Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mifare DESFire tag emulation support #287

Merged
merged 10 commits into from
Oct 19, 2020
Merged

Mifare DESFire tag emulation support #287

merged 10 commits into from
Oct 19, 2020

Conversation

maxieds
Copy link
Contributor

@maxieds maxieds commented Oct 18, 2020

Overview of this pull request

This pull request is effective culmination of my efforts starting this summer to add DESFire tag emulation support to the stock Chameleon Mini firmware sources. I threw my gray hat in the ring offering to get this to work in #218, and it finally seems to be working well after months of head banging and hacking code. Please see the credits for this project -- It has been in part sponsored through GA Tech where I am still a graduate student.

Modular commits to this branch

I made a point to break down the commit history from my separate repo into those made in this fork. This pull request also absorbs #285 and #286 as requisite components. The following is a summary of what has been added to this branch:

  1. LibNFC based software to test the DESFire implementation. This code is important to keep for reference as there are so many moving components with this spec that we should have a sanity check to make sure things don't get broken when modifications are made down the line. At the suggestion of @ceres-c, I put this code into a new directory in Software.
  2. Added detailed documentation here. I was not sure where exactly to file all of this, so I placed the markdown file in the Doc folder.
  3. Sample dump files, including a description of the contents it represents. The dump data includes some new AID types and files.
  4. The core of the DESFire tag support for the bulk of the completely new files that were added to make this happen. I decided to create a new directory to hold most of this implementation: Firmware/Chameleon-Mini/Application/DESFire. Because throwing all of this lengthy source code into a few files in the Application directory makes things impossible to read and maintain, I decided it was best to package up all of the innards of this new functionality and keep the necessary multiple files from cluttering up the main directory.
  5. Changes to the Makefile (see below).
  6. Other smaller changes to the stock sources during development.

Makefile changes (compendia and rationale)

  • Separated the configuration-specific settings into a new CONFIG_SETTINGS variable. This makes it very much painless to add new targets for normal, but non-default builds:
desfire: CONFIG_SETTINGS:= -DCONFIG_MF_DESFIRE_SUPPORT -DDEFAULT_CONFIGURATION=CONFIG_NONE -DDESFIRE_CRYPTO1_SAVE_SPACE
desfire: local-clean $(TARGET).elf $(TARGET).hex $(TARGET).eep
     @cp $(TARGET).hex $(TARGET)-DESFire.hex
     @cp $(TARGET).eep $(TARGET)-DESFire.eep
     @avr-size $(TARGET).elf
  • DESFire tag specific configuration and settings. Most of the big changes to the stock sources are easily disabled by default in the Makefile.
  • There is a new build target: make desfire. This configuration requires so much space on the AVR that it really only works as a standalone version.

The resulting two builds enabled by the make targets

$ make
$ avr-size Chameleon-Mini.elf
   text	   data	    bss	    dec	    hex	filename
  54256	   1226	   4708	  60190	   eb1e	Chameleon-Mini.elf

$ make desfire
$ avr-size Chameleon-Mini.elf     
   text	   data	    bss	    dec	    hex	filename
  60220	    316	   4417	  64953	   fdb9	Chameleon-Mini.elf

Concluding notes

Thanks to the testers on discord and to the developer / maintainers that oversee the main sources for all of the help and informative discussions while I was putting this code together! 🐧 💪

For what it's worth, the first testing release of the DESFire firmware mod came together around the night of RBG's sad passing on Rosh Hashanah this year. The images on the releases page of the intermediate repository I have been working in are carefully chosen and important to me. If you have some time, please glance through these tags and reflect.

@maxieds
Copy link
Contributor Author

maxieds commented Oct 18, 2020
edited
Loading

I want to point out another really nice feature of the code. The DESFire extensions of the Chameleon terminal command set can be used whenever the Chameleon is running CONFIG=MF_DESFIRE. I will point out a couple of interesting examples of use cases quoted from the docs:

DF_SETHDR=ATS xxxxxxxxxx
DF_SETHDR=HardwareVersion xxxx
DF_SETHDR=SoftwareVersion xxxx
DF_SETHDR=BatchNumber xxxxxxxxxx
DF_SETHDR=ProductionDate xxxx

These terminal commands should let users completely clone a DESFire tag. For example, to set the ATS bytes reported to emulate a JCOP tag:

DF_SETHDR=ATS 0675f7b102

This leads to nfc-anticol reporting the following tag data (the UID is pseudo-randomly generated):

Sent bits:     26 (7 bits)
Received bits: 03  44  
Sent bits:     93  20  
Received bits: 88  12  70  a7  4d  
Sent bits:     93  70  88  12  70  a7  4d  f0  08  
Received bits: 04  da  17  
Sent bits:     95  20  
Received bits: e2  c2  6c  b2  fe  
Sent bits:     95  70  e2  c2  6c  b2  fe  51  09  
Received bits: 20  fc  70  
Sent bits:     e0  50  bc  a5  
Received bits: 75  f7  b1  02  80  
Sent bits:     50  00  57  cd  

Found tag with
 UID: 1270a7e2c26cb2
ATQA: 4403
 SAK: 20
 ATS: 75  f7  b1  02  80

A convenient interface that can be used to control the device on the fly in the field is found in the latest versions of my Android logger app for the Chameleon Mini:

🎃 🎃 🎃

@fptrs fptrs merged commit c28597a into emsec:master Oct 19, 2020
This was referenced Oct 19, 2020
Closed
Closed
Closed
@david-oswald
Copy link
Collaborator

Just to say: many thanks @maxieds for your contribution, that is really a massive improvement of the Chameleon firmware!

maxieds added a commit to maxieds/ChameleonMini that referenced this pull request Oct 20, 2020
@maxieds
Cleaning up unused code and appending changes missed in emsec#287
428aa9b
fptrs added a commit that referenced this pull request Oct 23, 2020
@fptrs
Merge pull request #288 from maxieds/desfire-updates
f19cd6f 
Updates to DESfire support code in #287
@maxieds maxieds mentioned this pull request Jan 23, 2022
Merged
@maxieds maxieds mentioned this pull request Jan 30, 2022
Closed
@maxieds maxieds mentioned this pull request Jun 17, 2022
Merged
maxieds added a commit to maxieds/public-file-stashes that referenced this pull request Aug 2, 2024
@maxieds
Ammo reload - X/Twitter info/data wars saga
1c2bd48 
Not joking! These NY mafia types attacked me this week for trying to leave. RADIATION POISONING in South Shore Chicago. I will post the uploaded videos publicly on my YouTube channel after I leave... MDS

The last post with the commit details above appears to have caused Github to refuse to let me upload/backup my data (see files). This is Elon Musk's way of taking a dime away from the poor (as opposed to flicking it at them).

Commit number 314, see here (other pull requests are good too): 
+= emsec/ChameleonMini#314
+= emsec/ChameleonMini#287

Free Kevin, FUCK TRUMP!!! See media reports about him in Chicago on Wednesday. Best for the black POPULATION (I do not like the language) since Lincoln (who abolished slavery). Why can't they ride his ass for 'fake news' (WWII Nazi propaganda word). He deserves the prison sentence.
+= maxieds/ChameleonMiniLiveDebugger#26

Dr. MDS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maxieds @david-oswald @fptrs