X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/2285d9dd944007444ceb042663fc20f6b0ac0d05..0c97a4562dfc38dbda89277434b077d084e21588:/client/cmdhfmf.c

diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index e41afb6a..0a24f6da 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -9,6 +9,7 @@
 //-----------------------------------------------------------------------------
 
 #include "cmdhfmf.h"
+#include "cmdhfmfhard.h"
 #include "nonce2key/nonce2key.h"
 
 static int CmdHelp(const char *Cmd);
@@ -60,7 +61,7 @@ start:
 				case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;
 				case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;
 				case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
-							PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
+						  PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
 				default: ;
 			}
 			break;
@@ -791,6 +792,102 @@ int CmdHF14AMfNested(const char *Cmd)
 	return 0;
 }
 
+int CmdHF14AMfNestedHard(const char *Cmd)
+{
+	uint8_t blockNo = 0;
+	uint8_t keyType = 0;
+	uint8_t trgBlockNo = 0;
+	uint8_t trgKeyType = 0;
+	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
+	
+	char ctmp;
+	ctmp = param_getchar(Cmd, 0);
+	if (ctmp != 'R' && ctmp != 'r' && strlen(Cmd) < 20) {
+		PrintAndLog("Usage:");
+		PrintAndLog("      hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");
+		PrintAndLog("                       <target block number> <target key A|B> [w] [s]");
+		PrintAndLog("  or  hf mf hardnested r");
+		PrintAndLog(" ");
+		PrintAndLog("Options: ");
+		PrintAndLog("      w: Acquire nonces and write them to binary file nonces.bin");
+		PrintAndLog("      s: Slower acquisition (required by some non standard cards)");
+		PrintAndLog("      r: Read nonces.bin and start attack");
+		PrintAndLog(" ");
+		PrintAndLog("      sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");
+		PrintAndLog("      sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");
+		PrintAndLog("      sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s");
+		PrintAndLog("      sample4: hf mf hardnested r");
+
+		return 0;
+	}	
+	
+	bool nonce_file_read = false;
+	bool nonce_file_write = false;
+	bool slow = false;
+	
+	if (ctmp == 'R' || ctmp == 'r') {
+
+		nonce_file_read = true;
+
+	} else {
+
+		blockNo = param_get8(Cmd, 0);
+		ctmp = param_getchar(Cmd, 1);
+		if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
+			PrintAndLog("Key type must be A or B");
+			return 1;
+		}
+		if (ctmp != 'A' && ctmp != 'a') { 
+			keyType = 1;
+		}
+		
+		if (param_gethex(Cmd, 2, key, 12)) {
+			PrintAndLog("Key must include 12 HEX symbols");
+			return 1;
+		}
+		
+		trgBlockNo = param_get8(Cmd, 3);
+		ctmp = param_getchar(Cmd, 4);
+		if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
+			PrintAndLog("Target key type must be A or B");
+			return 1;
+		}
+		if (ctmp != 'A' && ctmp != 'a') {
+			trgKeyType = 1;
+		}
+
+		uint16_t i = 5;
+		while ((ctmp = param_getchar(Cmd, i))) {
+			if (ctmp == 's' || ctmp == 'S') {
+				slow = true;
+			} else if (ctmp == 'w' || ctmp == 'W') {
+				nonce_file_write = true;
+			} else {
+				PrintAndLog("Possible options are w and/or s");
+				return 1;
+			}
+			i++;
+		}
+	}
+
+	PrintAndLog("--target block no:%3d, target key type:%c, file action: %s, Slow: %s ", 
+			trgBlockNo, 
+			trgKeyType?'B':'A', 
+			nonce_file_write?"write":nonce_file_read?"read":"none",
+			slow?"Yes":"No");
+	int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, nonce_file_read, nonce_file_write, slow);
+	if (isOK) {
+		switch (isOK) {
+			case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
+			case 2 : PrintAndLog("Button pressed. Aborted.\n"); break;
+			default : break;
+		}
+		return 2;
+	}
+
+	return 0;
+}
+
 int CmdHF14AMfChk(const char *Cmd)
 {
 	if (strlen(Cmd)<3) {
@@ -1541,9 +1638,9 @@ int CmdHF14AMfCSetUID(const char *Cmd)
 
 int CmdHF14AMfCSetBlk(const char *Cmd)
 {
-	uint8_t memBlock[16] = {0x00};
+	uint8_t block[16] = {0x00};
 	uint8_t blockNo = 0;
-	bool wipeCard = FALSE;
+	uint8_t params = MAGIC_SINGLE;
 	int res;
 
 	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
@@ -1556,16 +1653,18 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
 
 	blockNo = param_get8(Cmd, 0);
 
-	if (param_gethex(Cmd, 1, memBlock, 32)) {
+	if (param_gethex(Cmd, 1, block, 32)) {
 		PrintAndLog("block data must include 32 HEX symbols");
 		return 1;
 	}
 
 	char ctmp = param_getchar(Cmd, 2);
-	wipeCard = (ctmp == 'w' || ctmp == 'W');
-	PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));
+	if (ctmp == 'w' || ctmp == 'W')
+		params |= MAGIC_WIPE;
+	
+	PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(block, 16));
 
-	res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);
+	res = mfCSetBlock(blockNo, block, NULL, params);
 	if (res) {
 		PrintAndLog("Can't write block. error=%d", res);
 		return 1;
@@ -1576,13 +1675,15 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
 int CmdHF14AMfCLoad(const char *Cmd)
 {
 	FILE * f;
-	char filename[FILE_PATH_SIZE] = {0x00};
+	char filename[FILE_PATH_SIZE];
 	char * fnameptr = filename;
 	char buf[64] = {0x00};
 	uint8_t buf8[64] = {0x00};
 	uint8_t fillFromEmulator = 0;
 	int i, len, blockNum, flags=0;
 
+	memset(filename, 0, sizeof(filename));
+	
 	char ctmp = param_getchar(Cmd, 0);
 	
 	if (ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) {
@@ -1602,11 +1703,11 @@ int CmdHF14AMfCLoad(const char *Cmd)
 				PrintAndLog("Cant get block: %d", blockNum);
 				return 2;
 			}
-			if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;				// switch on field and send magic sequence
+			if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC;				// switch on field and send magic sequence
 			if (blockNum == 1) flags = 0;													// just write
-			if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;		// Done. Magic Halt and switch off field.
+			if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF;		// Done. Magic Halt and switch off field.
 
-			if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
+			if (mfCSetBlock(blockNum, buf8, NULL, flags)) {
 				PrintAndLog("Cant set magic card block: %d", blockNum);
 				return 3;
 			}
@@ -1649,11 +1750,11 @@ int CmdHF14AMfCLoad(const char *Cmd)
 			for (i = 0; i < 32; i += 2)
 				sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
 
-			if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;				// switch on field and send magic sequence
+			if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC;				// switch on field and send magic sequence
 			if (blockNum == 1) flags = 0;													// just write
-			if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;		// Done. Switch off field.
+			if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF;		// Done. Switch off field.
 
-			if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
+			if (mfCSetBlock(blockNum, buf8, NULL, flags)) {
 				PrintAndLog("Can't set magic card block: %d", blockNum);
 				return 3;
 			}
@@ -1663,6 +1764,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 		}
 		fclose(f);
 	
+		// 64 or 256blocks.
 		if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){
 			PrintAndLog("File content error. There must be 64 blocks");
 			return 4;
@@ -1674,12 +1776,13 @@ int CmdHF14AMfCLoad(const char *Cmd)
 }
 
 int CmdHF14AMfCGetBlk(const char *Cmd) {
-	uint8_t memBlock[16];
+	uint8_t data[16];
 	uint8_t blockNo = 0;
 	int res;
-	memset(memBlock, 0x00, sizeof(memBlock));
+	memset(data, 0x00, sizeof(data));
+	char ctmp = param_getchar(Cmd, 0);
 
-	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
+	if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') {
 		PrintAndLog("Usage:  hf mf cgetblk <block number>");
 		PrintAndLog("sample:  hf mf cgetblk 1");
 		PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");
@@ -1690,22 +1793,24 @@ int CmdHF14AMfCGetBlk(const char *Cmd) {
 
 	PrintAndLog("--block number:%2d ", blockNo);
 
-	res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER);
+	res = mfCGetBlock(blockNo, data, MAGIC_SINGLE);
 	if (res) {
-			PrintAndLog("Can't read block. error=%d", res);
-			return 1;
-		}
+		PrintAndLog("Can't read block. error=%d", res);
+		return 1;
+	}
 	
-	PrintAndLog("block data:%s", sprint_hex(memBlock, 16));
+	PrintAndLog("data:%s", sprint_hex(data, sizeof(data)));
 	return 0;
 }
 
 int CmdHF14AMfCGetSc(const char *Cmd) {
-	uint8_t memBlock[16] = {0x00};
+	uint8_t data[16];
 	uint8_t sectorNo = 0;
 	int i, res, flags;
-
-	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
+	memset(data, 0x00, sizeof(data));
+	char ctmp = param_getchar(Cmd, 0);
+	
+	if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') {
 		PrintAndLog("Usage:  hf mf cgetsc <sector number>");
 		PrintAndLog("sample:  hf mf cgetsc 0");
 		PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");
@@ -1719,19 +1824,19 @@ int CmdHF14AMfCGetSc(const char *Cmd) {
 	}
 
 	PrintAndLog("--sector number:%d ", sectorNo);
+	PrintAndLog("block | data");
 
-	flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
+	flags = MAGIC_INIT + MAGIC_WUPC;
 	for (i = 0; i < 4; i++) {
 		if (i == 1) flags = 0;
-		if (i == 3) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
+		if (i == 3) flags = MAGIC_HALT + MAGIC_OFF;
 
-		res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags);
+		res = mfCGetBlock(sectorNo * 4 + i, data, flags);
 		if (res) {
 			PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res);
 			return 1;
-		}
-	
-		PrintAndLog("block %3d data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16));
+		}	
+		PrintAndLog(" %3d | %s", sectorNo * 4 + i, sprint_hex(data, sizeof(data)));
 	}
 	return 0;
 }
@@ -1739,14 +1844,14 @@ int CmdHF14AMfCGetSc(const char *Cmd) {
 int CmdHF14AMfCSave(const char *Cmd) {
 
 	FILE * f;
-	char filename[FILE_PATH_SIZE] = {0x00};
+	char filename[FILE_PATH_SIZE];
 	char * fnameptr = filename;
 	uint8_t fillFromEmulator = 0;
-	uint8_t buf[64] = {0x00};
+	uint8_t buf[64];
 	int i, j, len, flags;
 	
-	// memset(filename, 0, sizeof(filename));
-	// memset(buf, 0, sizeof(buf));
+	memset(filename, 0, sizeof(filename));
+	memset(buf, 0, sizeof(buf));
 	char ctmp = param_getchar(Cmd, 0);
 	
 	if ( ctmp == 'h' || ctmp == 'H' ) {
@@ -1762,10 +1867,10 @@ int CmdHF14AMfCSave(const char *Cmd) {
 
 	if (fillFromEmulator) {
 		// put into emulator
-		flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
+		flags = MAGIC_INIT + MAGIC_WUPC;
 		for (i = 0; i < 16 * 4; i++) {
 			if (i == 1) flags = 0;
-			if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
+			if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF;
 		
 			if (mfCGetBlock(i, buf, flags)) {
 				PrintAndLog("Cant get block: %d", i);
@@ -1782,9 +1887,10 @@ int CmdHF14AMfCSave(const char *Cmd) {
 		len = strlen(Cmd);
 		if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
 	
+		// get filename based on UID
 		if (len < 1) {
-			// get filename
-			if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {
+		
+			if (mfCGetBlock(0, buf, MAGIC_SINGLE)) {
 				PrintAndLog("Cant get block: %d", 0);
 				len = sprintf(fnameptr, "dump");
 				fnameptr += len;
@@ -1797,6 +1903,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
 			fnameptr += len;
 		}
 
+		// add .eml extension
 		sprintf(fnameptr, ".eml"); 
 	
 		// open file
@@ -1808,10 +1915,10 @@ int CmdHF14AMfCSave(const char *Cmd) {
 		}
 
 		// put hex
-		flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;
+		flags = MAGIC_INIT + MAGIC_WUPC;
 		for (i = 0; i < 16 * 4; i++) {
 			if (i == 1) flags = 0;
-			if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;
+			if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF;
 		
 			if (mfCGetBlock(i, buf, flags)) {
 				PrintAndLog("Cant get block: %d", i);
@@ -1821,10 +1928,9 @@ int CmdHF14AMfCSave(const char *Cmd) {
 				fprintf(f, "%02x", buf[j]); 
 			fprintf(f,"\n");
 		}
+		fflush(f);
 		fclose(f);
-	
 		PrintAndLog("Saved to file: %s", filename);
-	
 		return 0;
 	}
 }
@@ -2008,6 +2114,7 @@ static command_t CommandTable[] =
   {"chk",		CmdHF14AMfChk,			0, "Test block keys"},
   {"mifare",	CmdHF14AMifare,			0, "Read parity error messages."},
   {"nested",	CmdHF14AMfNested,		0, "Test nested authentication"},
+	{"hardnested", 	CmdHF14AMfNestedHard, 	0, "Nested attack for hardened Mifare cards"},
   {"sniff",		CmdHF14AMfSniff,		0, "Sniff card-reader communication"},
   {"sim",		CmdHF14AMf1kSim,		0, "Simulate MIFARE card"},
   {"eclr",		CmdHF14AMfEClear,		0, "Clear simulator memory block"},
@@ -2031,13 +2138,12 @@ int CmdHFMF(const char *Cmd)
 {
 	// flush
 	WaitForResponseTimeout(CMD_ACK,NULL,100);
-
-  CmdsParse(CommandTable, Cmd);
-  return 0;
+	CmdsParse(CommandTable, Cmd);
+	return 0;
 }
 
 int CmdHelp(const char *Cmd)
 {
-  CmdsHelp(CommandTable);
-  return 0;
+	CmdsHelp(CommandTable);
+	return 0;
 }