]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
Merge pull request #257 from marshmellow42/master
[proxmark3-svn] / armsrc / iso14443a.c
index d76bddd51a176c722b33f796ed40dd484358d0d9..bd3bd84571637f369b3166555e02d487077e4da6 100644 (file)
 #include "cmd.h"
 #include "iso14443crc.h"
 #include "iso14443a.h"
 #include "cmd.h"
 #include "iso14443crc.h"
 #include "iso14443a.h"
-#include "crapto1.h"
+#include "crapto1/crapto1.h"
 #include "mifareutil.h"
 #include "BigBuf.h"
 #include "protocols.h"
 #include "mifareutil.h"
 #include "BigBuf.h"
 #include "protocols.h"
+#include "parity.h"
+
 
 static uint32_t iso14a_timeout;
 int rsamples = 0;
 
 static uint32_t iso14a_timeout;
 int rsamples = 0;
@@ -123,25 +125,6 @@ static uint32_t LastProxToAirDuration;
 #define        SEC_Y 0x00
 #define        SEC_Z 0xc0
 
 #define        SEC_Y 0x00
 #define        SEC_Z 0xc0
 
-const uint8_t OddByteParity[256] = {
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0,
-  1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1
-};
-
 
 void iso14a_set_trigger(bool enable) {
        trigger = enable;
 
 void iso14a_set_trigger(bool enable) {
        trigger = enable;
@@ -180,11 +163,6 @@ void iso14a_set_ATS_timeout(uint8_t *ats) {
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
 // Generate the parity value for a byte sequence
 //
 //-----------------------------------------------------------------------------
-byte_t oddparity (const byte_t bt)
-{
-       return OddByteParity[bt];
-}
-
 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
 {
        uint16_t paritybit_cnt = 0;
 void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
 {
        uint16_t paritybit_cnt = 0;
@@ -193,7 +171,7 @@ void GetParity(const uint8_t *pbtCmd, uint16_t iLen, uint8_t *par)
 
        for (uint16_t i = 0; i < iLen; i++) {
                // Generate the parity bits
 
        for (uint16_t i = 0; i < iLen; i++) {
                // Generate the parity bits
-               parityBits |= ((OddByteParity[pbtCmd[i]]) << (7-paritybit_cnt));
+               parityBits |= ((oddparity8(pbtCmd[i])) << (7-paritybit_cnt));
                if (paritybit_cnt == 7) {
                        par[paritybyte_cnt] = parityBits;       // save 8 Bits parity
                        parityBits = 0;                                         // and advance to next Parity Byte
                if (paritybit_cnt == 7) {
                        par[paritybyte_cnt] = parityBits;       // save 8 Bits parity
                        parityBits = 0;                                         // and advance to next Parity Byte
@@ -2329,6 +2307,7 @@ typedef struct {
   * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
   * FLAG_10B_UID_IN_DATA       - use 10-byte UID in the data-section not finished
   *    FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
   * FLAG_7B_UID_IN_DATA - means that there is a 7-byte UID in the data-section, we're expected to use that
   * FLAG_10B_UID_IN_DATA       - use 10-byte UID in the data-section not finished
   *    FLAG_NR_AR_ATTACK  - means we should collect NR_AR responses for bruteforcing later
+  * FLAG_RANDOM_NONCE - means we should generate some pseudo-random nonce data (only allows moebius attack)
   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
   * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
   */
   *@param exitAfterNReads, exit simulation after n blocks have been read, 0 is infinite ...
   * (unless reader attack mode enabled then it runs util it gets enough nonces to recover all keys attmpted)
   */
@@ -2336,7 +2315,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 {
        int cardSTATE = MFEMUL_NOFIELD;
        int _UID_LEN = 0; // 4, 7, 10
 {
        int cardSTATE = MFEMUL_NOFIELD;
        int _UID_LEN = 0; // 4, 7, 10
-       int _7BUID = 0;
        int vHf = 0;    // in mV
        int res;
        uint32_t selTimer = 0;
        int vHf = 0;    // in mV
        int res;
        uint32_t selTimer = 0;
@@ -2360,14 +2338,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        uint8_t response[MAX_MIFARE_FRAME_SIZE];
        uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
        
        uint8_t response[MAX_MIFARE_FRAME_SIZE];
        uint8_t response_par[MAX_MIFARE_PARITY_SIZE];
        
-       uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
+       uint8_t rATQA[]    = {0x04, 0x00}; // Mifare classic 1k 4BUID
        uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
        uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
        uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
 
        uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
        uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
        uint8_t rUIDBCC3[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
 
-       uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
-       uint8_t rSAK1[] = {0x04, 0xda, 0x17};
-       uint8_t rSAK2[] = {0x04, 0xda, 0x17}; //need to look up
+       uint8_t rSAKfinal[]= {0x08, 0xb6, 0xdd};      // mifare 1k indicated
+       uint8_t rSAK1[]    = {0x04, 0xda, 0x17};      // indicate UID not finished
 
        uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
 
        uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
@@ -2375,21 +2352,26 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
        // This will be used in the reader-only attack.
 
        //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
        // This will be used in the reader-only attack.
 
-       //allow collecting up to 8 sets of nonces to allow recovery of 8 keys
-       #define ATTACK_KEY_COUNT 8
-       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types
+       //allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
+       #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius)
        memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
 
        memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
 
-       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2];
+       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; //*2 for 2nd attack type (moebius)
        memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
        memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
-       bool gettingMoebius = false;
        uint8_t nonce1_count = 0;
        uint8_t nonce2_count = 0;
        uint8_t moebius_n_count = 0;
        uint8_t nonce1_count = 0;
        uint8_t nonce2_count = 0;
        uint8_t moebius_n_count = 0;
+       bool gettingMoebius = false;
        uint8_t mM = 0; //moebius_modifier for collection storage
 
        // Authenticate response - nonce
        uint8_t mM = 0; //moebius_modifier for collection storage
 
        // Authenticate response - nonce
-       uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
+       uint32_t nonce;
+       if (flags & FLAG_RANDOM_NONCE) {
+               nonce = prand();
+       } else {
+               nonce = bytes_to_num(rAUTH_NT, 4);
+       }
        
        //-- Determine the UID
        // Can be set from emulator memory, incoming data
        
        //-- Determine the UID
        // Can be set from emulator memory, incoming data
@@ -2404,7 +2386,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                // 7B uid comes from data-portion of packet
                memcpy(&rUIDBCC1[1],datain,3);
                memcpy(rUIDBCC2, datain+3, 4);
                // 7B uid comes from data-portion of packet
                memcpy(&rUIDBCC1[1],datain,3);
                memcpy(rUIDBCC2, datain+3, 4);
-               _7BUID = true;
                _UID_LEN = 7;
        } else if (flags & FLAG_10B_UID_IN_DATA) {
                memcpy(&rUIDBCC1[1], datain,   3);
                _UID_LEN = 7;
        } else if (flags & FLAG_10B_UID_IN_DATA) {
                memcpy(&rUIDBCC1[1], datain,   3);
@@ -2414,8 +2395,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        } else {
                // get UID from emul memory - guess at length
                emlGetMemBt(receivedCmd, 7, 1);
        } else {
                // get UID from emul memory - guess at length
                emlGetMemBt(receivedCmd, 7, 1);
-               _7BUID = !(receivedCmd[0] == 0x00);
-               if (!_7BUID) {                     // ---------- 4BUID
+               if (receivedCmd[0] == 0x00) {      // ---------- 4BUID
                        emlGetMemBt(rUIDBCC1, 0, 4);
                        _UID_LEN = 4;
                } else {                           // ---------- 7BUID
                        emlGetMemBt(rUIDBCC1, 0, 4);
                        _UID_LEN = 4;
                } else {                           // ---------- 7BUID
@@ -2515,7 +2495,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                cardSTATE_TO_IDLE();
                                LED_A_ON();
                        }
                                cardSTATE_TO_IDLE();
                                LED_A_ON();
                        }
-               } 
+               }
                if (cardSTATE == MFEMUL_NOFIELD) continue;
 
                //Now, get data
                if (cardSTATE == MFEMUL_NOFIELD) continue;
 
                //Now, get data
@@ -2527,7 +2507,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                } else if (res == 1) {
                        break;  //return value 1 means button press
                }
                } else if (res == 1) {
                        break;  //return value 1 means button press
                }
-                       
+
                // REQ or WUP request in ANY state and WUP in HALTED state
                if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
                        selTimer = GetTickCount();
                // REQ or WUP request in ANY state and WUP in HALTED state
                if (len == 1 && ((receivedCmd[0] == ISO14443A_CMD_REQA && cardSTATE != MFEMUL_HALTED) || receivedCmd[0] == ISO14443A_CMD_WUPA)) {
                        selTimer = GetTickCount();
@@ -2539,6 +2519,9 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                        LED_C_OFF();
                        crypto1_destroy(pcs);
                        cardAUTHKEY = 0xff;
                        LED_C_OFF();
                        crypto1_destroy(pcs);
                        cardAUTHKEY = 0xff;
+                       if (flags & FLAG_RANDOM_NONCE) {
+                               nonce = prand();
+                       }
                        continue;
                }
                
                        continue;
                }
                
@@ -2550,27 +2533,25 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                break;
                        }
                        case MFEMUL_SELECT1:{
                                break;
                        }
                        case MFEMUL_SELECT1:{
-                               // select all
-                               if (len == 2 && (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x20)) {
+                               // select all - 0x93 0x20
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x20)) {
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        break;
                                }
 
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("SELECT ALL received");
                                        EmSendCmd(rUIDBCC1, sizeof(rUIDBCC1));
                                        break;
                                }
 
-                               if (MF_DBGLEVEL >= 4 && len == 9 && receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 )
-                               {
-                                       Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
-                               }
-                               // select card
-                               // check correct sak values... (marshmellow)
-                               if (len == 9 && 
-                                               (receivedCmd[0] == 0x93 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+                               // select card - 0x93 0x70 ...
+                               if (len == 9 &&
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC1, 4) == 0)) {
+                                       if (MF_DBGLEVEL >= 4) 
+                                               Dbprintf("SELECT %02x%02x%02x%02x received",receivedCmd[2],receivedCmd[3],receivedCmd[4],receivedCmd[5]);
+                                       
                                        switch(_UID_LEN) {
                                                case 4:
                                                        cardSTATE = MFEMUL_WORK;
                                                        LED_B_ON();
                                                        if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
                                        switch(_UID_LEN) {
                                                case 4:
                                                        cardSTATE = MFEMUL_WORK;
                                                        LED_B_ON();
                                                        if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol1 time: %d", GetTickCount() - selTimer);
-                                                       EmSendCmd(rSAK, sizeof(rSAK));
+                                                       EmSendCmd(rSAKfinal, sizeof(rSAKfinal));
                                                        break;
                                                case 7:
                                                        cardSTATE       = MFEMUL_SELECT2;
                                                        break;
                                                case 7:
                                                        cardSTATE       = MFEMUL_SELECT2;
@@ -2578,7 +2559,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                        break;
                                                case 10:
                                                        cardSTATE       = MFEMUL_SELECT2;
                                                        break;
                                                case 10:
                                                        cardSTATE       = MFEMUL_SELECT2;
-                                                       EmSendCmd(rSAK2, sizeof(rSAK2));
+                                                       EmSendCmd(rSAK1, sizeof(rSAK1));
                                                        break;
                                                default:break;
                                        }
                                                        break;
                                                default:break;
                                        }
@@ -2592,16 +2573,18 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
+                               // select all cl3 - 0x97 0x20
                                if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) {
                                        EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3));
                                        break;
                                }
                                if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 && receivedCmd[1] == 0x20)) {
                                        EmSendCmd(rUIDBCC3, sizeof(rUIDBCC3));
                                        break;
                                }
+                               // select card cl3 - 0x97 0x70
                                if (len == 9 && 
                                                (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 &&
                                                 receivedCmd[1] == 0x70 && 
                                                 memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) {
 
                                if (len == 9 && 
                                                (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_3 &&
                                                 receivedCmd[1] == 0x70 && 
                                                 memcmp(&receivedCmd[2], rUIDBCC3, 4) == 0) ) {
 
-                                       EmSendCmd(rSAK2, sizeof(rSAK2));
+                                       EmSendCmd(rSAKfinal, sizeof(rSAKfinal));
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer);
                                        cardSTATE = MFEMUL_WORK;
                                        LED_B_ON();
                                        if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol3 time: %d", GetTickCount() - selTimer);
@@ -2611,8 +2594,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                break;
                        }
                        case MFEMUL_AUTH1:{
                                break;
                        }
                        case MFEMUL_AUTH1:{
-                               if( len != 8)
-                               {
+                               if( len != 8) {
                                        cardSTATE_TO_IDLE();
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                        cardSTATE_TO_IDLE();
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
@@ -2621,7 +2603,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                uint32_t nr = bytes_to_num(receivedCmd, 4);
                                uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
        
                                uint32_t nr = bytes_to_num(receivedCmd, 4);
                                uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
        
-                               //Collect AR/NR per keytype & sector
+                               // Collect AR/NR per keytype & sector
                                if(flags & FLAG_NR_AR_ATTACK) {
                                        for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
                                                if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
                                if(flags & FLAG_NR_AR_ATTACK) {
                                        for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
                                                if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
@@ -2639,7 +2621,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                                                ar_nr_resp[i+mM].nr = nr;
                                                                                ar_nr_resp[i+mM].ar = ar;
                                                                                nonce1_count++;
                                                                                ar_nr_resp[i+mM].nr = nr;
                                                                                ar_nr_resp[i+mM].ar = ar;
                                                                                nonce1_count++;
-                                                                               //add this nonce to first moebius nonce
+                                                                               // add this nonce to first moebius nonce
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
@@ -2647,33 +2629,35 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
                                                                                ar_nr_collected[i+ATTACK_KEY_COUNT]++;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
                                                                                ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
                                                                                ar_nr_collected[i+ATTACK_KEY_COUNT]++;
-                                                                       } else { //second nonce collect (std and moebius)
+                                                                       } else { // second nonce collect (std and moebius)
                                                                                ar_nr_resp[i+mM].nonce2 = nonce;
                                                                                ar_nr_resp[i+mM].nr2 = nr;
                                                                                ar_nr_resp[i+mM].ar2 = ar;
                                                                                if (!gettingMoebius) {
                                                                                        nonce2_count++;
                                                                                ar_nr_resp[i+mM].nonce2 = nonce;
                                                                                ar_nr_resp[i+mM].nr2 = nr;
                                                                                ar_nr_resp[i+mM].ar2 = ar;
                                                                                if (!gettingMoebius) {
                                                                                        nonce2_count++;
-                                                                                       //check if this was the last second nonce we need for std attack
+                                                                                       // check if this was the last second nonce we need for std attack
                                                                                        if ( nonce2_count == nonce1_count ) {
                                                                                        if ( nonce2_count == nonce1_count ) {
-                                                                                               //done collecting std test switch to moebius
-                                                                                                 //finish incrementing last sample
+                                                                                               // done collecting std test switch to moebius
+                                                                                               // first finish incrementing last sample
                                                                                                ar_nr_collected[i+mM]++; 
                                                                                                ar_nr_collected[i+mM]++; 
-                                                                                               //switch to moebius collection
+                                                                                               // switch to moebius collection
                                                                                                gettingMoebius = true;
                                                                                                mM = ATTACK_KEY_COUNT;
                                                                                                gettingMoebius = true;
                                                                                                mM = ATTACK_KEY_COUNT;
-                                                                                               nonce = nonce*7;
+                                                                                               if (flags & FLAG_RANDOM_NONCE) {
+                                                                                                       nonce = prand();
+                                                                                               } else {
+                                                                                                       nonce = nonce*7;
+                                                                                               }
                                                                                                break;
                                                                                        }
                                                                                } else {
                                                                                        moebius_n_count++;
                                                                                                break;
                                                                                        }
                                                                                } else {
                                                                                        moebius_n_count++;
-                                                                                       //if we've collected all the nonces we need - finish.
+                                                                                       // if we've collected all the nonces we need - finish.
                                                                                        if (nonce1_count == moebius_n_count) finished = true;
                                                                                }
                                                                        }
                                                                        ar_nr_collected[i+mM]++;
                                                                }
                                                                                        if (nonce1_count == moebius_n_count) finished = true;
                                                                                }
                                                                        }
                                                                        ar_nr_collected[i+mM]++;
                                                                }
-                                                       } else { //already collected 2 nonces for sector - dump out
-                                                               //finished = true;
                                                        }
                                                        // we found right spot for this nonce stop looking
                                                        break;
                                                        }
                                                        // we found right spot for this nonce stop looking
                                                        break;
@@ -2716,24 +2700,25 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                if (!len) { 
                                        LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
-                               }
-                               if (len == 2 && (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x20)) {
+                               }       
+                               // select all cl2 - 0x95 0x20
+                               if (len == 2 && (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x20)) {
                                        EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
                                        break;
                                }
 
                                        EmSendCmd(rUIDBCC2, sizeof(rUIDBCC2));
                                        break;
                                }
 
-                               // select 2 card
+                               // select cl2 card - 0x95 0x70 xxxxxxxxxxxx
                                if (len == 9 && 
                                if (len == 9 && 
-                                               (receivedCmd[0] == 0x95 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
-                                       //which sak now? (marshmellow)
-                                       EmSendCmd(rSAK, sizeof(rSAK));
+                                               (receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT_2 && receivedCmd[1] == 0x70 && memcmp(&receivedCmd[2], rUIDBCC2, 4) == 0)) {
                                        switch(_UID_LEN) {
                                                case 7:
                                        switch(_UID_LEN) {
                                                case 7:
+                                                       EmSendCmd(rSAKfinal, sizeof(rSAKfinal));
                                                        cardSTATE = MFEMUL_WORK;
                                                        LED_B_ON();
                                                        if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
                                                        break;
                                                case 10:
                                                        cardSTATE = MFEMUL_WORK;
                                                        LED_B_ON();
                                                        if (MF_DBGLEVEL >= 4)   Dbprintf("--> WORK. anticol2 time: %d", GetTickCount() - selTimer);
                                                        break;
                                                case 10:
+                                                       EmSendCmd(rSAK1, sizeof(rSAK1));
                                                        cardSTATE = MFEMUL_SELECT3;
                                                        break;
                                                default:break;
                                                        cardSTATE = MFEMUL_SELECT3;
                                                        break;
                                                default:break;
@@ -2963,8 +2948,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
        LEDsoff();
 
-       if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1)
-       {
+       if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
                for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
                        if (ar_nr_collected[i] == 2) {
                                Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
                for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
                        if (ar_nr_collected[i] == 2) {
                                Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
@@ -2995,16 +2979,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        }
        if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ",    tracing, BigBuf_get_traceLen());
 
        }
        if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ",    tracing, BigBuf_get_traceLen());
 
-       if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
-       {
+       if(flags & FLAG_INTERACTIVE) { // Interactive mode flag, means we need to send ACK
                //Send the collected ar_nr in the response
                cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,button_pushed,0,&ar_nr_resp,sizeof(ar_nr_resp));
        }
                //Send the collected ar_nr in the response
                cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,button_pushed,0,&ar_nr_resp,sizeof(ar_nr_resp));
        }
-       
 }
 
 
 }
 
 
-
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
 //-----------------------------------------------------------------------------
 // MIFARE sniffer. 
 // 
Impressum, Datenschutz