ADD: J-Run's 2nd phase tool mf_key_brute ref: https://github.com/J-Run/mf_key_brute...
[proxmark3-svn] / client / mifarehost.c
index 72c1e897899f9cbad95354bb035e0fdfd3da07f4..97e53f1e97820d241c1fe67157324b5621afe3a4 100644 (file)
@@ -203,6 +203,53 @@ int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t key
        *key = bytes_to_num(resp.d.asBytes, 6);\r
        return 0;\r
 }\r
+// PM3 imp of J-Run mf_key_brute (part 2)\r
+// ref: https://github.com/J-Run/mf_key_brute\r
+int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultkey){\r
+\r
+       #define KEYS_IN_BLOCK 85\r
+       #define KEYBLOCK_SIZE 510\r
+       #define CANDIDATE_SIZE 0xFFFF * 6\r
+       uint8_t found = FALSE;\r
+       uint64_t key64 = 0;\r
+       uint8_t candidates[CANDIDATE_SIZE] = {0x00};\r
+       uint8_t keyBlock[KEYBLOCK_SIZE] = {0x00};\r
+\r
+       memset(candidates, 0, sizeof(candidates));\r
+       memset(keyBlock, 0, sizeof(keyBlock));\r
+       \r
+       // Generate all possible keys for the first two unknown bytes.\r
+       for (uint16_t i = 0; i < 0xFFFF; ++i) {         \r
+               uint32_t j = i * 6;             \r
+               candidates[0 + j] = i >> 8;     \r
+               candidates[1 + j] = i;\r
+               candidates[2 + j] = key[2];\r
+               candidates[3 + j] = key[3];\r
+               candidates[4 + j] = key[4];\r
+               candidates[5 + j] = key[5];\r
+       }\r
+       uint32_t counter, i;\r
+       for ( i = 0, counter = 1; i < CANDIDATE_SIZE; i += KEYBLOCK_SIZE, ++counter){\r
+\r
+               key64 = 0;\r
+               \r
+               // copy candidatekeys to test key block\r
+               memcpy(keyBlock, candidates + i, KEYBLOCK_SIZE);\r
+\r
+               // check a block of generated candidate keys.\r
+               if (!mfCheckKeys(blockNo, keyType, TRUE, KEYS_IN_BLOCK, keyBlock, &key64)) {\r
+                       *resultkey = key64;\r
+                       found = TRUE;\r
+                       break;\r
+               }\r
+               \r
+               // progress \r
+               if ( counter % 20 == 0 )\r
+                       PrintAndLog("tried : %s.. \t %u keys", sprint_hex(candidates + i, 6),  counter * KEYS_IN_BLOCK  );\r
+       }\r
+       return found;\r
+}\r
+\r
 \r
 // EMULATOR\r
 \r
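Review bot: The candidate loop `for (uint16_t i = 0; i < 0xFFFF; ++i)` stops at 0xFFFE, so the prefix FF FF is never generated or tested, and mfKeyBrute can return "not found" for a key that lies inside the intended search space. Widening the loop means `CANDIDATE_SIZE` must become `(0x10000 * 6)` (and be parenthesised), after which the fixed-size `memcpy` of `KEYBLOCK_SIZE` bytes would read past the end of `candidates` on the last pass, because the current size is only by coincidence an exact multiple of 510; the last block needs clamping as sketched below. Separately, this function returns 1 on success while `mfCheckKeys` just above returns 0 on success, and every non-zero result from `mfCheckKeys` (presumably including communication errors, whose paths are outside this hunk) is treated as "key not in block", so a header comment such as `// returns 1 and sets *resultkey if a key was found, 0 otherwise` would help callers. The roughly 384 KB `candidates` array is an automatic variable, and the two `memset` calls repeat what the `= {0x00}` initialisers already do.

```c
#define CANDIDATE_COUNT 0x10000
#define CANDIDATE_SIZE (CANDIDATE_COUNT * 6)
// … unchanged: locals, candidates[] and keyBlock[] …
for (uint32_t i = 0; i < CANDIDATE_COUNT; ++i) {
	// … unchanged: fill candidates[j .. j+5] …
}
uint32_t counter, i;
for (i = 0, counter = 1; i < CANDIDATE_SIZE; i += KEYBLOCK_SIZE, ++counter) {
	// the final block is shorter than KEYBLOCK_SIZE once all 65536 prefixes exist
	uint32_t chunk = CANDIDATE_SIZE - i;
	if (chunk > KEYBLOCK_SIZE)
		chunk = KEYBLOCK_SIZE;
	memcpy(keyBlock, candidates + i, chunk);
	if (!mfCheckKeys(blockNo, keyType, TRUE, chunk / 6, keyBlock, &key64)) {
		// … unchanged: store *resultkey, set found, break …
	}
	// … unchanged: progress output …
}
```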