\r
t1 = clock() - t1;\r
if ( t1 > 0 )\r
- PrintAndLog("Time in darkside: %.0f ticks - %4.2f sec\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC);\r
+ PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1);\r
return 0;\r
}\r
\r
PrintAndLog("t - transfer keys into emulator memory");\r
PrintAndLog("d - write keys to binary file");\r
PrintAndLog(" ");\r
- PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");\r
- PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
- PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
- PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
+ PrintAndLog(" samples:");\r
+ PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF ");\r
+ PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
+ PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
+ PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
return 0;\r
} \r
\r
}\r
clock_t t2 = clock() - t1;\r
if ( t2 > 0 )\r
- PrintAndLog("Time to check 6 known keys: %.0f ticks %4.2f sec", (float)t2, ((float)t2)/CLOCKS_PER_SEC);\r
- \r
+ PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 );\r
+\r
+ PrintAndLog("enter nested..."); \r
\r
// nested sectors\r
iterations = 0;\r
- PrintAndLog("enter nested...");\r
bool calibrate = true;\r
+\r
for (i = 0; i < NESTED_SECTOR_RETRY; i++) {\r
for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; ++sectorNo) {\r
for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) { \r
}\r
}\r
}\r
+ \r
+ t1 = clock() - t1;\r
+ if ( t1 > 0 )\r
+ PrintAndLog("Time in nested: %.0f ticks \n", (float)t1);\r
\r
// 20160116 If Sector A is found, but not Sector B, try just reading it of the tag?\r
PrintAndLog("trying to read key B...");\r
key64 = bytes_to_num(data+10, 6);\r
if (key64) {\r
PrintAndLog("Data:%s", sprint_hex(data+10, 6));\r
- e_sector[i].foundKey[1] = 1;\r
+ e_sector[i].foundKey[1] = TRUE;\r
e_sector[i].Key[1] = key64;\r
}\r
}\r
}\r
- \r
- t1 = clock() - t1;\r
- if ( t1 > 0 )\r
- PrintAndLog("Time in nested: %.0f ticks %4.2f sec (%4.2f sec per key)\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/iterations/CLOCKS_PER_SEC);\r
+\r
\r
//print them\r
printKeyTable( SectorsCnt, e_sector );\r
}\r
keyBlock = p;\r
}\r
- PrintAndLog("check key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,\r
+ PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,\r
(keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);\r
keycnt++;\r
}\r
memset(keyBlock + 6 * keycnt, 0, 6);\r
num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
- PrintAndLog("check custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+ PrintAndLog("check key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
keycnt++;\r
memset(buf, 0, sizeof(buf));\r
}\r
if (keycnt == 0) {\r
PrintAndLog("No key specified, trying default keys");\r
for (;keycnt < defaultKeysSize; keycnt++)\r
- PrintAndLog("check default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,\r
+ PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,\r
(keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],\r
(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6);\r
}\r
}\r
\r
uint8_t trgKeyType = 0;\r
+ uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt;\r
\r
// time\r
clock_t t1 = clock();\r
\r
// check keys.\r
- for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) {\r
+ for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) {\r
+\r
int b = blockNo;\r
for (int i = 0; i < SectorsCnt; ++i) {\r
\r
// skip already found keys.\r
if (e_sector[i].foundKey[trgKeyType]) continue;\r
\r
- uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt;\r
\r
for (uint32_t c = 0; c < keycnt; c += max_keys) {\r
\r
\r
res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64);\r
if (!res) {\r
- PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64);\r
+ //PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64);\r
\r
e_sector[i].Key[trgKeyType] = key64;\r
e_sector[i].foundKey[trgKeyType] = TRUE;\r
e_sector[i].Key[trgKeyType] = 0xffffffffffff;\r
e_sector[i].foundKey[trgKeyType] = FALSE;\r
}\r
+ printf(".");\r
+ fflush(stdout);\r
}\r
b < 127 ? ( b +=4 ) : ( b += 16 ); \r
}\r
}\r
+ t1 = clock() - t1;\r
+ if ( t1 > 0 )\r
+ printf("\nTime in checkkeys: %.0f ticks\n", (float)t1);\r
+\r
// 20160116 If Sector A is found, but not Sector B, try just reading it of the tag?\r
PrintAndLog("testing to read B...");\r
for (i = 0; i < SectorsCnt; i++) {\r
}\r
}\r
}\r
- \r
- t1 = clock() - t1;\r
- if ( t1 > 0 )\r
- printf("Time in checkkeys: %.0f ticks %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/keycnt/CLOCKS_PER_SEC);\r
+\r
\r
//print them\r
printKeyTable( SectorsCnt, e_sector );\r
return 0;\r
}\r
\r
-void printKeyTable( uint8_t sectorscnt, sector *e_sector ){\r
- PrintAndLog("|---|----------------|---|----------------|---|");\r
- PrintAndLog("|sec|key A |res|key B |res|");\r
- PrintAndLog("|---|----------------|---|----------------|---|");\r
- for (uint8_t i = 0; i < sectorscnt; ++i) {\r
- PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,\r
- e_sector[i].Key[0], e_sector[i].foundKey[0], \r
- e_sector[i].Key[1], e_sector[i].foundKey[1]\r
- );\r
- }\r
- PrintAndLog("|---|----------------|---|----------------|---|");\r
-}\r
\r
-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
- uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
+int CmdHF14AMf1kSim(const char *Cmd) {\r
+ uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
uint8_t exitAfterNReads = 0;\r
uint8_t flags = 0;\r
- \r
+ int uidlen = 0;\r
uint8_t cmdp = param_getchar(Cmd, 0);\r
\r
if (cmdp == 'h' || cmdp == 'H') {\r
PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");\r
PrintAndLog(" h this help");\r
- PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used");\r
+ PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID from emulator memory will be used");\r
PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
- PrintAndLog("");\r
- PrintAndLog(" sample: hf mf sim u 0a0a0a0a ");\r
+ PrintAndLog("samples:");\r
+ PrintAndLog(" hf mf sim u 0a0a0a0a");\r
+ PrintAndLog(" hf mf sim u 11223344556677");\r
+ PrintAndLog(" hf mf sim u 112233445566778899AA");\r
return 0;\r
}\r
uint8_t pnr = 0;\r
if (param_getchar(Cmd, pnr) == 'u') {\r
- if(param_gethex(Cmd, pnr+1, uid, 8) == 0)\r
- {\r
- flags |= FLAG_4B_UID_IN_DATA; // UID from packet\r
- } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {\r
- flags |= FLAG_7B_UID_IN_DATA;// UID from packet\r
- } else {\r
- PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");\r
- return 1;\r
+ \r
+ param_gethex_ex(Cmd, pnr+1, uid, &uidlen);\r
+ switch(uidlen){\r
+ case 20: flags |= FLAG_10B_UID_IN_DATA; break;\r
+ case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags |= FLAG_4B_UID_IN_DATA; break;\r
+ default:\r
+ PrintAndLog("UID, if specified, must include 8, 14 or 20 HEX symbols , %d", uidlen>>1);\r
+ return 1;\r
}\r
pnr +=2;\r
}\r
}\r
\r
if (param_getchar(Cmd, pnr) == 'i' ) {\r
- //Using a flag to signal interactiveness, least significant bit\r
flags |= FLAG_INTERACTIVE;\r
pnr++;\r
}\r
\r
if (param_getchar(Cmd, pnr) == 'x' ) {\r
- //Using a flag to signal interactiveness, least significant bit\r
flags |= FLAG_NR_AR_ATTACK;\r
}\r
\r
- PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",\r
- flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
- flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A"\r
+ PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) "\r
+ , (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen)\r
, exitAfterNReads\r
, flags\r
, flags);\r
\r
-\r
UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
memcpy(c.d.asBytes, uid, sizeof(uid));\r
clearCommandBuffer();\r
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;\r
\r
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;\r
- \r
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;\r
\r
- memset(data, 0x00, sizeof(data));\r
- memset(key, 0x00, sizeof(key));\r
- int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
- \r
- memcpy(data, resp.d.asBytes, len);\r
- \r
- uint64_t corr_uid = 0;\r
- \r
- // this IF? what was I thinking of?\r
- if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {\r
- corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0];\r
- tryMfk32(corr_uid, data, key);\r
- } else {\r
- corr_uid |= (uint64_t)data[2] << 48; \r
- corr_uid |= (uint64_t)data[1] << 40; \r
- corr_uid |= (uint64_t)data[0] << 32;\r
- corr_uid |= (uint64_t)data[7] << 24;\r
- corr_uid |= (uint64_t)data[6] << 16;\r
- corr_uid |= (uint64_t)data[5] << 8;\r
- corr_uid |= (uint64_t)data[4];\r
- tryMfk64(corr_uid, data, key);\r
- }\r
- PrintAndLog("--");\r
+ memset(data, 0x00, sizeof(data));\r
+ memset(key, 0x00, sizeof(key));\r
+ int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
+ \r
+ memcpy(data, resp.d.asBytes, len);\r
+ \r
+ // CUID is always 4 first bytes.\r
+ uint64_t cuid = bytes_to_num(data, 4 );\r
+ \r
+ // this needs to be fixed. ICEMAN\r
+ if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {\r
+ tryMfk32(cuid, data, key);\r
+ } else {\r
+ tryMfk64(cuid, data, key);\r
+ }\r
}\r
}\r
return 0;\r
}\r
\r
-int CmdHF14AMfDbg(const char *Cmd)\r
-{\r
+int CmdHF14AMfDbg(const char *Cmd) {\r
int dbgMode = param_get32ex(Cmd, 0, 0, 10);\r
- if (dbgMode > 4) {\r
+ if (dbgMode > 4)\r
PrintAndLog("Max debug mode parameter is 4 \n");\r
- }\r
\r
if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) {\r
PrintAndLog("Usage: hf mf dbg <debug level>");\r
\r
UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};\r
SendCommand(&c);\r
-\r
return 0;\r
}\r
\r
+void printKeyTable( uint8_t sectorscnt, sector *e_sector ){\r
+ PrintAndLog("|---|----------------|---|----------------|---|");\r
+ PrintAndLog("|sec|key A |res|key B |res|");\r
+ PrintAndLog("|---|----------------|---|----------------|---|");\r
+ for (uint8_t i = 0; i < sectorscnt; ++i) {\r
+ PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,\r
+ e_sector[i].Key[0], e_sector[i].foundKey[0], \r
+ e_sector[i].Key[1], e_sector[i].foundKey[1]\r
+ );\r
+ }\r
+ PrintAndLog("|---|----------------|---|----------------|---|");\r
+}\r
+\r
+// EMULATOR COMMANDS\r
+\r
int CmdHF14AMfEGet(const char *Cmd)\r
{\r
uint8_t blockNo = 0;\r
return 0;\r
}\r
\r
-int CmdHF14AMfCSetUID(const char *Cmd)\r
-{\r
+// CHINESE MAGIC COMMANDS \r
+\r
+int CmdHF14AMfCSetUID(const char *Cmd) {\r
uint8_t wipeCard = 0;\r
uint8_t uid[8] = {0x00};\r
uint8_t oldUid[8] = {0x00};\r
int argi=0;\r
\r
if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') {\r
- PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");\r
- PrintAndLog("sample: hf mf csetuid 01020304");\r
- PrintAndLog("sample: hf mf csetuid 01020304 0004 08 w");\r
PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line.");\r
+ PrintAndLog("");\r
+ PrintAndLog("Usage: hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");\r
+ PrintAndLog("");\r
+ PrintAndLog("sample: hf mf csetuid 01020304");\r
+ PrintAndLog(" hf mf csetuid 01020304 0004 08 w");\r
return 0;\r
}\r
\r
\r
PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4));\r
\r
- res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard);\r
+ res = mfCSetUID(uid, (atqaPresent) ? atqa : NULL, (atqaPresent) ? sak : NULL, oldUid, wipeCard);\r
if (res) {\r
PrintAndLog("Can't set UID. error=%d", res);\r
return 1;\r
return 0;\r
}\r
\r
-int CmdHF14AMfCSetBlk(const char *Cmd)\r
-{\r
+int CmdHF14AMfCSetBlk(const char *Cmd) {\r
uint8_t block[16] = {0x00};\r
uint8_t blockNo = 0;\r
uint8_t params = MAGIC_SINGLE;\r
return 0;\r
}\r
\r
-int CmdHF14AMfCLoad(const char *Cmd)\r
-{\r
+int CmdHF14AMfCLoad(const char *Cmd) {\r
FILE * f;\r
char filename[FILE_PATH_SIZE];\r
char * fnameptr = filename;\r
}\r
}\r
\r
+\r
+\r
int CmdHF14AMfSniff(const char *Cmd){\r
\r
bool wantLogToFile = 0;\r
int blockLen = 0;\r
int pckNum = 0;\r
int num = 0;\r
- uint8_t uid[7];\r
- uint8_t uid_len;\r
- uint8_t atqa[2] = {0x00};\r
- uint8_t sak;\r
+ uint8_t uid[10];\r
+ uint8_t uid_len = 0;\r
+ uint8_t atqa[2] = {0x00, 0x00};\r
+ uint8_t sak = 0;\r
bool isTag;\r
uint8_t *buf = NULL;\r
uint16_t bufsize = 0;\r
uint8_t *bufPtr = NULL;\r
\r
+ memset(uid, 0x00, sizeof(uid));\r
+ \r
char ctmp = param_getchar(Cmd, 0);\r
if ( ctmp == 'h' || ctmp == 'H' ) {\r
PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file.");\r
uint16_t traceLen = resp.arg[1];\r
len = resp.arg[2];\r
\r
+ // we are done?\r
if (res == 0) {\r
free(buf);\r
- return 0; // we are done\r
+ return 0;\r
}\r
\r
if (res == 1) { // there is (more) data to be transferred\r
memcpy(atqa, bufPtr + 2 + 7, 2);\r
uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4;\r
sak = bufPtr[11];\r
- PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x", \r
+ PrintAndLog("tag select uid| %s atqa:0x%02x%02x sak:0x%02x", \r
sprint_hex(uid + (7 - uid_len), uid_len),\r
atqa[1], \r
atqa[0], \r
sak);\r
if (wantLogToFile || wantDecrypt) {\r
- FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len);\r
+ FillFileNameByUID(logHexFileName, uid + (10 - uid_len), ".log", uid_len);\r
AddLogCurrentDT(logHexFileName);\r
} \r
if (wantDecrypt) \r
mfTraceInit(uid, atqa, sak, wantSaveToEmlFile);\r
} else {\r
- PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len));\r
+ PrintAndLog("%03d| %s |%s", num, isTag ? "TAG" : "RDR", sprint_hex(bufPtr, len));\r
if (wantLogToFile) \r
- AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len);\r
+ AddLogHex(logHexFileName, isTag ? "TAG| ":"RDR| ", bufPtr, len);\r
if (wantDecrypt) \r
mfTraceDecode(bufPtr, len, wantSaveToEmlFile);\r
num++; \r