X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/73ab92d14c8d80f1313f54d9a9b939cd9452b91b..6980d66b054071c75dfa522ad36eda97a2556159:/client/cmdhfmf.c?ds=inline diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 07d2ab26..cdac6476 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1016,12 +1016,11 @@ int CmdHF14AMfChk(const char *Cmd) return 0; } -void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { - #define ATTACK_KEY_COUNT 8 +void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) { + #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim() uint64_t key = 0; typedef struct { uint64_t keyA; - uint32_t security; uint64_t keyB; } st_t; st_t sector_trailer[ATTACK_KEY_COUNT]; @@ -1034,9 +1033,9 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { for (uint8_t i = 0; i 0) { - //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); - if (mfkey32(ar_resp[i], &key)) { - PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); + //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); + if (doStandardAttack && mfkey32(ar_resp[i], &key)) { + PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); for (uint8_t ii = 0; ii0) { - //PrintAndLog ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF)); uint8_t memBlock[16]; memset(memBlock, 0x00, sizeof(memBlock)); char cmd1[36]; @@ -1081,30 +1107,35 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { } } } - //moebius attack + /* + //un-comment to use as well moebius attack for (uint8_t i = ATTACK_KEY_COUNT; i 0) { if (tryMfk32_moebius(ar_resp[i], &key)) { PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); } } - } + }*/ } int usage_hf14_mf1ksim(void) { - PrintAndLog("Usage: hf mf sim [h] u n i x"); + PrintAndLog("Usage: hf mf sim h u n i x"); PrintAndLog("options:"); PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID 4,7 bytes. If not specified, the UID 4b from emulator memory will be used"); + PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used"); PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory"); + PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)"); PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f ' (implies x and i)"); + PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works."); PrintAndLog("samples:"); PrintAndLog(" hf mf sim u 0a0a0a0a"); PrintAndLog(" hf mf sim u 11223344556677"); - PrintAndLog(" hf mf sim u 112233445566778899AA"); + PrintAndLog(" hf mf sim u 112233445566778899AA"); + PrintAndLog(" hf mf sim f uids.txt"); + PrintAndLog(" hf mf sim u 0a0a0a0a e"); + return 0; } @@ -1122,7 +1153,6 @@ int CmdHF14AMf1kSim(const char *Cmd) { memset(filename, 0x00, sizeof(filename)); int len = 0; char buf[64]; - uint8_t uidBuffer[64]; uint8_t cmdp = 0; bool errors = false; @@ -1132,6 +1162,9 @@ int CmdHF14AMf1kSim(const char *Cmd) { case 'e': case 'E': setEmulatorMem = true; + //implies x and i + flags |= FLAG_INTERACTIVE; + flags |= FLAG_NR_AR_ATTACK; cmdp++; break; case 'f': @@ -1142,7 +1175,10 @@ int CmdHF14AMf1kSim(const char *Cmd) { return 0; } attackFromFile = true; - cmdp+=2; + //implies x and i + flags |= FLAG_INTERACTIVE; + flags |= FLAG_NR_AR_ATTACK; + cmdp += 2; break; case 'h': case 'H': @@ -1157,6 +1193,11 @@ int CmdHF14AMf1kSim(const char *Cmd) { exitAfterNReads = param_get8(Cmd, pnr+1); cmdp += 2; break; + case 'r': + case 'R': + flags |= FLAG_RANDOM_NONCE; + cmdp++; + break; case 'u': case 'U': param_gethex_ex(Cmd, cmdp+1, uid, &uidlen); @@ -1166,7 +1207,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { case 8: flags = FLAG_4B_UID_IN_DATA; break; default: return usage_hf14_mf1ksim(); } - cmdp +=2; + cmdp += 2; break; case 'x': case 'X': @@ -1183,9 +1224,6 @@ int CmdHF14AMf1kSim(const char *Cmd) { //Validations if(errors) return usage_hf14_mf1ksim(); - // attack from file implies nr ar attack and interactive... - if (!(flags & FLAG_NR_AR_ATTACK) && attackFromFile) flags |= FLAG_NR_AR_ATTACK | FLAG_INTERACTIVE; - //get uid from file if (attackFromFile) { int count = 0; @@ -1198,7 +1236,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { PrintAndLog("Loading file and simulating. Press keyboard to abort"); while(!feof(f) && !ukbhit()){ memset(buf, 0, sizeof(buf)); - memset(uidBuffer, 0, sizeof(uidBuffer)); + memset(uid, 0, sizeof(uid)); if (fgets(buf, sizeof(buf), f) == NULL) { if (count > 0) break; @@ -1207,21 +1245,21 @@ int CmdHF14AMf1kSim(const char *Cmd) { fclose(f); return 2; } - if(strlen(buf) && feof(f)) break; + if(!strlen(buf) && feof(f)) break; - uidlen = strlen(buf); + uidlen = strlen(buf)-1; switch(uidlen) { - case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete - case 14: flags = FLAG_7B_UID_IN_DATA; break; - case 8: flags = FLAG_4B_UID_IN_DATA; break; + case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete + case 14: flags |= FLAG_7B_UID_IN_DATA; break; + case 8: flags |= FLAG_4B_UID_IN_DATA; break; default: - PrintAndLog("uid in file wrong length at %d",count); + PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf); fclose(f); return 2; } for (uint8_t i = 0; i < uidlen; i += 2) { - sscanf(&buf[i], "%02x", (unsigned int *)&uidBuffer[i / 2]); + sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]); } PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort", @@ -1242,8 +1280,9 @@ int CmdHF14AMf1kSim(const char *Cmd) { //got a response nonces_t ar_resp[ATTACK_KEY_COUNT*2]; memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); - readerAttack(ar_resp, setEmulatorMem); - if (resp.arg[1]) { + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); + if ((bool)resp.arg[1]) { PrintAndLog("Device button pressed - quitting"); fclose(f); return 4; @@ -1251,7 +1290,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { count++; } fclose(f); - } else { + } else { //not from file PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ", flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): @@ -1274,7 +1313,8 @@ int CmdHF14AMf1kSim(const char *Cmd) { if (flags & FLAG_NR_AR_ATTACK) { nonces_t ar_resp[ATTACK_KEY_COUNT*2]; memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); - readerAttack(ar_resp, setEmulatorMem); + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); } } }