From a807a9e81dcca0de906bd761c9dacacf26290982 Mon Sep 17 00:00:00 2001 From: Zinong Li <131403964+zinongli@users.noreply.github.com> Date: Thu, 29 Aug 2024 18:12:14 -0400 Subject: [PATCH] NFC: Saflok Parser (#196) * ready for PR * improve weekday restriction rendering * fix weekday index bug * format * memcpy optimization * format * Update changelog --------- Co-authored-by: Willy-JL <49810075+Willy-JL@users.noreply.github.com> --- CHANGELOG.md | 1 + .../main/nfc/plugins/supported_cards/saflok.c | 273 +++++++++++++++++- 2 files changed, 266 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d36507d49..cae75ea2c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ ### Added: - Apps: - Games: Laser Tag (by @RocketGod-git) +- NFC: Added new Saflok parser (#196 by @zinongli & @xtruan & @zacharyweiss & @evilmog & @Arkwin) - OFW: Desktop: New Procrastination dolphin animation (by @Astrrra) ### Updated: diff --git a/applications/main/nfc/plugins/supported_cards/saflok.c b/applications/main/nfc/plugins/supported_cards/saflok.c index b2904109e..5c4aa0b70 100644 --- a/applications/main/nfc/plugins/supported_cards/saflok.c +++ b/applications/main/nfc/plugins/supported_cards/saflok.c @@ -1,26 +1,64 @@ -// From: https://gitee.com/jadenwu/Saflok_KDF/blob/master/saflok.c +// KDF from: https://gitee.com/jadenwu/Saflok_KDF/blob/master/saflok.c // KDF published and reverse engineered by Jaden Wu // FZ plugin by @noproto +// Decryption and parsing from: https://gitee.com/wangshuoyue/unsaflok +// Decryption algorithm and parsing published by Shuoyue Wang +// Parsing also inspired by Lennert Wouters and Ian Carroll's DEFCON 32 talk +// https://defcon.org/html/defcon-32/dc-32-speakers.html +// FZ parser by @Torron, with help from @xtruan, @zacharyweiss, @evilmog and kara (@Arkwin) #include "nfc_supported_card_plugin.h" #include #include - +#include #include +#include +#include +#include + #define TAG "Saflok" -#define MAGIC_TABLE_SIZE 192 -#define KEY_LENGTH 6 -#define UID_LENGTH 4 -#define CHECK_SECTOR 1 +#define MAGIC_TABLE_SIZE 192 +#define KEY_LENGTH 6 +#define UID_LENGTH 4 +#define CHECK_SECTOR 1 +#define BASIC_ACCESS_BYTE_NUM 17 +#define SAFLOK_YEAR_OFFSET 1980 typedef struct { uint64_t a; uint64_t b; } MfClassicKeyPair; +typedef struct { + uint8_t level_num; + char* level_name; +} SaflokKeyLevel; + +static SaflokKeyLevel key_levels[] = { + {1, "Guest Key"}, + {2, "Connectors"}, + {3, "Suite"}, + {4, "Limited Use"}, + {5, "Failsafe"}, + {6, "Inhibit"}, + {7, "Pool/Meeting Master"}, + {8, "Housekeeping"}, + {9, "Floor Key"}, + {10, "Section Key"}, + {11, "Rooms Master"}, + {12, "Grand Master"}, + {13, "Emergency"}, + {14, "Electronic Lockout"}, + {15, "Secondary Programming Key (SPK)"}, + {16, "Primary Programming Key (PPK)"}, +}; + +const char* weekdays[] = + {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"}; + static MfClassicKeyPair saflok_1k_keys[] = { {.a = 0x000000000000, .b = 0xffffffffffff}, // 000 {.a = 0x2a2c13cc242a, .b = 0xffffffffffff}, // 001 @@ -71,6 +109,68 @@ void generate_saflok_key(const uint8_t* uid, uint8_t* key) { memcpy(key, temp_key, KEY_LENGTH); } +// Lookup table +static const uint8_t c_aDecode[256] = { + 0xEA, 0x0D, 0xD9, 0x74, 0x4E, 0x28, 0xFD, 0xBA, 0x7B, 0x98, 0x87, 0x78, 0xDD, 0x8D, 0xB5, + 0x1A, 0x0E, 0x30, 0xF3, 0x2F, 0x6A, 0x3B, 0xAC, 0x09, 0xB9, 0x20, 0x6E, 0x5B, 0x2B, 0xB6, + 0x21, 0xAA, 0x17, 0x44, 0x5A, 0x54, 0x57, 0xBE, 0x0A, 0x52, 0x67, 0xC9, 0x50, 0x35, 0xF5, + 0x41, 0xA0, 0x94, 0x60, 0xFE, 0x24, 0xA2, 0x36, 0xEF, 0x1E, 0x6B, 0xF7, 0x9C, 0x69, 0xDA, + 0x9B, 0x6F, 0xAD, 0xD8, 0xFB, 0x97, 0x62, 0x5F, 0x1F, 0x38, 0xC2, 0xD7, 0x71, 0x31, 0xF0, + 0x13, 0xEE, 0x0F, 0xA3, 0xA7, 0x1C, 0xD5, 0x11, 0x4C, 0x45, 0x2C, 0x04, 0xDB, 0xA6, 0x2E, + 0xF8, 0x64, 0x9A, 0xB8, 0x53, 0x66, 0xDC, 0x7A, 0x5D, 0x03, 0x07, 0x80, 0x37, 0xFF, 0xFC, + 0x06, 0xBC, 0x26, 0xC0, 0x95, 0x4A, 0xF1, 0x51, 0x2D, 0x22, 0x18, 0x01, 0x79, 0x5E, 0x76, + 0x1D, 0x7F, 0x14, 0xE3, 0x9E, 0x8A, 0xBB, 0x34, 0xBF, 0xF4, 0xAB, 0x48, 0x63, 0x55, 0x3E, + 0x56, 0x8C, 0xD1, 0x12, 0xED, 0xC3, 0x49, 0x8E, 0x92, 0x9D, 0xCA, 0xB1, 0xE5, 0xCE, 0x4D, + 0x3F, 0xFA, 0x73, 0x05, 0xE0, 0x4B, 0x93, 0xB2, 0xCB, 0x08, 0xE1, 0x96, 0x19, 0x3D, 0x83, + 0x39, 0x75, 0xEC, 0xD6, 0x3C, 0xD0, 0x70, 0x81, 0x16, 0x29, 0x15, 0x6C, 0xC7, 0xE7, 0xE2, + 0xF6, 0xB7, 0xE8, 0x25, 0x6D, 0x3A, 0xE6, 0xC8, 0x99, 0x46, 0xB0, 0x85, 0x02, 0x61, 0x1B, + 0x8B, 0xB3, 0x9F, 0x0B, 0x2A, 0xA8, 0x77, 0x10, 0xC1, 0x88, 0xCC, 0xA4, 0xDE, 0x43, 0x58, + 0x23, 0xB4, 0xA1, 0xA5, 0x5C, 0xAE, 0xA9, 0x7E, 0x42, 0x40, 0x90, 0xD2, 0xE9, 0x84, 0xCF, + 0xE4, 0xEB, 0x47, 0x4F, 0x82, 0xD4, 0xC5, 0x8F, 0xCD, 0xD3, 0x86, 0x00, 0x59, 0xDF, 0xF2, + 0x0C, 0x7C, 0xC6, 0xBD, 0xF9, 0x7D, 0xC4, 0x91, 0x27, 0x89, 0x32, 0x72, 0x33, 0x65, 0x68, + 0xAF}; + +void DecryptCard( + uint8_t strCard[BASIC_ACCESS_BYTE_NUM], + int length, + uint8_t decryptedCard[BASIC_ACCESS_BYTE_NUM]) { + int i, num, num2, num3, num4, b = 0, b2 = 0; + for(i = 0; i < length; i++) { + num = c_aDecode[strCard[i]] - (i + 1); + if(num < 0) num += 256; + decryptedCard[i] = num; + } + + if(length == 17) { + b = decryptedCard[10]; + b2 = b & 1; + } + + for(num2 = length; num2 > 0; num2--) { + b = decryptedCard[num2 - 1]; + for(num3 = 8; num3 > 0; num3--) { + num4 = num2 + num3; + if(num4 > length) num4 -= length; + int b3 = decryptedCard[num4 - 1]; + int b4 = (b3 & 0x80) >> 7; + b3 = ((b3 << 1) & 0xFF) | b2; + b2 = (b & 0x80) >> 7; + b = ((b << 1) & 0xFF) | b4; + decryptedCard[num4 - 1] = b3; + } + decryptedCard[num2 - 1] = b; + } +} + +uint8_t CalculateCheckSum(uint8_t data[BASIC_ACCESS_BYTE_NUM]) { + int sum = 0; + for(int i = 0; i < BASIC_ACCESS_BYTE_NUM - 1; i++) { + sum += data[i]; + } + sum = 255 - (sum & 0xFF); + return sum & 0xFF; +} + static bool saflok_verify(Nfc* nfc) { bool verified = false; @@ -153,13 +253,170 @@ static bool saflok_read(Nfc* nfc, NfcDevice* device) { return is_read; } +bool saflok_parse(const NfcDevice* device, FuriString* parsed_data) { + furi_assert(device); + const MfClassicData* data = nfc_device_get_data(device, NfcProtocolMfClassic); + bool parsed = false; + + do { + // Check card type + if(data->type != MfClassicType1k) break; + + // Verify key + const MfClassicSectorTrailer* sec_tr = + mf_classic_get_sector_trailer_by_sector(data, CHECK_SECTOR); + + const uint64_t key_a = + bit_lib_bytes_to_num_be(sec_tr->key_a.data, COUNT_OF(sec_tr->key_a.data)); + if(key_a != saflok_1k_keys[CHECK_SECTOR].a) break; + + // Decrypt basic access + uint8_t basicAccess[BASIC_ACCESS_BYTE_NUM]; + memcpy(&basicAccess, &data->block[1].data, 16); + memcpy(&basicAccess[16], &data->block[2].data[0], 1); + uint8_t decodedBA[BASIC_ACCESS_BYTE_NUM]; + DecryptCard(basicAccess, BASIC_ACCESS_BYTE_NUM, decodedBA); + + // Byte 0: Key level, LED warning bit, and subgroup functions + uint8_t key_level = (decodedBA[0] & 0xF0) >> 4; + uint8_t led_warning = (decodedBA[0] & 0x08) >> 3; + + // Byte 1: Key ID + uint8_t key_id = decodedBA[1]; + + // Byte 2 & 3: KeyRecord, including OpeningKey flag + uint8_t key_record_high = decodedBA[2] & 0x7F; + uint8_t opening_key = (decodedBA[2] & 0x80) >> 7; + uint16_t key_record = (key_record_high << 8) | decodedBA[3]; + + // Byte 4 & 5: Pass level in reversed binary + // This part is commented because the relevance of this info is still unknown + // uint16_t pass_level = ((decodedBA[4] & 0xFF) << 8) | decodedBA[5]; + // uint8_t pass_levels[12]; + // int pass_levels_count = 0; + + // for (int i = 0; i < 12; i++) { + // if ((pass_level >> i) & 1) { + // pass_levels[pass_levels_count++] = i + 1; + // } + // } + + // Byte 5 & 6: EncryptSequence + Combination + uint16_t sequence_combination_number = ((decodedBA[5] & 0x0F) << 8) | decodedBA[6]; + // Bytes 14-15: Property number and year + uint8_t creation_year_bits = (decodedBA[14] & 0xF0); + uint16_t property_id = ((decodedBA[14] & 0x0F) << 8) | decodedBA[15]; + + // Byte 7: OverrideDeadbolt and Days + uint8_t override_deadbolt = (decodedBA[7] & 0x80) >> 7; + uint8_t restricted_weekday = decodedBA[7] & 0x7F; + // Counter to keep track of the number of restricted days + int restricted_count = 0; + // Buffer to store the resulting string + FuriString* restricted_weekday_string = furi_string_alloc(); + // Check each bit from Monday to Sunday + for(int i = 0; i < 7; i++) { + if(restricted_weekday & (0b01000000 >> i)) { + // If the bit is set, append the corresponding weekday to the buffer + if(restricted_count > 0) { + furi_string_cat_printf(restricted_weekday_string, ", "); + } + furi_string_cat_printf(restricted_weekday_string, "%s", weekdays[i]); + restricted_count++; + } + } + + // Determine if all weekdays are restricted + if(restricted_weekday == 0b01111100) { + furi_string_printf(restricted_weekday_string, "weekdays"); + } + // If there are specific restricted days + else if(restricted_weekday == 0b00000011) { + furi_string_printf(restricted_weekday_string, "weekends"); + } + // If no weekdays are restricted + else if(restricted_weekday == 0) { + furi_string_printf(restricted_weekday_string, "none"); + } + + // Bytes 8-10: Expiry interval + uint16_t interval_year = (decodedBA[8] >> 4); + uint8_t interval_month = decodedBA[8] & 0x0F; + uint8_t interval_day = (decodedBA[9] >> 3) & 0x1F; + uint8_t interval_hour = ((decodedBA[9] & 0x07) << 2) | (decodedBA[10] >> 6); + uint8_t interval_minute = decodedBA[10] & 0x3F; + + // Bytes 11-13: Creation date since 1980 Jan 1st + uint16_t creation_year = (((decodedBA[11] & 0xF0) >> 4) + SAFLOK_YEAR_OFFSET) | + creation_year_bits; + uint8_t creation_month = decodedBA[11] & 0x0F; + uint8_t creation_day = (decodedBA[12] >> 3) & 0x1F; + uint8_t creation_hour = ((decodedBA[12] & 0x07) << 2) | (decodedBA[13] >> 6); + uint8_t creation_minute = decodedBA[13] & 0x3F; + + uint16_t expire_year = creation_year + interval_year; + uint8_t expire_month = creation_month + interval_month; + uint8_t expire_day = creation_day + interval_day; + uint8_t expire_hour = interval_hour; + uint8_t expire_minute = interval_minute; + + // Byte 16: Checksum + uint8_t checksum = decodedBA[16]; + uint8_t checksum_calculated = CalculateCheckSum(decodedBA); + bool checksum_valid = (checksum_calculated == checksum); + for(int i = 0; i < 17; i++) { + FURI_LOG_D(TAG, "%02X", decodedBA[i]); + } + FURI_LOG_D(TAG, "CS decrypted: %02X", checksum); + FURI_LOG_D(TAG, "CS calculated: %02X", checksum_calculated); + + furi_string_cat_printf(parsed_data, "\e#Saflok Card\n"); + furi_string_cat_printf( + parsed_data, + "Key Level: %u, %s\n", + key_levels[key_level].level_num, + key_levels[key_level].level_name); + furi_string_cat_printf(parsed_data, "LED Exp. Warning: %s\n", led_warning ? "Yes" : "No"); + furi_string_cat_printf(parsed_data, "Key ID: %02X\n", key_id); + furi_string_cat_printf(parsed_data, "Key Record: %04X\n", key_record); + furi_string_cat_printf(parsed_data, "Opening key: %s\n", opening_key ? "Yes" : "No"); + furi_string_cat_printf( + parsed_data, "Seq. & Combination: %04X\n", sequence_combination_number); + furi_string_cat_printf( + parsed_data, "Override Deadbolt: %s\n", override_deadbolt ? "Yes" : "No"); + furi_string_cat_printf( + parsed_data, + "Restricted Weekday: %s\n", + furi_string_get_cstr(restricted_weekday_string)); + furi_string_cat_printf( + parsed_data, + "Valid Start Date: \n%u-%02d-%02d\n%02d:%02d:00\n", + creation_year, + creation_month, + creation_day, + creation_hour, + creation_minute); + furi_string_cat_printf( + parsed_data, + "Expiration Date: \n%u-%02d-%02d\n%02d:%02d:00\n", + expire_year, + expire_month, + expire_day, + expire_hour, + expire_minute); + furi_string_cat_printf(parsed_data, "Property Number: %u\n", property_id); + furi_string_cat_printf(parsed_data, "Checksum Valid: %s", checksum_valid ? "Yes" : "No"); + parsed = true; + } while(false); + return parsed; +} + /* Actual implementation of app<>plugin interface */ static const NfcSupportedCardsPlugin saflok_plugin = { .protocol = NfcProtocolMfClassic, .verify = saflok_verify, .read = saflok_read, - // KDF mode - .parse = NULL, + .parse = saflok_parse, }; /* Plugin descriptor to comply with basic plugin specification */