]> cvs.zerfleddert.de Git - proxmark3-svn/blobdiff - client/mifarehost.c
UPD: got the latest updates (@badboy) from @zhovner mfdread.
[proxmark3-svn] / client / mifarehost.c
index 72c1e897899f9cbad95354bb035e0fdfd3da07f4..b41c368702e6cbb4c94e82ee519ff9f2b5e7c8f5 100644 (file)
@@ -125,8 +125,8 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
        p4->even = 0; p4->odd = 0;\r
        statelists[0].len = p3 - statelists[0].head.slhead;\r
        statelists[1].len = p4 - statelists[1].head.slhead;\r
-       statelists[0].tail.sltail=--p3;\r
-       statelists[1].tail.sltail=--p4;\r
+       statelists[0].tail.sltail = --p3;\r
+       statelists[1].tail.sltail = --p4;\r
 \r
        // the statelists now contain possible keys. The key we are searching for must be in the\r
        // intersection of both lists. Create the intersection:\r
@@ -203,6 +203,53 @@ int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t key
        *key = bytes_to_num(resp.d.asBytes, 6);\r
        return 0;\r
 }\r
+// PM3 imp of J-Run mf_key_brute (part 2)\r
+// ref: https://github.com/J-Run/mf_key_brute\r
+int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultkey){\r
+\r
+       #define KEYS_IN_BLOCK 85\r
+       #define KEYBLOCK_SIZE 510\r
+       #define CANDIDATE_SIZE 0xFFFF * 6\r
+       uint8_t found = FALSE;\r
+       uint64_t key64 = 0;\r
+       uint8_t candidates[CANDIDATE_SIZE] = {0x00};\r
+       uint8_t keyBlock[KEYBLOCK_SIZE] = {0x00};\r
+\r
+       memset(candidates, 0, sizeof(candidates));\r
+       memset(keyBlock, 0, sizeof(keyBlock));\r
+       \r
+       // Generate all possible keys for the first two unknown bytes.\r
+       for (uint16_t i = 0; i < 0xFFFF; ++i) {         \r
+               uint32_t j = i * 6;             \r
+               candidates[0 + j] = i >> 8;     \r
+               candidates[1 + j] = i;\r
+               candidates[2 + j] = key[2];\r
+               candidates[3 + j] = key[3];\r
+               candidates[4 + j] = key[4];\r
+               candidates[5 + j] = key[5];\r
+       }\r
+       uint32_t counter, i;\r
+       for ( i = 0, counter = 1; i < CANDIDATE_SIZE; i += KEYBLOCK_SIZE, ++counter){\r
+\r
+               key64 = 0;\r
+               \r
+               // copy candidatekeys to test key block\r
+               memcpy(keyBlock, candidates + i, KEYBLOCK_SIZE);\r
+\r
+               // check a block of generated candidate keys.\r
+               if (!mfCheckKeys(blockNo, keyType, TRUE, KEYS_IN_BLOCK, keyBlock, &key64)) {\r
+                       *resultkey = key64;\r
+                       found = TRUE;\r
+                       break;\r
+               }\r
+               \r
+               // progress \r
+               if ( counter % 20 == 0 )\r
+                       PrintAndLog("tried : %s.. \t %u keys", sprint_hex(candidates + i, 6),  counter * KEYS_IN_BLOCK  );\r
+       }\r
+       return found;\r
+}\r
+\r
 \r
 // EMULATOR\r
 \r
@@ -607,12 +654,12 @@ int mfTraceDecode(uint8_t *data_src, int len, bool wantSaveToEmlFile) {
 \r
 int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len){\r
        PrintAndLog("\nEncrypted data: [%s]", sprint_hex(data, len) );\r
-       struct Crypto1State *pcs = NULL;\r
+       struct Crypto1State *s;\r
        ks2 = ar_enc ^ prng_successor(nt, 64);\r
        ks3 = at_enc ^ prng_successor(nt, 96);\r
-       pcs = lfsr_recovery64(ks2, ks3);\r
-       mf_crypto1_decrypt(pcs, data, len, FALSE);\r
+       s = lfsr_recovery64(ks2, ks3);\r
+       mf_crypto1_decrypt(s, data, len, FALSE);\r
        PrintAndLog("Decrypted data: [%s]", sprint_hex(data, len) );\r
-       crypto1_destroy(pcs);\r
+       crypto1_destroy(s);\r
        return 0;\r
 }\r
Impressum, Datenschutz