//-----------------------------------------------------------------------------\r
\r
#include "cmdhfmf.h"\r
+#include "nonce2key/nonce2key.h"\r
\r
static int CmdHelp(const char *Cmd);\r
\r
uint32_t uid = 0;\r
uint32_t nt = 0, nr = 0;\r
uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
- uint8_t isOK = 0;\r
- uint8_t keyBlock[8] = {0};\r
+ int16_t isOK = 0;\r
\r
UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
\r
// message\r
printf("-------------------------------------------------------------------------\n");\r
printf("Executing command. Expected execution time: 25sec on average :-)\n");\r
- printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+ printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
printf("-------------------------------------------------------------------------\n");\r
\r
\r
SendCommand(&c);\r
\r
//flush queue\r
- while (ukbhit()) getchar();\r
+ while (ukbhit()) getchar();\r
\r
// wait cycle\r
while (true) {\r
\r
UsbCommand resp;\r
if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {\r
- isOK = resp.arg[0] & 0xff;\r
+ isOK = resp.arg[0];\r
uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);\r
nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);\r
par_list = bytes_to_num(resp.d.asBytes + 8, 8);\r
ks_list = bytes_to_num(resp.d.asBytes + 16, 8);\r
nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
printf("\n\n");\r
- if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
+ case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
+ case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+ PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
+ default: ;\r
+ }\r
break;\r
}\r
} \r
if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
isOK = 2;\r
PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt); \r
- } else {\r
- printf("------------------------------------------------------------------\n");\r
- PrintAndLog("Key found:%012"llx" \n", r_key);\r
-\r
- num_to_bytes(r_key, 6, keyBlock);\r
- isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);\r
- }\r
- \r
- if (!isOK) \r
- PrintAndLog("Found valid key:%012"llx, r_key);\r
- else\r
- {\r
- if (isOK != 2) PrintAndLog("Found invalid key. "); \r
PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
c.arg[0] = false;\r
goto start;\r
+ } else {\r
+ isOK = 0;\r
+ printf("------------------------------------------------------------------\n");\r
+ PrintAndLog("Found valid key: %012"llx" \n", r_key);\r
}\r
\r
PrintAndLog("");\r
uint8_t trgKeyType = 0;\r
uint8_t SectorsCnt = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
- uint8_t keyBlock[13*6];\r
+ uint8_t keyBlock[14*6];\r
uint64_t key64 = 0;\r
bool transferToEml = false;\r
\r
\r
if (cmdp == 'o') {\r
PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {\r
- PrintAndLog("Nested error.");\r
+ int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
+ if (isOK) {\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ default : PrintAndLog("Unknown Error.\n");\r
+ }\r
return 2;\r
}\r
key64 = bytes_to_num(keyBlock, 6);\r
for (j = 0; j < 2; j++) {\r
if (e_sector[i].foundKey[j]) continue;\r
\r
- res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64);\r
+ res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);\r
\r
if (!res) {\r
e_sector[i].Key[j] = key64;\r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
PrintAndLog("-----------------------------------------------");\r
- if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {\r
- PrintAndLog("Nested error.\n");\r
+ int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
+ if(isOK) {\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ default : PrintAndLog("Unknown Error.\n");\r
+ }\r
free(e_sector);\r
- return 2; }\r
- else {\r
+ return 2;\r
+ } else {\r
calibrate = false;\r
}\r
\r
PrintAndLog("Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
PrintAndLog(" * - all sectors");\r
PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
- PrintAndLog("d - write keys to binary file\n");\r
- PrintAndLog("t - write keys to emulator memory");\r
+ PrintAndLog("d - write keys to binary file");\r
+ PrintAndLog("t - write keys to emulator memory\n");\r
PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic");\r
PrintAndLog(" hf mf chk *1 ? t");\r
PrintAndLog(" hf mf chk *1 ? d");\r
uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
- res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);\r
+ res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
if (res != 1) {\r
if (!res) {\r
PrintAndLog("Found valid key:[%012"llx"]",key64);\r
uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
uint8_t exitAfterNReads = 0;\r
uint8_t flags = 0;\r
-\r
+ \r
uint8_t cmdp = param_getchar(Cmd, 0);\r
+\r
+ clearCommandBuffer();\r
\r
if (cmdp == 'h' || cmdp == 'H') {\r
PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");\r
SendCommand(&c);\r
\r
if(flags & FLAG_INTERACTIVE)\r
- {\r
- UsbCommand resp;\r
+ { \r
PrintAndLog("Press pm3-button to abort simulation");\r
- while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- //We're waiting only 1.5 s at a time, otherwise we get the\r
- // annoying message about "Waiting for a response... "\r
+ \r
+ uint8_t data[40];\r
+ uint8_t key[6];\r
+\r
+ UsbCommand resp; \r
+ while(!ukbhit() ){\r
+ if ( WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {\r
+ if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){\r
+ memset(data, 0x00, sizeof(data));\r
+ memset(key, 0x00, sizeof(key));\r
+ int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
+ \r
+ memcpy(data, resp.d.asBytes, len);\r
+ \r
+ uint64_t corr_uid = 0;\r
+ if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {\r
+ corr_uid = (data[3] << 24) | (data[2] << 16) | (data[1] << 8) | data[0];\r
+ }\r
+ else {\r
+ corr_uid |= (uint64_t)data[2] << 48; \r
+ corr_uid |= (uint64_t)data[1] << 40; \r
+ corr_uid |= (uint64_t)data[0] << 32;\r
+ corr_uid |= data[7] << 24;\r
+ corr_uid |= data[6] << 16;\r
+ corr_uid |= data[5] << 8;\r
+ corr_uid |= data[4];\r
+ }\r
+ tryMfk32(corr_uid, data, key);\r
+ //tryMfk64(corr_uid, data, key);\r
+ PrintAndLog("--");\r
+ }\r
+ }\r
}\r
}\r
- \r
return 0;\r
}\r
\r
uint8_t buf8[64] = {0x00};\r
int i, len, blockNum, numBlocks;\r
int nameParamNo = 1;\r
- \r
+ uint8_t blockWidth = 32;\r
char ctmp = param_getchar(Cmd, 0);\r
\r
if ( ctmp == 'h' || ctmp == 0x00) {\r
PrintAndLog("It loads emul dump from the file `filename.eml`");\r
PrintAndLog("Usage: hf mf eload [card memory] <file name w/o `.eml`>");\r
- PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");\r
+ PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL");\r
PrintAndLog("");\r
PrintAndLog(" sample: hf mf eload filename");\r
PrintAndLog(" hf mf eload 4 filename");\r
case '\0': numBlocks = 16*4; break;\r
case '2' : numBlocks = 32*4; break;\r
case '4' : numBlocks = 256; break;\r
+ case 'U' : // fall through , NTAG 215 has 135blocks a 540 bytes.\r
+ case 'u' : numBlocks = 135; blockWidth = 8; break;\r
default: {\r
numBlocks = 16*4;\r
nameParamNo = 0;\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
fnameptr += len;\r
\r
return 2;\r
}\r
\r
- if (strlen(buf) < 32){\r
+ if (strlen(buf) < blockWidth){\r
if(strlen(buf) && feof(f))\r
break;\r
- PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+ PrintAndLog("File content error. Block data must include %d HEX symbols", blockWidth);\r
fclose(f);\r
return 2;\r
}\r
\r
- for (i = 0; i < 32; i += 2) {\r
+ for (i = 0; i < blockWidth; i += 2) {\r
sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
}\r
- \r
- if (mfEmlSetMem(buf8, blockNum, 1)) {\r
+ if (mfEmlSetMem_xt(buf8, blockNum, 1, blockWidth/2)) {\r
PrintAndLog("Cant set emul block: %3d", blockNum);\r
fclose(f);\r
return 3;\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
// user supplied filename?\r
if (len < 1) {\r
// get filename (UID from memory)\r
if (mfEmlGetMem(buf, 0, 1)) {\r
PrintAndLog("Can\'t get UID from block: %d", 0);\r
- sprintf(filename, "dump.eml"); \r
+ len = sprintf(fnameptr, "dump");\r
+ fnameptr += len;\r
+ }\r
+ else {\r
+ for (j = 0; j < 7; j++, fnameptr += 2)\r
+ sprintf(fnameptr, "%02X", buf[j]);\r
}\r
- for (j = 0; j < 7; j++, fnameptr += 2)\r
- sprintf(fnameptr, "%02X", buf[j]); \r
} else {\r
fnameptr += len;\r
}\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
memset(buf, 0, sizeof(buf));\r
\r
if (fgets(buf, sizeof(buf), f) == NULL) {\r
+ fclose(f);\r
PrintAndLog("File reading error.");\r
return 2;\r
}\r
if(strlen(buf) && feof(f))\r
break;\r
PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+ fclose(f);\r
return 2;\r
}\r
for (i = 0; i < 32; i += 2)\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
if (len < 1) {\r
// get filename\r
if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {\r
PrintAndLog("Cant get block: %d", 0);\r
- return 1;\r
+ len = sprintf(fnameptr, "dump");\r
+ fnameptr += len;\r
+ } else {\r
+ for (j = 0; j < 7; j++, fnameptr += 2)\r
+ sprintf(fnameptr, "%02x", buf[j]); \r
}\r
- for (j = 0; j < 7; j++, fnameptr += 2)\r
- sprintf(fnameptr, "%02x", buf[j]); \r
} else {\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
return 0;\r
}\r
\r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+ uint8_t data[50];\r
+ \r
+ uint32_t nt = param_get32ex(Cmd,0,0,16);\r
+ uint32_t ar_enc = param_get32ex(Cmd,1,0,16);\r
+ uint32_t at_enc = param_get32ex(Cmd,2,0,16);\r
+\r
+ int len = 0;\r
+ param_gethex_ex(Cmd, 3, data, &len);\r
+ \r
+ len /= 2; \r
+ int limit = sizeof(data) / 2;\r
+ \r
+ if ( len >= limit )\r
+ len = limit;\r
+ \r
+ return tryDecryptWord( nt, ar_enc, at_enc, data, len);\r
+}\r
\r
static command_t CommandTable[] =\r
{\r
{"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
{"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
{"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
{NULL, NULL, 0, NULL}\r
};\r
\r