X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/7e735c1398b9c3643d292614db10c7e58c58db85..88e7a6bfa7afcc586ad41a93d62d5c8dc2c3d889:/client/cmdhfmf.c
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 6b944df3..ede88cb7 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -24,19 +24,20 @@ int usage_hf14_mifare(void){
return 0;
}
int usage_hf14_mf1ksim(void){
- PrintAndLog("Usage: hf mf sim [h] u <uid (8,14,20 hex symbols)> n <numreads> i x");
+ PrintAndLog("Usage: hf mf sim [h] u <uid> n <numreads> [i] [x] [e] [v]");
PrintAndLog("options:");
PrintAndLog(" h this help");
PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used");
PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
- PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
- PrintAndLog(" e (Optional) Fill simulator keys from what we crack");
- PrintAndLog(" v (Optional) Show maths used for cracking reader. Useful for debugging.");
+ PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a reader");
+ PrintAndLog(" e (Optional) Fill simulator keys from found keys");
+ PrintAndLog(" v (Optional) Verbose");
PrintAndLog("samples:");
PrintAndLog(" hf mf sim u 0a0a0a0a");
PrintAndLog(" hf mf sim u 11223344556677");
PrintAndLog(" hf mf sim u 112233445566778899AA");
+ PrintAndLog(" hf mf sim u 11223344 i x");
return 0;
}
int usage_hf14_dbg(void){
@@ -225,7 +226,7 @@ start:
c.arg[0] = false;
goto start;
} else {
- PrintAndLog("Found valid key: %012"llx" \n", r_key);
+ PrintAndLog("Found valid key: %012" PRIx64 " \n", r_key);
goto END;
}
}
@@ -245,10 +246,10 @@ start:
uint64_t key64 = 0;
int res = mfCheckKeys(blockNo, keytype - 0x60 , false, 1, keyblock, &key64);
if ( res > 0 ) {
- PrintAndLog("Candidate Key found (%012"llx") - Test authentication failed. [%d] Restarting darkside attack", r_key, res);
+ PrintAndLog("Candidate Key found (%012" PRIx64 ") - Test authentication failed. [%d] Restarting darkside attack", r_key, res);
goto start;
}
- PrintAndLog("Found valid key: %012"llx" \n", r_key);
+ PrintAndLog("Found valid key: %012" PRIx64 " \n", r_key);
}
END:
t1 = clock() - t1;
@@ -312,9 +313,7 @@ int CmdHF14AMfRdBl(const char *Cmd) {
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t key[6] = {0, 0, 0, 0, 0, 0};
-
- char cmdp = 0x00;
-
+ char cmdp = 0x00;
if (strlen(Cmd)<3) {
PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>");
@@ -471,10 +470,9 @@ int CmdHF14AMfDump(const char *Cmd) {
size_t bytes_read;
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
bytes_read = fread( keyA[sectorNo], 1, 6, fin );
- if ( bytes_read == 0) {
+ if ( bytes_read != 6) {
PrintAndLog("File reading error.");
fclose(fin);
- fin = NULL;
return 2;
}
}
@@ -482,22 +480,21 @@ int CmdHF14AMfDump(const char *Cmd) {
// Read keys B from file
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
bytes_read = fread( keyB[sectorNo], 1, 6, fin );
- if ( bytes_read == 0) {
+ if ( bytes_read != 6) {
PrintAndLog("File reading error.");
fclose(fin);
- fin = NULL;
return 2;
}
}
fclose(fin);
- fin = NULL;
PrintAndLog("|-----------------------------------------|");
PrintAndLog("|------ Reading sector access bits...-----|");
PrintAndLog("|-----------------------------------------|");
-
+ uint8_t tries = 0;
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
+ for (tries = 0; tries < 3; tries++) {
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
clearCommandBuffer();
@@ -511,7 +508,8 @@ int CmdHF14AMfDump(const char *Cmd) {
rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1
rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2
rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer
- } else {
+ break;
+ } else if (tries == 2) { // on last try set defaults
PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);
rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
rights[sectorNo][3] = 0x01;
@@ -522,6 +520,7 @@ int CmdHF14AMfDump(const char *Cmd) {
rights[sectorNo][3] = 0x01;
}
}
+ }
PrintAndLog("|-----------------------------------------|");
PrintAndLog("|----- Dumping all blocks to file... -----|");
@@ -531,7 +530,7 @@ int CmdHF14AMfDump(const char *Cmd) {
for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
bool received = false;
-
+ for (tries = 0; tries < 3; tries++) {
if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
@@ -548,12 +547,18 @@ int CmdHF14AMfDump(const char *Cmd) {
} else if (rights[sectorNo][data_area] == 0x07) { // no key would work
isOK = false;
PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);
+ tries = 2;
} else { // key A would work
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
clearCommandBuffer();
SendCommand(&c);
received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
+ }
+ }
+ if (received) {
+ isOK = resp.arg[0] & 0xff;
+ if (isOK) break;
}
}
@@ -598,7 +603,6 @@ int CmdHF14AMfDump(const char *Cmd) {
uint16_t numblocks = FirstBlockOfSector(numSectors - 1) + NumBlocksPerSector(numSectors - 1);
fwrite(carddata, 1, 16*numblocks, fout);
fclose(fout);
- fout = NULL;
PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks);
}
@@ -644,20 +648,18 @@ int CmdHF14AMfRestore(const char *Cmd) {
size_t bytes_read;
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
bytes_read = fread( keyA[sectorNo], 1, 6, fkeys );
- if ( bytes_read == 0) {
+ if ( bytes_read != 6) {
PrintAndLog("File reading error (dumpkeys.bin).");
fclose(fkeys);
- fkeys = NULL;
return 2;
}
}
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
bytes_read = fread( keyB[sectorNo], 1, 6, fkeys );
- if ( bytes_read == 0) {
+ if ( bytes_read != 6) {
PrintAndLog("File reading error (dumpkeys.bin).");
fclose(fkeys);
- fkeys = NULL;
return 2;
}
}
@@ -675,7 +677,7 @@ int CmdHF14AMfRestore(const char *Cmd) {
UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
bytes_read = fread(bldata, 1, 16, fdump);
- if ( bytes_read == 0) {
+ if ( bytes_read != 16) {
PrintAndLog("File reading error (dumpdata.bin).");
fclose(fdump);
fdump = NULL;
@@ -714,7 +716,6 @@ int CmdHF14AMfRestore(const char *Cmd) {
}
fclose(fdump);
- fdump = NULL;
return 0;
}
@@ -790,7 +791,7 @@ int CmdHF14AMfNested(const char *Cmd) {
switch (isOK) {
case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
- case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break;
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random number generator is not predictable).\n"); break;
case -4 : PrintAndLog("No valid key found"); break;
case -5 :
key64 = bytes_to_num(keyBlock, 6);
@@ -1206,7 +1207,7 @@ int CmdHF14AMfChk(const char *Cmd) {
}
memset(keyBlock + 6 * keycnt, 0, 6);
num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
- PrintAndLog("check key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
+ PrintAndLog("check key[%2d] %012" PRIx64, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
keycnt++;
memset(buf, 0, sizeof(buf));
}
@@ -1360,18 +1361,16 @@ int CmdHF14AMfChk(const char *Cmd) {
PrintAndLog("");
return 0;
}
-#define ATTACK_KEY_COUNT 8
+
sector *k_sector = NULL;
uint8_t k_sectorsCount = 16;
-void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
+static void emptySectorTable(){
// initialize storage for found keys
if (k_sector == NULL)
k_sector = calloc(k_sectorsCount, sizeof(sector));
if (k_sector == NULL)
return;
-
- uint64_t key = 0;
// empty e_sector
for(int i = 0; i < k_sectorsCount; ++i){
@@ -1380,67 +1379,47 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
k_sector[i].foundKey[0] = FALSE;
k_sector[i].foundKey[1] = FALSE;
}
+}
+void showSectorTable(){
+ if (k_sector != NULL) {
+ printKeyTable(k_sectorsCount, k_sector);
+ free(k_sector);
+ k_sector = NULL;
+ }
+}
+void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose) {
- printf("enter reader attack\n");
- for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {
-
- // if no-collected data
- if (data[i].ar2 == 0) continue;
-
- // We can probably skip this, mfkey32v2 is more reliable.
-#ifdef HFMF_TRYMFK32
- if (tryMfk32(data[i], &key, verbose)) {
- PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"
- , (data[i].keytype) ? "B" : "A"
- , data[i].sector
- , key
- );
-
- k_sector[i].Key[data[i].keytype] = key;
- k_sector[i].foundKey[data[i].keytype] = TRUE;
-
- //set emulator memory for keys
- if (setEmulatorMem) {
- uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
- num_to_bytes( k_sector[i].Key[0], 6, memBlock);
- num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);
- PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
- , ((data[i].sector)*4) + 3
- , sprint_hex( memBlock, sizeof(memBlock))
- );
- mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1);
- }
- continue;
- }
-#endif
-
- //moebius attack
- if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {
- uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;
- uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;
-
- PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"
- , keyType ? "B" : "A"
- , sectorNum
- , key
- );
-
- k_sector[sectorNum].Key[keyType] = key;
- k_sector[sectorNum].foundKey[keyType] = TRUE;
-
- //set emulator memory for keys
- if (setEmulatorMem) {
- uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
- num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock);
- num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10);
- //iceman, guessing this will not work so well for 4K tags.
- PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
- , (sectorNum*4) + 3
- , sprint_hex( memBlock, sizeof(memBlock))
- );
- mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1);
- }
- continue;
+ uint64_t key = 0;
+ bool success = FALSE;
+
+ if (k_sector == NULL)
+ emptySectorTable();
+
+ success = tryMfk32_moebius(data, &key, verbose);
+ if (success) {
+ uint8_t sector = data.sector;
+ uint8_t keytype = data.keytype;
+
+ PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012" PRIx64 "]"
+ , keytype ? "B" : "A"
+ , sector
+ , key
+ );
+
+ k_sector[sector].Key[keytype] = key;
+ k_sector[sector].foundKey[keytype] = TRUE;
+
+ //set emulator memory for keys
+ if (setEmulatorMem) {
+ uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
+ num_to_bytes( k_sector[sector].Key[0], 6, memBlock);
+ num_to_bytes( k_sector[sector].Key[1], 6, memBlock+10);
+ //iceman, guessing this will not work so well for 4K tags.
+ PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
+ , (sector*4) + 3
+ , sprint_hex( memBlock, sizeof(memBlock))
+ );
+ mfEmlSetMem( memBlock, (sector*4) + 3, 1);
}
}
}
@@ -1451,18 +1430,17 @@ int CmdHF14AMf1kSim(const char *Cmd) {
uint8_t exitAfterNReads = 0;
uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);
int uidlen = 0;
- bool setEmulatorMem = false;
uint8_t cmdp = 0;
- bool errors = false;
-
- // If set to true, we should show our workings when doing NR_AR_ATTACK.
- bool verbose = false;
-
+ bool errors = FALSE;
+ bool verbose = FALSE;
+ bool setEmulatorMem = FALSE;
+ nonces_t data[1];
+
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
case 'e':
case 'E':
- setEmulatorMem = true;
+ setEmulatorMem = TRUE;
cmdp++;
break;
case 'h':
@@ -1487,11 +1465,11 @@ int CmdHF14AMf1kSim(const char *Cmd) {
case 8: flags = FLAG_4B_UID_IN_DATA; break;
default: return usage_hf14_mf1ksim();
}
- cmdp +=2;
+ cmdp += 2;
break;
case 'v':
case 'V':
- verbose = true;
+ verbose = TRUE;
cmdp++;
break;
case 'x':
@@ -1501,7 +1479,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
- errors = true;
+ errors = TRUE;
break;
}
if(errors) break;
@@ -1519,28 +1497,20 @@ int CmdHF14AMf1kSim(const char *Cmd) {
memcpy(c.d.asBytes, uid, sizeof(uid));
clearCommandBuffer();
SendCommand(&c);
+ UsbCommand resp;
- if(flags & FLAG_INTERACTIVE) {
+ if(flags & FLAG_INTERACTIVE) {
PrintAndLog("Press pm3-button or send another cmd to abort simulation");
- nonces_t data[ATTACK_KEY_COUNT*2];
- UsbCommand resp;
-
while( !ukbhit() ){
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
-
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
- memcpy( data, resp.d.asBytes, sizeof(data) );
- readerAttack(data, setEmulatorMem, verbose);
- }
-
- if (k_sector != NULL) {
- printKeyTable(k_sectorsCount, k_sector );
- free(k_sector);
- k_sector = NULL;
+ memcpy(data, resp.d.asBytes, sizeof(data));
+ readerAttack(data[0], setEmulatorMem, verbose);
}
+ showSectorTable();
}
return 0;
}
@@ -1616,7 +1586,7 @@ int CmdHF14AMfSniff(const char *Cmd){
if (res == 1) { // there is (more) data to be transferred
if (pckNum == 0) { // first packet, (re)allocate necessary buffer
- if (traceLen > bufsize) {
+ if (traceLen > bufsize || buf == NULL) {
uint8_t *p;
if (buf == NULL) // not yet allocated
p = malloc(traceLen);
@@ -1737,7 +1707,7 @@ int CmdHF14AMfKeyBrute(const char *Cmd) {
time(&start);
if (mfKeyBrute( blockNo, keytype, key, &foundkey))
- PrintAndLog("Found valid key: %012"llx" \n", foundkey);
+ PrintAndLog("Found valid key: %012" PRIx64 " \n", foundkey);
else
PrintAndLog("Key not found");
@@ -1755,7 +1725,7 @@ void printKeyTable( uint8_t sectorscnt, sector *e_sector ){
PrintAndLog("|sec|key A |res|key B |res|");
PrintAndLog("|---|----------------|---|----------------|---|");
for (uint8_t i = 0; i < sectorscnt; ++i) {
- PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,
+ PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,
e_sector[i].Key[0], e_sector[i].foundKey[0],
e_sector[i].Key[1], e_sector[i].foundKey[1]
);
@@ -1804,7 +1774,6 @@ int CmdHF14AMfESet(const char *Cmd)
{
uint8_t memBlock[16];
uint8_t blockNo = 0;
-
memset(memBlock, 0x00, sizeof(memBlock));
if (strlen(Cmd) < 3 || param_getchar(Cmd, 0) == 'h') {
@@ -2086,7 +2055,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
}
keyA = bytes_to_num(data, 6);
keyB = bytes_to_num(data + 10, 6);
- PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB);
+ PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB);
}
PrintAndLog("|---|----------------|----------------|");