//-----------------------------------------------------------------------------\r
\r
#include "cmdhfmf.h"\r
+#include "./nonce2key/nonce2key.h"\r
\r
static int CmdHelp(const char *Cmd);\r
\r
uint32_t uid = 0;\r
uint32_t nt = 0, nr = 0;\r
uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
- uint8_t isOK = 0;\r
- uint8_t keyBlock[8] = {0};\r
+ int16_t isOK = 0;\r
\r
UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
\r
// message\r
printf("-------------------------------------------------------------------------\n");\r
printf("Executing command. Expected execution time: 25sec on average :-)\n");\r
- printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+ printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
printf("-------------------------------------------------------------------------\n");\r
\r
\r
-start:\r
+ start:\r
clearCommandBuffer();\r
SendCommand(&c);\r
\r
}\r
\r
UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {\r
- isOK = resp.arg[0] & 0xff;\r
+ if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
+ isOK = resp.arg[0];\r
uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);\r
nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);\r
par_list = bytes_to_num(resp.d.asBytes + 8, 8);\r
ks_list = bytes_to_num(resp.d.asBytes + 16, 8);\r
nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
printf("\n\n");\r
- if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
+ case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
+ case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+ PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
+ default: ;\r
+ }\r
break;\r
}\r
} \r
if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
isOK = 2;\r
PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt); \r
- } else {\r
- printf("------------------------------------------------------------------\n");\r
- PrintAndLog("Key found:%012"llx" \n", r_key);\r
-\r
- num_to_bytes(r_key, 6, keyBlock);\r
- isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);\r
- }\r
- \r
- if (!isOK) \r
- PrintAndLog("Found valid key:%012"llx, r_key);\r
- else\r
- {\r
- if (isOK != 2) PrintAndLog("Found invalid key. "); \r
PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
c.arg[0] = false;\r
goto start;\r
+ } else {\r
+ isOK = 0;\r
+ printf("------------------------------------------------------------------\n");\r
+ PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
}\r
\r
PrintAndLog("");\r
{\r
uint8_t sectorNo,blockNo;\r
uint8_t keyType = 0;\r
- uint8_t key[6] = {0xFF};\r
+ uint8_t key[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};\r
uint8_t bldata[16] = {0x00};\r
uint8_t keyA[40][6];\r
uint8_t keyB[40][6];\r
uint8_t trgKeyType = 0;\r
uint8_t SectorsCnt = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
- uint8_t keyBlock[13*6];\r
+ uint8_t keyBlock[14*6];\r
uint64_t key64 = 0;\r
bool transferToEml = false;\r
\r
\r
if (cmdp == 'o') {\r
PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {\r
- PrintAndLog("Nested error.");\r
+ int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
+ if (isOK) {\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ default : PrintAndLog("Unknown Error.\n");\r
+ }\r
return 2;\r
}\r
key64 = bytes_to_num(keyBlock, 6);\r
for (j = 0; j < 2; j++) {\r
if (e_sector[i].foundKey[j]) continue;\r
\r
- res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64);\r
+ res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);\r
\r
if (!res) {\r
e_sector[i].Key[j] = key64;\r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
PrintAndLog("-----------------------------------------------");\r
- if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {\r
- PrintAndLog("Nested error.\n");\r
+ int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
+ if(isOK) {\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ default : PrintAndLog("Unknown Error.\n");\r
+ }\r
free(e_sector);\r
- return 2; }\r
- else {\r
+ return 2;\r
+ } else {\r
calibrate = false;\r
}\r
\r
int CmdHF14AMfChk(const char *Cmd)\r
{\r
if (strlen(Cmd)<3) {\r
- PrintAndLog("Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
+ PrintAndLog("Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
PrintAndLog(" * - all sectors");\r
PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
PrintAndLog("d - write keys to binary file\n");\r
+ PrintAndLog("t - write keys to emulator memory");\r
PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic");\r
PrintAndLog(" hf mf chk *1 ? t");\r
+ PrintAndLog(" hf mf chk *1 ? d");\r
return 0;\r
} \r
\r
uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
- res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);\r
+ res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
if (res != 1) {\r
if (!res) {\r
PrintAndLog("Found valid key:[%012"llx"]",key64);\r
return 0;\r
}\r
\r
-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
- uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+ #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+ uint64_t key = 0;\r
+ typedef struct {\r
+ uint64_t keyA;\r
+ uint64_t keyB;\r
+ } st_t;\r
+ st_t sector_trailer[ATTACK_KEY_COUNT];\r
+ memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+ uint8_t stSector[ATTACK_KEY_COUNT];\r
+ memset(stSector, 0x00, sizeof(stSector));\r
+ uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+ memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+ for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+ if (ar_resp[i].ar2 > 0) {\r
+ //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+ if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
+ PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+ for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+ if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+ if (ar_resp[i].keytype==0) {\r
+ //keyA\r
+ sector_trailer[ii].keyA = key;\r
+ stSector[ii] = ar_resp[i].sector;\r
+ key_cnt[ii]++;\r
+ break;\r
+ } else {\r
+ //keyB\r
+ sector_trailer[ii].keyB = key;\r
+ stSector[ii] = ar_resp[i].sector;\r
+ key_cnt[ii]++;\r
+ break;\r
+ }\r
+ }\r
+ }\r
+ } else if (tryMfk32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+ uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+ uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+ PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]"\r
+ , keyType ? "B" : "A"\r
+ , sectorNum\r
+ , key\r
+ );\r
+\r
+ for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+ if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+ if (keyType==0) {\r
+ //keyA\r
+ sector_trailer[ii].keyA = key;\r
+ stSector[ii] = sectorNum;\r
+ key_cnt[ii]++;\r
+ break;\r
+ } else {\r
+ //keyB\r
+ sector_trailer[ii].keyB = key;\r
+ stSector[ii] = sectorNum;\r
+ key_cnt[ii]++;\r
+ break;\r
+ }\r
+ }\r
+ }\r
+ continue;\r
+ }\r
+ }\r
+ }\r
+ //set emulator memory for keys\r
+ if (setEmulatorMem) {\r
+ for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+ if (key_cnt[i]>0) {\r
+ uint8_t memBlock[16];\r
+ memset(memBlock, 0x00, sizeof(memBlock));\r
+ char cmd1[36];\r
+ memset(cmd1,0x00,sizeof(cmd1));\r
+ snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+ PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
+ if (param_gethex(cmd1, 0, memBlock, 32)) {\r
+ PrintAndLog("block data must include 32 HEX symbols");\r
+ return;\r
+ }\r
+ \r
+ UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
+ memcpy(c.d.asBytes, memBlock, 16);\r
+ clearCommandBuffer();\r
+ SendCommand(&c); \r
+ }\r
+ }\r
+ }\r
+ /*\r
+ //un-comment to use as well moebius attack\r
+ for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
+ if (ar_resp[i].ar2 > 0) {\r
+ if (tryMfk32_moebius(ar_resp[i], &key)) {\r
+ PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+ }\r
+ }\r
+ }*/\r
+}\r
+\r
+int usage_hf14_mf1ksim(void) {\r
+ PrintAndLog("Usage: hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");\r
+ PrintAndLog("options:");\r
+ PrintAndLog(" h this help");\r
+ PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");\r
+ PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
+ PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
+ PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
+ PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");\r
+ PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");\r
+ PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");\r
+ PrintAndLog("samples:");\r
+ PrintAndLog(" hf mf sim u 0a0a0a0a");\r
+ PrintAndLog(" hf mf sim u 11223344556677");\r
+ PrintAndLog(" hf mf sim u 112233445566778899AA");\r
+ PrintAndLog(" hf mf sim f uids.txt");\r
+ PrintAndLog(" hf mf sim u 0a0a0a0a e");\r
+ \r
+ return 0;\r
+}\r
+\r
+int CmdHF14AMf1kSim(const char *Cmd) {\r
+ UsbCommand resp;\r
+ uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
uint8_t exitAfterNReads = 0;\r
uint8_t flags = 0;\r
-\r
- if (param_getchar(Cmd, 0) == 'h') {\r
- PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");\r
- PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used");\r
- PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
- PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
- PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
- PrintAndLog(" sample: hf mf sim u 0a0a0a0a ");\r
- return 0;\r
- }\r
+ int uidlen = 0;\r
uint8_t pnr = 0;\r
- if (param_getchar(Cmd, pnr) == 'u') {\r
- if(param_gethex(Cmd, pnr+1, uid, 8) == 0)\r
- {\r
- flags |= FLAG_4B_UID_IN_DATA; // UID from packet\r
- } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {\r
- flags |= FLAG_7B_UID_IN_DATA;// UID from packet\r
- } else {\r
- PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");\r
- return 1;\r
+ bool setEmulatorMem = false;\r
+ bool attackFromFile = false;\r
+ FILE *f;\r
+ char filename[FILE_PATH_SIZE];\r
+ memset(filename, 0x00, sizeof(filename));\r
+ int len = 0;\r
+ char buf[64];\r
+\r
+ uint8_t cmdp = 0;\r
+ bool errors = false;\r
+\r
+ while(param_getchar(Cmd, cmdp) != 0x00) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'e':\r
+ case 'E':\r
+ setEmulatorMem = true;\r
+ //implies x and i\r
+ flags |= FLAG_INTERACTIVE;\r
+ flags |= FLAG_NR_AR_ATTACK;\r
+ cmdp++;\r
+ break;\r
+ case 'f':\r
+ case 'F':\r
+ len = param_getstr(Cmd, cmdp+1, filename);\r
+ if (len < 1) {\r
+ PrintAndLog("error no filename found");\r
+ return 0;\r
+ }\r
+ attackFromFile = true;\r
+ //implies x and i\r
+ flags |= FLAG_INTERACTIVE;\r
+ flags |= FLAG_NR_AR_ATTACK;\r
+ cmdp += 2;\r
+ break;\r
+ case 'h':\r
+ case 'H':\r
+ return usage_hf14_mf1ksim();\r
+ case 'i':\r
+ case 'I':\r
+ flags |= FLAG_INTERACTIVE;\r
+ cmdp++;\r
+ break;\r
+ case 'n':\r
+ case 'N':\r
+ exitAfterNReads = param_get8(Cmd, pnr+1);\r
+ cmdp += 2;\r
+ break;\r
+ case 'r':\r
+ case 'R':\r
+ flags |= FLAG_RANDOM_NONCE;\r
+ cmdp++;\r
+ break;\r
+ case 'u':\r
+ case 'U':\r
+ param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
+ switch(uidlen) {\r
+ case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete\r
+ case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
+ default: return usage_hf14_mf1ksim();\r
+ }\r
+ cmdp += 2;\r
+ break;\r
+ case 'x':\r
+ case 'X':\r
+ flags |= FLAG_NR_AR_ATTACK;\r
+ cmdp++;\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = true;\r
+ break;\r
}\r
- pnr +=2;\r
- }\r
- if (param_getchar(Cmd, pnr) == 'n') {\r
- exitAfterNReads = param_get8(Cmd,pnr+1);\r
- pnr += 2;\r
- }\r
- if (param_getchar(Cmd, pnr) == 'i' ) {\r
- //Using a flag to signal interactiveness, least significant bit\r
- flags |= FLAG_INTERACTIVE;\r
- pnr++;\r
+ if(errors) break;\r
}\r
+ //Validations\r
+ if(errors) return usage_hf14_mf1ksim();\r
\r
- if (param_getchar(Cmd, pnr) == 'x' ) {\r
- //Using a flag to signal interactiveness, least significant bit\r
- flags |= FLAG_NR_AR_ATTACK;\r
- }\r
- PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",\r
- flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
- flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A"\r
- , exitAfterNReads, flags,flags);\r
+ //get uid from file\r
+ if (attackFromFile) {\r
+ int count = 0;\r
+ // open file\r
+ f = fopen(filename, "r");\r
+ if (f == NULL) {\r
+ PrintAndLog("File %s not found or locked", filename);\r
+ return 1;\r
+ }\r
+ PrintAndLog("Loading file and simulating. Press keyboard to abort");\r
+ while(!feof(f) && !ukbhit()){\r
+ memset(buf, 0, sizeof(buf));\r
+ memset(uid, 0, sizeof(uid));\r
\r
+ if (fgets(buf, sizeof(buf), f) == NULL) { \r
+ if (count > 0) break;\r
+ \r
+ PrintAndLog("File reading error.");\r
+ fclose(f);\r
+ return 2;\r
+ }\r
+ if(!strlen(buf) && feof(f)) break;\r
+\r
+ uidlen = strlen(buf)-1;\r
+ switch(uidlen) {\r
+ case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete\r
+ case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags |= FLAG_4B_UID_IN_DATA; break;\r
+ default: \r
+ PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);\r
+ fclose(f);\r
+ return 2;\r
+ }\r
\r
- UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
- memcpy(c.d.asBytes, uid, sizeof(uid));\r
- SendCommand(&c);\r
+ for (uint8_t i = 0; i < uidlen; i += 2) {\r
+ sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);\r
+ }\r
+ \r
+ PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",\r
+ flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+ flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): \r
+ flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+ , exitAfterNReads, flags, flags);\r
+\r
+ UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+ memcpy(c.d.asBytes, uid, sizeof(uid));\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
\r
- if(flags & FLAG_INTERACTIVE)\r
- {\r
- UsbCommand resp;\r
- PrintAndLog("Press pm3-button to abort simulation");\r
- while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- //We're waiting only 1.5 s at a time, otherwise we get the\r
- // annoying message about "Waiting for a response... "\r
+ while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+ //We're waiting only 1.5 s at a time, otherwise we get the\r
+ // annoying message about "Waiting for a response... "\r
+ }\r
+ //got a response\r
+ nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+ memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+ // We can skip the standard attack if we have RANDOM_NONCE set.\r
+ readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+ if ((bool)resp.arg[1]) {\r
+ PrintAndLog("Device button pressed - quitting");\r
+ fclose(f);\r
+ return 4;\r
+ }\r
+ count++;\r
+ }\r
+ fclose(f);\r
+ } else { //not from file\r
+\r
+ PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
+ flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+ flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): \r
+ flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+ , exitAfterNReads, flags, flags);\r
+\r
+ UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+ memcpy(c.d.asBytes, uid, sizeof(uid));\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
+\r
+ if(flags & FLAG_INTERACTIVE) {\r
+ PrintAndLog("Press pm3-button to abort simulation");\r
+ while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+ //We're waiting only 1.5 s at a time, otherwise we get the\r
+ // annoying message about "Waiting for a response... "\r
+ }\r
+ //got a response\r
+ if (flags & FLAG_NR_AR_ATTACK) {\r
+ nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+ memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+ // We can skip the standard attack if we have RANDOM_NONCE set.\r
+ readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+ }\r
}\r
}\r
- \r
+\r
return 0;\r
}\r
\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
fnameptr += len;\r
\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
// user supplied filename?\r
if (len < 1) {\r
// get filename (UID from memory)\r
if (mfEmlGetMem(buf, 0, 1)) {\r
PrintAndLog("Can\'t get UID from block: %d", 0);\r
- sprintf(filename, "dump.eml"); \r
+ len = sprintf(fnameptr, "dump");\r
+ fnameptr += len;\r
+ }\r
+ else {\r
+ for (j = 0; j < 7; j++, fnameptr += 2)\r
+ sprintf(fnameptr, "%02X", buf[j]);\r
}\r
- for (j = 0; j < 7; j++, fnameptr += 2)\r
- sprintf(fnameptr, "%02X", buf[j]); \r
} else {\r
fnameptr += len;\r
}\r
uint8_t wipeCard = 0;\r
uint8_t uid[8] = {0x00};\r
uint8_t oldUid[8] = {0x00};\r
+ uint8_t atqa[2] = {0x00};\r
+ uint8_t sak[1] = {0x00};\r
+ uint8_t atqaPresent = 1;\r
int res;\r
-\r
- if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
- PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> <w>");\r
- PrintAndLog("sample: hf mf csetuid 01020304 w");\r
- PrintAndLog("Set UID for magic Chinese card (only works with!!!)");\r
- PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
+ char ctmp;\r
+ int argi=0;\r
+\r
+ if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') {\r
+ PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");\r
+ PrintAndLog("sample: hf mf csetuid 01020304");\r
+ PrintAndLog("sample: hf mf csetuid 01020304 0004 08 w");\r
+ PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
+ PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line.");\r
return 0;\r
- } \r
+ }\r
\r
- if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
+ if (param_getchar(Cmd, argi) && param_gethex(Cmd, argi, uid, 8)) {\r
PrintAndLog("UID must include 8 HEX symbols");\r
return 1;\r
}\r
+ argi++;\r
\r
- char ctmp = param_getchar(Cmd, 1);\r
- if (ctmp == 'w' || ctmp == 'W') wipeCard = 1;\r
- \r
- PrintAndLog("--wipe card:%02x uid:%s", wipeCard, sprint_hex(uid, 4));\r
+ ctmp = param_getchar(Cmd, argi);\r
+ if (ctmp == 'w' || ctmp == 'W') {\r
+ wipeCard = 1;\r
+ atqaPresent = 0;\r
+ }\r
\r
- res = mfCSetUID(uid, oldUid, wipeCard);\r
+ if (atqaPresent) {\r
+ if (param_getchar(Cmd, argi)) {\r
+ if (param_gethex(Cmd, argi, atqa, 4)) {\r
+ PrintAndLog("ATQA must include 4 HEX symbols");\r
+ return 1;\r
+ }\r
+ argi++;\r
+ if (!param_getchar(Cmd, argi) || param_gethex(Cmd, argi, sak, 2)) {\r
+ PrintAndLog("SAK must include 2 HEX symbols");\r
+ return 1;\r
+ }\r
+ argi++;\r
+ } else\r
+ atqaPresent = 0;\r
+ }\r
+\r
+ if(!wipeCard) {\r
+ ctmp = param_getchar(Cmd, argi);\r
+ if (ctmp == 'w' || ctmp == 'W') {\r
+ wipeCard = 1;\r
+ }\r
+ }\r
+\r
+ PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4));\r
+\r
+ res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard);\r
if (res) {\r
PrintAndLog("Can't set UID. error=%d", res);\r
return 1;\r
\r
int CmdHF14AMfCSetBlk(const char *Cmd)\r
{\r
- uint8_t uid[8] = {0x00};\r
uint8_t memBlock[16] = {0x00};\r
uint8_t blockNo = 0;\r
+ bool wipeCard = FALSE;\r
int res;\r
\r
if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
- PrintAndLog("Usage: hf mf csetblk <block number> <block data (32 hex symbols)>");\r
+ PrintAndLog("Usage: hf mf csetblk <block number> <block data (32 hex symbols)> [w]");\r
PrintAndLog("sample: hf mf csetblk 1 01020304050607080910111213141516");\r
- PrintAndLog("Set block data for magic Chinese card (only works with!!!)");\r
- PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
+ PrintAndLog("Set block data for magic Chinese card (only works with such cards)");\r
+ PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");\r
return 0;\r
} \r
\r
return 1;\r
}\r
\r
+ char ctmp = param_getchar(Cmd, 2);\r
+ wipeCard = (ctmp == 'w' || ctmp == 'W');\r
PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));\r
\r
- res = mfCSetBlock(blockNo, memBlock, uid, 0, CSETBLOCK_SINGLE_OPER);\r
+ res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);\r
if (res) {\r
- PrintAndLog("Can't write block. error=%d", res);\r
- return 1;\r
- }\r
- \r
- PrintAndLog("UID:%s", sprint_hex(uid, 4));\r
+ PrintAndLog("Can't write block. error=%d", res);\r
+ return 1;\r
+ }\r
return 0;\r
}\r
\r
char buf[64] = {0x00};\r
uint8_t buf8[64] = {0x00};\r
uint8_t fillFromEmulator = 0;\r
- int i, len, blockNum, flags;\r
+ int i, len, blockNum, flags=0;\r
\r
- // memset(filename, 0, sizeof(filename));\r
- // memset(buf, 0, sizeof(buf));\r
-\r
if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
- PrintAndLog("It loads magic Chinese card (only works with!!!) from the file `filename.eml`");\r
+ PrintAndLog("It loads magic Chinese card from the file `filename.eml`");\r
PrintAndLog("or from emulator memory (option `e`)");\r
PrintAndLog("Usage: hf mf cload <file name w/o `.eml`>");\r
PrintAndLog(" or: hf mf cload e ");\r
if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
\r
if (fillFromEmulator) {\r
- flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
for (blockNum = 0; blockNum < 16 * 4; blockNum += 1) {\r
if (mfEmlGetMem(buf8, blockNum, 1)) {\r
PrintAndLog("Cant get block: %d", blockNum);\r
return 2;\r
}\r
- \r
- if (blockNum == 2) flags = 0;\r
- if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+ if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence\r
+ if (blockNum == 1) flags = 0; // just write\r
+ if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Magic Halt and switch off field.\r
\r
if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
PrintAndLog("Cant set magic card block: %d", blockNum);\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
}\r
\r
blockNum = 0;\r
- flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
while(!feof(f)){\r
+ \r
memset(buf, 0, sizeof(buf));\r
+ \r
if (fgets(buf, sizeof(buf), f) == NULL) {\r
+ fclose(f);\r
PrintAndLog("File reading error.");\r
return 2;\r
}\r
\r
- if (strlen(buf) < 32){\r
+ if (strlen(buf) < 32) {\r
if(strlen(buf) && feof(f))\r
break;\r
PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+ fclose(f);\r
return 2;\r
}\r
for (i = 0; i < 32; i += 2)\r
sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
\r
- if (blockNum == 2) flags = 0;\r
- if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+ if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence\r
+ if (blockNum == 1) flags = 0; // just write\r
+ if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Switch off field.\r
\r
if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
PrintAndLog("Can't set magic card block: %d", blockNum);\r
PrintAndLog("Loaded from file: %s", filename);\r
return 0;\r
}\r
+ return 0;\r
}\r
\r
int CmdHF14AMfCGetBlk(const char *Cmd) {\r
if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
PrintAndLog("Usage: hf mf cgetblk <block number>");\r
PrintAndLog("sample: hf mf cgetblk 1");\r
- PrintAndLog("Get block data from magic Chinese card (only works with!!!)\n");\r
+ PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
return 0;\r
} \r
\r
if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
PrintAndLog("Usage: hf mf cgetsc <sector number>");\r
PrintAndLog("sample: hf mf cgetsc 0");\r
- PrintAndLog("Get sector data from magic Chinese card (only works with!!!)\n");\r
+ PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
return 0;\r
} \r
\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
if (len < 1) {\r
// get filename\r
if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {\r
PrintAndLog("Cant get block: %d", 0);\r
- return 1;\r
+ len = sprintf(fnameptr, "dump");\r
+ fnameptr += len;\r
+ }\r
+ else {\r
+ for (j = 0; j < 7; j++, fnameptr += 2)\r
+ sprintf(fnameptr, "%02x", buf[j]); \r
}\r
- for (j = 0; j < 7; j++, fnameptr += 2)\r
- sprintf(fnameptr, "%02x", buf[j]); \r
} else {\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
int res = 0;\r
int len = 0;\r
int blockLen = 0;\r
- int num = 0;\r
int pckNum = 0;\r
- uint8_t uid[7] = {0x00};\r
+ int num = 0;\r
+ uint8_t uid[7];\r
uint8_t uid_len;\r
uint8_t atqa[2] = {0x00};\r
uint8_t sak;\r
bool isTag;\r
- uint8_t buf[3000] = {0x00};\r
- uint8_t * bufPtr = buf;\r
+ uint8_t *buf = NULL;\r
+ uint16_t bufsize = 0;\r
+ uint8_t *bufPtr = NULL;\r
\r
- if (param_getchar(Cmd, 0) == 'h') {\r
+ char ctmp = param_getchar(Cmd, 0);\r
+ if ( ctmp == 'h' || ctmp == 'H' ) {\r
PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");\r
PrintAndLog("You can specify:");\r
PrintAndLog(" l - save encrypted sequence to logfile `uid.log`");\r
} \r
\r
for (int i = 0; i < 4; i++) {\r
- char ctmp = param_getchar(Cmd, i);\r
+ ctmp = param_getchar(Cmd, i);\r
if (ctmp == 'l' || ctmp == 'L') wantLogToFile = true;\r
if (ctmp == 'd' || ctmp == 'D') wantDecrypt = true;\r
//if (ctmp == 'e' || ctmp == 'E') wantSaveToEml = true; TODO\r
break;\r
}\r
\r
- UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {\r
+ UsbCommand resp;\r
+ if (WaitForResponseTimeout(CMD_ACK,&resp,2000)) {\r
res = resp.arg[0] & 0xff;\r
- len = resp.arg[1];\r
- num = resp.arg[2];\r
- \r
- if (res == 0) return 0;\r
- if (res == 1) {\r
- if (num ==0) {\r
+ uint16_t traceLen = resp.arg[1];\r
+ len = resp.arg[2];\r
+\r
+ if (res == 0) return 0; // we are done\r
+\r
+ if (res == 1) { // there is (more) data to be transferred\r
+ if (pckNum == 0) { // first packet, (re)allocate necessary buffer\r
+ if (traceLen > bufsize) {\r
+ uint8_t *p;\r
+ if (buf == NULL) { // not yet allocated\r
+ p = malloc(traceLen);\r
+ } else { // need more memory\r
+ p = realloc(buf, traceLen);\r
+ }\r
+ if (p == NULL) {\r
+ PrintAndLog("Cannot allocate memory for trace");\r
+ free(buf);\r
+ return 2;\r
+ }\r
+ buf = p;\r
+ }\r
bufPtr = buf;\r
- memset(buf, 0x00, 3000);\r
+ bufsize = traceLen;\r
+ memset(buf, 0x00, traceLen);\r
}\r
memcpy(bufPtr, resp.d.asBytes, len);\r
bufPtr += len;\r
pckNum++;\r
}\r
- if (res == 2) {\r
+\r
+ if (res == 2) { // received all data, start displaying\r
blockLen = bufPtr - buf;\r
bufPtr = buf;\r
printf(">\n");\r
PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum);\r
- num = 0;\r
while (bufPtr - buf < blockLen) {\r
- bufPtr += 6;\r
+ bufPtr += 6; // skip (void) timing information\r
len = *((uint16_t *)bufPtr);\r
-\r
if(len & 0x8000) {\r
isTag = true;\r
len &= 0x7fff;\r
}\r
bufPtr += 2;\r
if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) {\r
- \r
memcpy(uid, bufPtr + 2, 7);\r
memcpy(atqa, bufPtr + 2 + 7, 2);\r
uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
sak = bufPtr[11];\r
- \r
PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x", \r
sprint_hex(uid + (7 - uid_len), uid_len),\r
atqa[1], \r
AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
if (wantDecrypt) \r
mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
+ num++; \r
}\r
bufPtr += len;\r
bufPtr += ((len-1)/8+1); // ignore parity\r
- num++;\r
}\r
+ pckNum = 0;\r
}\r
} // resp not NULL\r
} // while (true)\r
- \r
+\r
+ free(buf);\r
return 0;\r
}\r
\r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+ uint8_t data[50];\r
+ int len = 0;\r
+ param_gethex_ex(Cmd,3,data,&len);\r
+ return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
+}\r
+\r
static command_t CommandTable[] =\r
{\r
{"help", CmdHelp, 1, "This help"},\r
{"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
{"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
{"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
{NULL, NULL, 0, NULL}\r
};\r
\r