Skip to content

Commit

Permalink
Implemented 'info' command for NTAG424
Browse files Browse the repository at this point in the history
  • Loading branch information
dankar committed Oct 31, 2023
1 parent 03ffda0 commit ee3a223
Show file tree
Hide file tree
Showing 3 changed files with 160 additions and 12 deletions.
4 changes: 4 additions & 0 deletions client/src/cmdhfmfdes.c
Original file line number Diff line number Diff line change
Expand Up @@ -439,6 +439,10 @@ static int desfire_print_signature(uint8_t *uid, uint8_t uidlen, uint8_t *signat
return PM3_SUCCESS;
}

int DesfirePrintSignature(uint8_t *uid, uint8_t uidlen, uint8_t *signature, size_t signature_len) {
return desfire_print_signature(uid, uidlen, signature, signature_len, DESFIRE_UNKNOWN);
}

static void swap24(uint8_t *data) {
if (data == NULL) return;
uint8_t tmp = data[0];
Expand Down
2 changes: 2 additions & 0 deletions client/src/cmdhfmfdes.h
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ char *getVersionStr(uint8_t major, uint8_t minor);
int getKeySettings(uint8_t *aid);
*/

int DesfirePrintSignature(uint8_t *uid, uint8_t uidlen, uint8_t *signature, size_t signature_len);

// Ev1 card limits
#define MAX_NUM_KEYS 0x0F
#define MAX_APPLICATION_COUNT 28
Expand Down
166 changes: 154 additions & 12 deletions client/src/cmdhfntag424.c
Original file line number Diff line number Diff line change
Expand Up @@ -32,18 +32,21 @@
#include "ui.h"
#include "util.h"
#include "crc32.h"
#include "cmdhfmfdes.h"

#define NTAG424_MAX_BYTES 412


// NTAG424 commands currently implemented
#define NTAG424_CMD_GET_FILE_SETTINGS 0xF5
#define NTAG424_CMD_CHANGE_FILE_SETTINGS 0x5F
#define NTAG424_CMD_CHANGE_KEY 0xC4
#define NTAG424_CMD_READ_DATA 0xAD
#define NTAG424_CMD_WRITE_DATA 0x8D
#define NTAG424_CMD_AUTHENTICATE_EV2_FIRST_PART_1 0x71
#define NTAG424_CMD_AUTHENTICATE_EV2_FIRST_PART_2 0xAF
#define NTAG424_CMD_GET_FILE_SETTINGS 0xF5
#define NTAG424_CMD_CHANGE_FILE_SETTINGS 0x5F
#define NTAG424_CMD_CHANGE_KEY 0xC4
#define NTAG424_CMD_READ_DATA 0xAD
#define NTAG424_CMD_WRITE_DATA 0x8D
#define NTAG424_CMD_AUTHENTICATE_EV2_FIRST 0x71
#define NTAG424_CMD_MORE_DATA 0xAF
#define NTAG424_CMD_GET_VERSION 0x60
#define NTAG424_CMD_GET_SIGNATURE 0x3C

//
// Original from https://github.com/rfidhacking/node-sdm/
Expand Down Expand Up @@ -117,6 +120,62 @@ typedef struct {
ntag424_file_sdm_settings_t optional_sdm_settings;
} file_settings_write_t;

// -------------- Version information structs -------------------------
typedef struct {
uint8_t vendor_id;
uint8_t type;
uint8_t sub_type;
uint8_t major_version;
uint8_t minor_version;
uint8_t storage_size;
uint8_t protocol;
} PACKED ntag424_version_information_t;

typedef struct {
uint8_t uid[7];
uint8_t batch[4];
uint8_t fab_key_high : 4;
uint8_t batchno : 4;
uint8_t week_prod : 7;
uint8_t fab_key_low : 1;
uint8_t year_prod;
} PACKED ntag424_production_information_t;

typedef struct {
ntag424_version_information_t hardware;
ntag424_version_information_t software;
ntag424_production_information_t production;
} ntag424_full_version_information_t;


static void ntag424_print_version_information(ntag424_version_information_t *version) {
PrintAndLogEx(INFO, " vendor id: " _GREEN_("%02X"), version->vendor_id);
PrintAndLogEx(INFO, " type: " _GREEN_("%02X"), version->type);
PrintAndLogEx(INFO, " sub type: " _GREEN_("%02X"), version->sub_type);
PrintAndLogEx(INFO, " version: " _GREEN_("%d.%d"), version->major_version, version->minor_version);
PrintAndLogEx(INFO, "storage size: " _GREEN_("%02X"), version->storage_size);
PrintAndLogEx(INFO, " protocol: " _GREEN_("%02X"), version->protocol);
}

static void ntag424_print_production_information(ntag424_production_information_t *version) {
PrintAndLogEx(INFO, " uid: " _GREEN_("%s"), sprint_hex(version->uid, sizeof(version->uid)));
PrintAndLogEx(INFO, " batch: " _GREEN_("%s"), sprint_hex(version->batch, sizeof(version->batch)));
PrintAndLogEx(INFO, " batchno: " _GREEN_("%02X"), version->batchno);
PrintAndLogEx(INFO, " fab key: " _GREEN_("%02X"), (version->fab_key_high << 1) | version->fab_key_low);
PrintAndLogEx(INFO, " date: week " _GREEN_("%02X") " / " _GREEN_("20%02X"), version->week_prod, version->year_prod);
}

static void ntag424_print_full_version_information(ntag424_full_version_information_t *version) {
PrintAndLogEx(INFO, "--- " _CYAN_("Hardware version information:"), fileno);
ntag424_print_version_information(&version->hardware);

PrintAndLogEx(INFO, "--- " _CYAN_("Software version information:"), fileno);
ntag424_print_version_information(&version->software);

PrintAndLogEx(INFO, "--- " _CYAN_("Production information:"), fileno);
ntag424_print_production_information(&version->production);
}

// Currently unused functions, commented out due to -Wunused-function
/*static void ntag424_file_settings_set_access_rights(ntag424_file_settings_t *settings,
uint8_t read_write_key, uint8_t change_key,
Expand Down Expand Up @@ -473,7 +532,7 @@ static int ntag424_auth_first_step(uint8_t keyno, uint8_t *key, uint8_t *out) {

APDU_t apdu = {
.cla = 0x90,
.ins = NTAG424_CMD_AUTHENTICATE_EV2_FIRST_PART_1,
.ins = NTAG424_CMD_AUTHENTICATE_EV2_FIRST,
.lc = 0x02,
.data = key_number
};
Expand All @@ -500,7 +559,7 @@ static int ntag424_auth_first_step(uint8_t keyno, uint8_t *key, uint8_t *out) {
static int ntag424_auth_second_step(uint8_t *challenge, uint8_t *response_out) {
APDU_t apdu = {
.cla = 0x90,
.ins = NTAG424_CMD_AUTHENTICATE_EV2_FIRST_PART_2,
.ins = NTAG424_CMD_MORE_DATA,
.lc = 0x20,
.data = challenge,
};
Expand Down Expand Up @@ -691,6 +750,63 @@ static int ntag424_read_data(uint8_t fileno, uint16_t offset, uint16_t num_bytes
return PM3_SUCCESS;
}

static int ntag424_get_version(ntag424_full_version_information_t *version) {
APDU_t apdu = {
.cla = 0x90,
.ins = NTAG424_CMD_GET_VERSION,
};


uint8_t response[256];

int response_length = sizeof(ntag424_version_information_t) + 2;
if (ntag424_exchange_apdu(&apdu, 0, response, &response_length, COMM_PLAIN, NULL, 0x91, 0xAF) != PM3_SUCCESS) {
return PM3_ESOFT;
}
memcpy(&version->hardware, response, sizeof(ntag424_version_information_t));

APDU_t continue_apdu = {
.cla = 0x90,
.ins = NTAG424_CMD_MORE_DATA,
};

response_length = sizeof(ntag424_version_information_t) + 2;
if (ntag424_exchange_apdu(&continue_apdu, 0, response, &response_length, COMM_PLAIN, NULL, 0x91, 0xAF) != PM3_SUCCESS) {
return PM3_ESOFT;
}
memcpy(&version->software, response, sizeof(ntag424_version_information_t));

response_length = sizeof(ntag424_production_information_t) + 2;
if (ntag424_exchange_apdu(&continue_apdu, 0, response, &response_length, COMM_PLAIN, NULL, 0x91, 0x00) != PM3_SUCCESS) {
return PM3_ESOFT;
}
memcpy(&version->production, response, sizeof(ntag424_production_information_t));

return PM3_SUCCESS;
}

#define NXP_SIGNATURE_LENGTH 56
#define NXP_SIGNATURE_ID 0x00

static int ntag424_get_signature(uint8_t *signature_out) {
uint8_t signature_id = NXP_SIGNATURE_ID;
APDU_t apdu = {
.cla = 0x90,
.ins = NTAG424_CMD_GET_SIGNATURE,
.lc = 1,
.data = &signature_id,
};

int response_length = NXP_SIGNATURE_LENGTH + 2;
// This is a weird one. Datasheet claims this command should result in 91 00, but cards, and the AN12196
// document shows 91 90 on success.
if (ntag424_exchange_apdu(&apdu, 1, signature_out, &response_length, COMM_PLAIN, NULL, 0x91, 0x90) != PM3_SUCCESS) {
return PM3_ESOFT;
}

return PM3_SUCCESS;
}

static int ntag424_change_key(uint8_t keyno, uint8_t *new_key, uint8_t *old_key, uint8_t version, ntag424_session_keys_t *session_keys) {
// -------- Calculate xor and crc
uint8_t key[16] = {0};
Expand Down Expand Up @@ -787,9 +903,35 @@ static int CmdHF_ntag424_info(const char *Cmd) {
};
CLIExecWithReturn(ctx, Cmd, argtable, true);
CLIParserFree(ctx);
PrintAndLogEx(INFO, "not implemented yet");
PrintAndLogEx(INFO, "Feel free to contribute!");
return PM3_SUCCESS;

if (SelectCard14443A_4(false, true, NULL) != PM3_SUCCESS) {
PrintAndLogEx(ERR, "Failed to select card");
DropField();
return PM3_ERFTRANS;
}

if (ntag424_select_application() != PM3_SUCCESS) {
DropField();
return PM3_ESOFT;
}

ntag424_full_version_information_t version = {0};
if (ntag424_get_version(&version) != PM3_SUCCESS) {
DropField();
return PM3_ESOFT;
}
ntag424_print_full_version_information(&version);

uint8_t signature[NXP_SIGNATURE_LENGTH];
int res = ntag424_get_signature(signature);
DropField();

if (res == PM3_SUCCESS) {
PrintAndLogEx(INFO, "--- " _CYAN_("NXP originality signature:"), fileno);
DesfirePrintSignature(version.production.uid, 7, signature, NXP_SIGNATURE_LENGTH);
}

return res;
}

static int ntag424_cli_get_auth_information(CLIParserContext *ctx, int keyno_index, int key_index, int *keyno, uint8_t *key_out) {
Expand Down

0 comments on commit ee3a223

Please sign in to comment.