: 0x05 ( ISO 14443-2, 14443-3 )

[=] --- Software Information
[=]    raw: 90AF0401010001
[=]      Vendor Id: no tag-info available
[=]           Type: 0xAF
[=]        Subtype: 0x04
[=]        Version: 1.1
[=]   Storage size: 0x00 ( 1 bytes )
[=]       Protocol: 0x01 ( Unknown )

[=] --------------------------------- Card capabilities ---------------------------------
[#] switch_off
[usb] pm3 --> hf mfdes auth -n 0 -t 3tdea -k 000000000000000000000000000000000000000000000000 -v -c native -a
[=] Key num: 0 Key algo: 3tdea Key[24]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Secure channel: n/a Command set: native Communication mode: plain
[+] Setting ISODEP -> inactive
[+] Setting ISODEP -> NFC-A
[=] AID 000000 is selected
[=] Auth: cmd: 0x1a keynum: 0x00
[+] raw>> 1A 00 
[+] raw<< AF EE 91 30 1E E8 F5 84 D6 C7 85 1D 05 65 13 90 A6 C6 D5 
[#] encRndB: EE 91 30 1E E8 F5 84 D6 
[#] RndB: CA FE BA BE 00 11 22 33 
[#] rotRndB: FE BA BE 00 11 22 33 CA FE BA BE 00 11 22 33 CA 
[#] Both   : 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 FE BA BE 00 11 22 33 CA FE BA BE 00 11 22 33 CA 
[+] raw>> AF 30 EB 55 F3 29 39 04 96 77 88 CE EF 33 A3 C8 7B 18 66 1A F1 62 78 A0 28 53 84 67 98 7C BB DB 03 
[+] raw<< 00 9B 71 57 8F FB DF 80 A8 F6 EF 33 4A C6 CD F9 7A 7D BE 
[=] Session key : 01 02 03 04 CA FE BA BE 07 08 09 10 22 33 CA FE 13 14 15 16 00 11 22 33 
[=] Desfire  authenticated
[+] PICC selected and authenticated succesfully
[+] Context: 
[=] Key num: 0 Key algo: 3tdea Key[24]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[=] Secure channel: ev1 Command set: native Communication mode: plain
[=] Session key [24]: 01 02 03 04 CA FE BA BE 07 08 09 10 22 33 CA FE 13 14 15 16 00 11 22 33  
[=]     IV [8]: 00 00 00 00 00 00 00 00 
[+] Setting ISODEP -> inactive

@colinoflynn

With both make desfire and make desfire-dev I get this error:

BuildScripts/lufa_build_extra.mk:131: The XMEGA device support is currently EXPERIMENTAL (incomplete and/or non-functional), and is included for preview purposes only.
basename: extra operand ‘../LUFA/Drivers/USB/Core/DeviceStandardReq.c’
Try 'basename --help' for more information.
make: *** No rule to make target 'Bin/HIDParser.o', needed by 'Chameleon-Mini.elf'.  Stop.

There's no line number so not sure (it looks like maybe from an included makefile?), do you know offhand where things were tweaked? I'm building it on Ubuntu (using WSL).

@maxieds
Contributor

maxieds commented Jun 8, 2022

@colinoflynn
Please check one more time with the latest commit. If that doesn't work, you can try testing with the binaries I just compiled in this archive: latest-desfire-build.zip.

BTW, thanks for the proxmark offer. My advisor gave me some money from her grant this Spring to buy one :)

@colinoflynn

Got it! Will test those binaries - the output now fixes the basename problem, but I still get:

make: *** No rule to make target 'Bin/HIDParser.o', needed by 'Chameleon-Mini.elf'.  Stop.

How are you building that doesn't trigger the errors?

@maxieds
Contributor

maxieds commented Jun 14, 2022

@colinoflynn
Hmmm. Did you try running make clean first? If not, I will try to debug with my Arch Linux box later.

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jun 15, 2022
@maxieds
Contributor

maxieds commented Jun 15, 2022

Nevermind. It should work now.

It looks like brew distinguishes the standard system make with its version called gmake on MacOS. The Linux make command is (looks like) equivalent to gmake on Mac. Now we know...

maxieds added a commit to maxieds/ChameleonMini that referenced this issue Jun 15, 2022
… compat changes: Attempt to fix this problem (PM3 command support verified as still working) -- Cf. emsec#313
@maxieds
Contributor

maxieds commented Jun 15, 2022

The make build problems should now all be resolved. As a bonus, running make desfire or make desfire-dev should be quicker on the average: I convinced the Makefile to not rebuild the LUFA library objects at each fresh compile of the Chameleon sources. Some might also checkout the predefined custom build targets in this build script to start on the idea from #283.

@colinoflynn @lvandenb
I have some technical problems with the code in the latest commit interfacing with the USB/PCSC ACS-122U reader. The PM3 compatibility still works, but the USB reader will not recognize the Chameleon with CONFIG=MF_DESFIRE like it did several months ago. I can trace the problem down to where the reader/PCD issues the Chameleon a DESELECT (0x2E) command:
(Updated to include the CMLD screenshot on my phone)

What response should it actually be sending back? This happens after the anticollision loop and RATS are satisfied. My start to fixing this issue is found here -- all commented out again after failed tests of the code.

@maxieds
Contributor

maxieds commented Jun 16, 2022

Here are current binary builds: latest-desfire-build.zip

@colinoflynn

I'm travelling for some events - I did throw PM3/CM in my bag in case I've got time, but it's likely I'll be away from this for a couple weeks, will update if I get a chance to try. Unfortunately no other reader with me so on the final problem I can take a look once I'm back at the office.

@maxieds
Contributor

maxieds commented Jun 23, 2022

If anyone else wants to help out with testing PR #319, it would be nice to add some example DESFire configuration dumps generated with non-default interactions with the Chameleon. Also, posting this request as a follow up on the PR thread.

@maxieds
Contributor

maxieds commented Jul 15, 2022

@david-oswald @fptrs
I think we can close this issue now that PR #319 is merged. I will check the latest DESFire firmware build with my two local PCSC external USB readers later tonight. If there are still problems getting pcsc_scan to recognize the Chameleon running CONFIG=MF_DESFIRE, I will start a new issue where we can follow up. 😸

@colinoflynn

Thanks for more updates! I'll still try and test them, my trip got messed up due to COVID/travel complications so I still didn't get around to it... but if I find any problems will work through them on new issue.

gcammisa added a commit to gcammisa/ChameleonMini that referenced this issue Oct 14, 2022
commit 9fbb7fb
Author: Fabian <[email protected]>
Date:   Wed Sep 21 11:06:58 2022 +0200

    fix emsec#325

    * remove MemoryClear from ConfigurationSetById

commit 62e2f71
Merge: f5c1347 d5d36fe
Author: fptrs <[email protected]>
Date:   Mon Aug 15 10:45:10 2022 +0200

    Merge pull request emsec#323 from maxieds/ExternalUSBReadersCompat

    DESfire emulation support: Updated support for PM3 and better compatibility with external USB readers

commit d5d36fe
Author: Maxie D. Schmidt <[email protected]>
Date:   Wed Aug 3 18:03:28 2022 -0500

    Update BuilingFirmwareBinariesFromSource.md

commit 46a3cc8
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jul 26 01:40:27 2022 -0400

    Small changes to the NAK/ACK return size (4 bits versus 1 byte)

commit eb0d5fd
Author: Maxie D. Schmidt <[email protected]>
Date:   Tue Jul 26 00:02:15 2022 -0400

    Update DESFireSupportReadme.md

commit 3a91394
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jul 25 20:39:50 2022 -0400

    One more small change to resetting the ATQA value automatically depending on whether the UID is known to be randomly generated

commit 2257c42
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jul 25 20:31:29 2022 -0400

    Cleaning up modifications used to test the development code

commit cddb9bd
Author: Maxie D. Schmidt <[email protected]>
Date:   Mon Jul 25 19:41:50 2022 -0400

    Update DESFireSupportReadme.md

commit 63e74f9
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jul 25 19:42:29 2022 -0400

    Changes to ISO14443A-4 handlers confirmed to work with the ACS ACR-122U external USB reader ; Updated docs and source code

commit 32277f0
Author: Maxie D. Schmidt <[email protected]>
Date:   Mon Jul 25 19:15:46 2022 -0400

    Update DESFireSupportReadme.md

commit f9e9018
Author: Maxie D. Schmidt <[email protected]>
Date:   Mon Jul 25 18:42:50 2022 -0400

    Update DESFireSupportReadme.md

commit 8fe0e66
Author: Maxie D. Schmidt <[email protected]>
Date:   Mon Jul 25 18:40:06 2022 -0400

    Update DESFireSupportReadme.md

commit 15be871
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Jul 23 00:16:22 2022 -0400

    Restore point for changes to the CL1/CL2 exchanges in the anticollision for DF ISO14443A-4 support

commit 2a42b31
Author: Maxie D. Schmidt <[email protected]>
Date:   Sat Jul 23 00:12:24 2022 -0400

    Update DESFireSupportReadme.md

commit f5c1347
Author: Fabian <[email protected]>
Date:   Wed Jul 20 13:42:28 2022 +0200

    fix github action name

commit 78a108b
Author: Fabian <[email protected]>
Date:   Wed Jul 20 13:32:06 2022 +0200

    change automated builds

    * make all builds all ISO14443A configs
    * all ISO15693 configs are automatically build with make iso15693

commit 66c2e8b
Merge: 3c01a6c aa20be6
Author: fptrs <[email protected]>
Date:   Wed Jul 20 13:08:23 2022 +0200

    Merge pull request emsec#322 from maxieds/DESFireNFCExternalUSBReaderPatches-LibNFCTestCode

    DESFire emulation support: Bug fixes, improvements and updated LibNFC test code

commit aa20be6
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jul 20 06:14:27 2022 -0400

    Current firmware builds tested with PM3 and LibNFC test code ; Still takes too long to verify the file mgmt and data manip programs

commit ffb6683
Author: Maxie D. Schmidt <[email protected]>
Date:   Wed Jul 20 05:59:02 2022 -0400

    Update DESFireSupportReadme.md

commit b79d964
Author: Maxie D. Schmidt <[email protected]>
Date:   Wed Jul 20 03:25:21 2022 -0400

    Update DESFireSupportReadme.md

commit 5cd6773
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jul 20 03:00:17 2022 -0400

    Restore point for many incremental updates, bug fixes and documentation changes

commit 126189a
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jul 19 22:00:24 2022 -0400

    Verified ISODES and legacy DES auth schemes work ; AES-128 auth support is verified with the PM3

commit a050d04
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jul 19 20:54:09 2022 -0400

    Multiple code cleanup changes to TransferState -- Enc of transfers is handled by the APDU pre/post process functions -- Restore point for previous functionality

commit 871451a
Author: Maxie D. Schmidt <[email protected]>
Date:   Tue Jul 19 19:14:45 2022 -0400

    Update DESFireSupportReadme.md

commit 512eff3
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jul 19 18:53:18 2022 -0400

    Fixing PM3 AES-128 authentication bug

commit 3d86fe4
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jul 19 17:46:08 2022 -0400

    Updating TDEA (x3) crypto code to handle uneven buffer sizes ; Changes to DESFire auth instructions reinit / (in)validate state logic

commit 5c894b8
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jul 19 15:24:27 2022 -0400

    Updating the AES128 enc/dec code to support ECB mode (default) and handle uneven buffer sizes that are not a multiple of 16

commit ccdc36e
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jul 17 16:54:43 2022 -0400

    Removed old AES128 support with AVR libs in place of openssl/EVP ; Bug fix for ISODES auth in the firmware to keep session IV state with multiple auths

commit 3078e7f
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jul 17 14:23:02 2022 -0400

    Stashing working LibNFC test code -- ISO auth is working

commit e7790dc
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jul 17 06:56:28 2022 -0400

    Updates to LibNFC test code (ISO auth works) ; Untested changes to fw source to support recall of header data from EEPROM on power cycle (need to test) ; Other misc minor modifications to stash as a restore point

commit 1c2cf3a
Author: Maxie D. Schmidt <[email protected]>
Date:   Sun Jul 17 02:09:53 2022 -0400

    Update DESFireSupportReadme.md

commit 306865e
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jul 17 01:55:21 2022 -0400

    New DF_ENCMODE command to set ECB/CBC crypto modes ; Incremental changes to LibNFC test code ; Incomplete docs to edit elsewhere

commit 3a89c4b
Author: Maxie D. Schmidt <[email protected]>
Date:   Sat Jul 16 20:57:25 2022 -0400

    Update BuilingFirmwareBinariesFromSource.md

commit 197b958
Author: Maxie D. Schmidt <[email protected]>
Date:   Sat Jul 16 20:55:20 2022 -0400

    Update and rename BuilingFromSource.md to BuilingFirmwareBinariesFromSource.md

commit 5de0aae
Author: Maxie D. Schmidt <[email protected]>
Date:   Sat Jul 16 20:54:59 2022 -0400

    New misc-tags target to BuildScripts/custom_build_targets.mk

commit e07823e
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Jul 16 20:39:06 2022 -0400

    Stashing in progress changes to the DESFire LibNFC test code ; Adding incomplete documentation for custom build targets

commit 3d19776
Author: Maxie D. Schmidt <[email protected]>
Date:   Sat Jul 16 20:27:39 2022 -0400

    Update DESFireSupportReadme.md

commit 4cfea3d
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Jul 15 19:10:30 2022 -0400

    Saving work on the LibNFC testing code for DESFire builds

commit d297a0e
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Jul 15 11:04:24 2022 -0400

    Restoring full log buffer space to the default (non dev) desfire target

commit bfac980
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Jul 15 10:20:39 2022 -0400

    Testing code updates with the PM3 -- a few small changes

commit 53de26e
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Jul 15 08:50:10 2022 -0400

    Tidying up code, build script fixes for no bc command, preliminary attempts to get CONFIG=MF_DESFIRE compatibility with external USB readers using 'pcsc_spy -v'

commit 3c01a6c
Author: fptrs <[email protected]>
Date:   Fri Jul 8 13:09:53 2022 +0200

    Update firmware-desfire-push.yml

commit bc333f9
Merge: 99dceff 37be68d
Author: fptrs <[email protected]>
Date:   Fri Jul 8 12:24:22 2022 +0200

    Merge pull request emsec#319 from maxieds/DESFire-AuthISO-Patch

    DESFire emulation support: Bug, stability and reliability fixes and PM3 compatible ISO authentication

commit 37be68d
Merge: bc8057b 05eeda6
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Jul 1 08:44:33 2022 -0400

    Merge branch 'DESFire-AuthISO-Patch' of https://github.com/maxieds/ChameleonMini into DESFire-AuthISO-Patch

commit bc8057b
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Jul 1 08:44:21 2022 -0400

    Several fixes to responsiveness and frozen behavior noted in PR emsec#319

commit 93e77a2
Author: Maxie Dion Schmidt <[email protected]>
Date:   Thu Jun 30 22:42:22 2022 -0400

    Stashing changes to DESFire code -- No PSTR wrappers on command names as this doesn't change the ELF application size

commit 807d4ac
Author: Maxie Dion Schmidt <[email protected]>
Date:   Thu Jun 30 22:24:07 2022 -0400

    Stashing DESFire updates before tinkering with saving space with PSTR wrappers around the terminal command names

commit 05eeda6
Author: fptrs <[email protected]>
Date:   Wed Jun 29 13:12:55 2022 +0200

    Update Log.py

    change DESFire Generic Error decoder

commit 99dceff
Author: fptrs <[email protected]>
Date:   Wed Jun 29 11:50:28 2022 +0200

    Update ISO15693-A.c

    add missing VICINITY support statement

commit cda26ee
Merge: c3e1dab b6f4094
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 29 05:44:30 2022 -0400

    Merge branch 'DESFire-AuthISO-Patch' of https://github.com/maxieds/ChameleonMini into DESFire-AuthISO-Patch

commit c3e1dab
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 29 05:44:22 2022 -0400

    Updating the FLASH_DATA_ADDR value to the correct value for 6 slots (versus standard 8)

commit b6f4094
Author: fptrs <[email protected]>
Date:   Wed Jun 29 11:36:35 2022 +0200

    add missing sources for ISO15693_SNIFF

commit 3d2a8a6
Author: fptrs <[email protected]>
Date:   Wed Jun 29 11:24:39 2022 +0200

    add missing EM4233 statement

commit 40da00a
Author: fptrs <[email protected]>
Date:   Wed Jun 29 11:12:29 2022 +0200

    fix typos

commit 688b494
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 29 04:50:39 2022 -0400

    More typo corrections and build script bug fixes annotated in emsec#319

commit 7f37bfb
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jun 28 11:59:03 2022 -0400

    Updating source after the feedback from @fptrs in PR emsec#319

commit b378b4e
Author: Maxie D. Schmidt <[email protected]>
Date:   Wed Jun 22 21:00:18 2022 -0400

    Delete DESFire_example.contents

    This image is out of date -- Created using much older firmware sources. It eventually would be nice to replace it with a better dump using PR emsec#319 sources (or more recent).

commit 3806bcf
Author: Maxie D. Schmidt <[email protected]>
Date:   Wed Jun 22 21:00:08 2022 -0400

    Delete DESFire_example.dmp

    This image is out of date -- Created using much older firmware sources. It eventually would be nice to replace it with a better dump using PR emsec#319 sources (or more recent).

commit d29f087
Merge: 149599e 0291b9b
Author: Maxie D. Schmidt <[email protected]>
Date:   Thu Jun 16 20:17:00 2022 -0400

    Merge branch 'master' into DESFire-AuthISO-Patch

commit 149599e
Author: Maxie D. Schmidt <[email protected]>
Date:   Thu Jun 16 02:32:57 2022 -0400

    Cleaning up some old commented out macro definitions

commit bbc489e
Author: Maxie D. Schmidt <[email protected]>
Date:   Thu Jun 16 02:31:32 2022 -0400

    Typo corrected

commit 39de8cc
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 15 18:54:58 2022 -0400

    ACR122U USB/PCSC reader stopped being responsive after all of the PM3 compat changes: Attempt to fix this problem (PM3 command support verified as still working) -- Cf. emsec#313

commit 1ce7b55
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 15 12:20:25 2022 -0400

    Fixing the terminal (echo) printing on MacOS following the last commit for Linux users

commit 68a12e6
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 15 11:42:43 2022 -0400

    Fixing Linux build errors noticed by @colinoflynn in emsec#313

commit 7b4cdd8
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Jun 7 21:56:24 2022 -0400

    Fixing some make build script bugs

commit 024c699
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Jun 4 16:13:01 2022 -0400

    Finalizing the fixes to emsec#313 to verify PM3 support

commit f9c1dab
Author: Maxie Dion Schmidt <[email protected]>
Date:   Thu Jun 2 00:40:53 2022 -0400

    Updates to make/build scripts ; Partial fixes to @colinoflynn's notes in emsec#313 (success with 'hf mfdes info -- Still debugging auth exchanges)

commit 8e77d78
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 1 09:04:53 2022 -0400

    More refinements and efforts to make build output cleaner to read

commit 8a823c8
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Jun 1 00:39:24 2022 -0400

    A few improvements to Makefile and build scripts (cf. previous issue emsec#283)

commit 8e25538
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri May 13 08:27:42 2022 -0400

    Attempt to fix bug with `pm3 --> hf mfdes info` reported in emsec#313

commit 83ce182
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed May 11 00:43:28 2022 -0400

    Fix Makefile bugs noticed in emsec#313

commit 4536789
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Apr 22 13:43:40 2022 -0400

    Incorporating bug fixes by @colinoflynn at https://github.com/colinoflynn/ChameleonMini/commits/desfire-fixes (see message in emsec#313)

commit 19e0d1c
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Mar 30 12:46:06 2022 -0400

    Stashing LibNFC external USB reader test code online to test on Linux (builds on MacOS)

commit f4faaa7
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Mar 30 10:00:26 2022 -0400

    Working ISO authentication on the PM3 : cf. emsec#313

commit 45a6c3f
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Mar 29 23:30:46 2022 -0400

    Stashing more working code to test PM3 compatibility (ISO/EV1 auth)

commit 7ecf3cb
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Mar 26 18:25:54 2022 -0400

    Stuck on debugging issue with PM3 -- Posted to discord -- awaiting fix before this can get fixed

commit fecf5cb
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Mar 26 10:44:07 2022 -0400

    More progress towards PM3 compatible auth II

commit b873261
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Mar 26 10:23:55 2022 -0400

    More progress towards PM3 compatible auth

commit bccf579
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Mar 22 06:36:24 2022 -0400

    Proposed PM3 ISO auth compliant fwmod -- pending testing

commit 1be7688
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Mar 21 21:05:16 2022 -0400

    Adding more complete support for PM3 ISO auth (stashing incremental changes as reference point -- II)

commit bb7d46f
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Mar 21 18:34:11 2022 -0400

    Adding more complete support for PM3 ISO auth (stashing incremental changes as reference point)

commit 0291b9b
Author: Fabian <[email protected]>
Date:   Thu Mar 17 12:04:40 2022 +0100

    update Doxygen

commit aafc5ab
Author: Maxie Dion Schmidt <[email protected]>
Date:   Wed Mar 16 03:03:03 2022 -0400

    Stashing more incremental updates to the code to get/verify PM3 compatibility

commit 64d1fff
Author: Maxie Dion Schmidt <[email protected]>
Date:   Tue Mar 15 17:48:29 2022 -0400

    Stashing incremental changes from Arch for compilation on Mac

commit 371eaca
Merge: 94aeb3c 14537ac
Author: fptrs <[email protected]>
Date:   Tue Mar 1 15:31:32 2022 +0100

    Merge pull request emsec#318 from cacke-r/master

    AUTOCALIBRATE command for Sniff-ISO15693 application

commit 14537ac
Merge: a212bbb c47974e
Author: cacke-r <[email protected]>
Date:   Thu Feb 24 15:40:22 2022 +0100

    Merge pull request #2 from cacke-r/fix_autothreshold

    Sniff15693: Autocalibrate: Detect error case

commit c47974e
Author: cacke-r <[email protected]>
Date:   Wed Feb 23 21:03:17 2022 +0100

    Sniff15693: Autocalibrate: Detect error case

    Detect the case, that we never receive a valid card frame.
    Restore original/recent threshold in this case.

    Signed-off-by: cacke-r <[email protected]>

commit a212bbb
Author: cacke-r <[email protected]>
Date:   Tue Feb 15 20:56:36 2022 +0100

    Chamtool: Add Autothreshold command

    Signed-off-by: cacke-r <[email protected]>

commit c686040
Author: cacke-r <[email protected]>
Date:   Tue Feb 15 20:15:15 2022 +0100

    Commands: Autocalibrate: Dont execute if ISO15693 codec uses autothreshold

    Signed-off-by: cacke-r <[email protected]>

commit b8fec22
Author: cacke-r <[email protected]>
Date:   Mon Feb 14 21:01:46 2022 +0100

    Terminal: Add commands to control Sniff15693 autothreshold feature

    Signed-off-by: cacke-r <[email protected]>

commit b04351b
Author: cacke-r <[email protected]>
Date:   Wed Feb 9 21:46:30 2022 +0100

    Sniff15693: Add CRC Check on received data

    Signed-off-by: cacke-r <[email protected]>

commit ad16434
Author: cacke-r <[email protected]>
Date:   Tue Feb 15 20:07:25 2022 +0100

    Sniff15693: Implementation of Autocalibration command

    Signed-off-by: cacke-r <[email protected]>

commit 821de78
Author: cacke-r <[email protected]>
Date:   Tue Feb 15 20:00:22 2022 +0100

    SniffISO15693: Add functions to codec to enable autocalibration

    Signed-off-by: cacke-r <[email protected]>

commit 97d7ad8
Author: cacke-r <[email protected]>
Date:   Sun Jan 30 21:21:39 2022 +0100

    Hook Sniff15693 App to the AutoCalibration command

    Signed-off-by: cacke-r <[email protected]>

commit 5f8d0ec
Author: cacke-r <[email protected]>
Date:   Sun Jan 30 21:20:38 2022 +0100

    Add Autocalibrate command to chamtool

    Signed-off-by: cacke-r <[email protected]>

commit 8f5053f
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Feb 14 12:54:05 2022 -0500

    *Should* finally be working now -- Problem was that the SETTINGS memory remapped the FLASH memory space used by avr-gcc's __flash to a custom .flashdata section after the LUFA build by a second call to avr-objcopy -- Clever way to maximize slot space, but the previous code was not aware of that causing apparently quasi-non-deterministic behavior with some readers -- Cf. emsec#313 and emsec#315

commit 2d54740
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Feb 14 12:32:10 2022 -0500

    Separate section to store in flash not working -- Beginning new approach to put reduced size massive structure into plain old data mem

commit 138a174
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Feb 14 08:19:23 2022 -0500

    Swapping out previous __flash settings for commands lookup table into last half of LOG_FRAM (code and Makefile defines -- may still need to extract this new section using avr-objcopy -- pending testing)

commit ac265b4
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Feb 13 03:54:01 2022 -0500

    Out of hell ... Everything seems to be working again with the MEMORY_LIMITED_TESTING define set in the Makefile :)

commit 65766e1
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Feb 13 02:41:53 2022 -0500

    Incremental backup -- Auth schemes should be working -- New CommMode checksum functions DO NOT fit into text/data (yet)

commit bf1eadc
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Feb 13 00:29:24 2022 -0500

    Making a sane backup point while profusely debugging

commit a24fbe8
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 21:47:54 2022 -0500

    Preliminary (partial) support for more CommModes -- This is going to need substantial testing -- III

commit 74f216f
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 19:15:57 2022 -0500

    Preliminary (partial) support for more CommModes -- This is going to need substantial testing -- II

commit e9437a6
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 18:52:10 2022 -0500

    Preliminary (partial) support for more CommModes -- This is going to need substantial testing

commit e9ce4ac
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 14:43:01 2022 -0500

    Untested CMAC implementation for CommMode=FULL exchanges (Enciphered+CMAC'ed data)

commit de798fb
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 10:59:20 2022 -0500

    Adding in preliminary AES transfer functions -- Trying to save space for more where it can be pruned -- III -- cf. emsec#313

commit a0cb74c
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 10:20:10 2022 -0500

    Adding in preliminary AES transfer functions -- Trying to save space for more where it can be pruned -- II

commit 583bb93
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 10:07:37 2022 -0500

    Adding in preliminary AES transfer functions -- Trying to save space for more where it can be pruned

commit 3974786
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 08:47:04 2022 -0500

    Finding other places to squeeze space for the DESFire config (Log and terminal buffers stored on the stack -- adding buffer full messages for INFO)

commit a4672ff
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 08:34:27 2022 -0500

    Finding other places to squeeze space for the DESFire config (Log and terminal buffers stored on the stack)

commit 9ee3236
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 08:02:54 2022 -0500

    Addressing the ACK/NAK keep-alive exchanges from some NXP readers noted by @lvandenb in emsec#313

commit b6be1b8
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 05:32:37 2022 -0500

    Space saving defines to remove currently unused crypto exchange functionality (will revisit when get to this subproject)

commit 20a6960
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 04:41:40 2022 -0500

    Fixing legacy auth algorithm from 3K3DES -> 2K3DES (cf. emsec#313)

commit 1644a9e
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 00:40:13 2022 -0500

    Making sure the auth AES and auth ISO handlers keep the chain of prior legacy auths intact

commit bcf68d0
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sat Feb 12 00:27:24 2022 -0500

    Last minute modifications to DES/3DES enc/dec routines for data that is not a multiple of the resp. block size

commit e15f8c7
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Feb 11 22:51:37 2022 -0500

    Fixing bug where we must first auth with the legacy command mentioned in emsec#313

commit e22b286
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Feb 11 17:43:41 2022 -0500

    Removing default testing nonce B from auth commands ; Running make style

commit ba3c736
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Feb 11 17:42:20 2022 -0500

    Bug fixes to observations in emsec#313

commit a02f214
Author: Maxie Dion Schmidt <[email protected]>
Date:   Fri Feb 4 22:17:00 2022 -0500

    Working AES128 auth and ISO auth ; Still need to debug the legacy auth

commit b451e12
Author: Maxie Dion Schmidt <[email protected]>
Date:   Thu Feb 3 06:52:33 2022 -0500

    Working AES128 auth ; Nearly working ISO auth (still debugging) -- Stashing copy for reference

commit 7176259
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jan 31 12:54:23 2022 -0500

    Stashing incremental testing release code

commit ca0afad
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jan 31 10:54:37 2022 -0500

    Adding support for non-wrapped native commands (I believe)

commit 281d3c7
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jan 31 01:23:50 2022 -0500

    AuthLegacy(0x0A) works using 3DES enc/dec modes -- Makefile no testing -- For emsec#313

commit 195e600
Author: Maxie Dion Schmidt <[email protected]>
Date:   Mon Jan 31 01:22:07 2022 -0500

    AuthLegacy(0x0A) works using 3DES enc/dec modes

commit 6ee1958
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jan 30 23:03:07 2022 -0500

    AuthISO(0x1A) works tentatively (a little slowly) with the LibNFC test code

commit d20cac4
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jan 30 15:45:27 2022 -0500

    More testing (still doesn't make it through round2 on the Chameleon)

commit 1e542ec
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jan 30 14:53:16 2022 -0500

    Re-implementing the 3DES crypto with CBC

commit fba0ee3
Author: Maxie Dion Schmidt <[email protected]>
Date:   Sun Jan 30 12:34:25 2022 -0500

    Debugging ISO authenticate command (0x1a)