X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/8ea5706047cb0f6e7bd9f04306249d6a349c2239..refs/pull/227/head:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index d306ac65..eb3dc878 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -8,7 +8,19 @@ // High frequency MIFARE commands //----------------------------------------------------------------------------- -#include "cmdhfmf.h" +#include +#include +#include +#include "proxmark3.h" +#include "cmdmain.h" +#include "util.h" +#include "ui.h" +#include "mifarehost.h" +#include "mifare.h" +#include "nonce2key/nonce2key.h" + +#define NESTED_SECTOR_RETRY 10 // how often we try mfested() until we give up + static int CmdHelp(const char *Cmd); @@ -28,13 +40,15 @@ int CmdHF14AMifare(const char *Cmd) printf("-------------------------------------------------------------------------\n"); -start: + start: clearCommandBuffer(); SendCommand(&c); //flush queue - while (ukbhit()) getchar(); - + while (ukbhit()) { + int c = getchar(); (void) c; + } + // wait cycle while (true) { printf("."); @@ -81,7 +95,7 @@ start: } else { isOK = 0; printf("------------------------------------------------------------------\n"); - PrintAndLog("Found valid key:%012"llx" \n", r_key); + PrintAndLog("Found valid key:%012" PRIx64 " \n", r_key); } PrintAndLog(""); @@ -121,11 +135,10 @@ int CmdHF14AMfWrBl(const char *Cmd) PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6)); PrintAndLog("--data: %s", sprint_hex(bldata, 16)); - UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}}; + UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); memcpy(c.d.asBytes + 10, bldata, 16); - clearCommandBuffer(); - SendCommand(&c); + SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { @@ -143,7 +156,7 @@ int CmdHF14AMfRdBl(const char *Cmd) uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; - + char cmdp = 0x00; @@ -151,8 +164,8 @@ int CmdHF14AMfRdBl(const char *Cmd) PrintAndLog("Usage: hf mf rdbl "); PrintAndLog(" sample: hf mf rdbl 0 A FFFFFFFFFFFF "); return 0; - } - + } + blockNo = param_get8(Cmd, 0); cmdp = param_getchar(Cmd, 1); if (cmdp == 0x00) { @@ -165,11 +178,10 @@ int CmdHF14AMfRdBl(const char *Cmd) return 1; } PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6)); - - UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}}; + + UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); - clearCommandBuffer(); - SendCommand(&c); + SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { @@ -219,10 +231,9 @@ int CmdHF14AMfRdSc(const char *Cmd) return 1; } PrintAndLog("--sector no:%d key type:%c key:%s ", sectorNo, keyType?'B':'A', sprint_hex(key, 6)); - + UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); - clearCommandBuffer(); SendCommand(&c); PrintAndLog(" "); @@ -242,7 +253,7 @@ int CmdHF14AMfRdSc(const char *Cmd) PrintAndLog("Command execute timeout"); } - return 0; + return 0; } uint8_t FirstBlockOfSector(uint8_t sectorNo) @@ -266,7 +277,7 @@ uint8_t NumBlocksPerSector(uint8_t sectorNo) int CmdHF14AMfDump(const char *Cmd) { uint8_t sectorNo, blockNo; - + uint8_t keyA[40][6]; uint8_t keyB[40][6]; uint8_t rights[40][4]; @@ -304,7 +315,8 @@ int CmdHF14AMfDump(const char *Cmd) // Read keys A from file for (sectorNo=0; sectorNo>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0 - rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1 - rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2 - rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer + if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + uint8_t isOK = resp.arg[0] & 0xff; + uint8_t *data = resp.d.asBytes; + if (isOK){ + rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0 + rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1 + rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2 + rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer + break; + } else if (tries == 2) { // on last try set defaults + PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo); + rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; + rights[sectorNo][3] = 0x01; + } } else { - PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo); + PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo); rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; rights[sectorNo][3] = 0x01; } - } else { - PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo); - rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; - rights[sectorNo][3] = 0x01; } } - + PrintAndLog("|-----------------------------------------|"); PrintAndLog("|----- Dumping all blocks to file... -----|"); PrintAndLog("|-----------------------------------------|"); - + bool isOK = true; for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) { for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) { bool received = false; - - if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. - UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}}; - memcpy(c.d.asBytes, keyA[sectorNo], 6); - clearCommandBuffer(); - SendCommand(&c); - received = WaitForResponseTimeout(CMD_ACK,&resp,1500); - } else { // data block. Check if it can be read with key A or key B - uint8_t data_area = sectorNo<32?blockNo:blockNo/5; - if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work - UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}}; - memcpy(c.d.asBytes, keyB[sectorNo], 6); - clearCommandBuffer(); - SendCommand(&c); - received = WaitForResponseTimeout(CMD_ACK,&resp,1500); - } else if (rights[sectorNo][data_area] == 0x07) { // no key would work - isOK = false; - PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo); - } else { // key A would work + for (tries = 0; tries < 3; tries++) { + if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}}; memcpy(c.d.asBytes, keyA[sectorNo], 6); - clearCommandBuffer(); SendCommand(&c); received = WaitForResponseTimeout(CMD_ACK,&resp,1500); + } else { // data block. Check if it can be read with key A or key B + uint8_t data_area = sectorNo<32?blockNo:blockNo/5; + if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work + UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}}; + memcpy(c.d.asBytes, keyB[sectorNo], 6); + SendCommand(&c); + received = WaitForResponseTimeout(CMD_ACK,&resp,1500); + } else if (rights[sectorNo][data_area] == 0x07) { // no key would work + isOK = false; + PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo); + tries = 2; + } else { // key A would work + UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}}; + memcpy(c.d.asBytes, keyA[sectorNo], 6); + SendCommand(&c); + received = WaitForResponseTimeout(CMD_ACK,&resp,1500); + } + } + if (received) { + isOK = resp.arg[0] & 0xff; + if (isOK) break; } } @@ -472,16 +490,17 @@ int CmdHF14AMfRestore(const char *Cmd) } for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { - if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) { + size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys); + if (bytes_read != 6) { PrintAndLog("File reading error (dumpkeys.bin)."); - fclose(fkeys); return 2; } } for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { - if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) { + size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys); + if (bytes_read != 6) { PrintAndLog("File reading error (dumpkeys.bin)."); fclose(fkeys); return 2; @@ -501,7 +520,8 @@ int CmdHF14AMfRestore(const char *Cmd) UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); - if (fread(bldata, 1, 16, fdump) == 0) { + size_t bytes_read = fread(bldata, 1, 16, fdump); + if (bytes_read != 16) { PrintAndLog("File reading error (dumpdata.bin)."); fclose(fdump); return 2; @@ -525,7 +545,6 @@ int CmdHF14AMfRestore(const char *Cmd) PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16)); memcpy(c.d.asBytes + 10, bldata, 16); - clearCommandBuffer(); SendCommand(&c); UsbCommand resp; @@ -542,10 +561,17 @@ int CmdHF14AMfRestore(const char *Cmd) return 0; } + +typedef struct { + uint64_t Key[2]; + int foundKey[2]; +} sector_t; + + int CmdHF14AMfNested(const char *Cmd) { int i, j, res, iterations; - sector *e_sector = NULL; + sector_t *e_sector = NULL; uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t trgBlockNo = 0; @@ -639,7 +665,7 @@ int CmdHF14AMfNested(const char *Cmd) } key64 = bytes_to_num(keyBlock, 6); if (key64) { - PrintAndLog("Found valid key:%012"llx, key64); + PrintAndLog("Found valid key:%012" PRIx64, key64); // transfer key to the emulator if (transferToEml) { @@ -665,7 +691,7 @@ int CmdHF14AMfNested(const char *Cmd) clock_t time1; time1 = clock(); - e_sector = calloc(SectorsCnt, sizeof(sector)); + e_sector = calloc(SectorsCnt, sizeof(sector_t)); if (e_sector == NULL) return 1; //test current key and additional standard keys first @@ -725,7 +751,7 @@ int CmdHF14AMfNested(const char *Cmd) key64 = bytes_to_num(keyBlock, 6); if (key64) { - PrintAndLog("Found valid key:%012"llx, key64); + PrintAndLog("Found valid key:%012" PRIx64, key64); e_sector[sectorNo].foundKey[trgKeyType] = 1; e_sector[sectorNo].Key[trgKeyType] = key64; } @@ -741,7 +767,7 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("|sec|key A |res|key B |res|"); PrintAndLog("|---|----------------|---|----------------|---|"); for (i = 0; i < SectorsCnt; i++) { - PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i, + PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i, e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]); } PrintAndLog("|---|----------------|---|----------------|---|"); @@ -875,7 +901,6 @@ int CmdHF14AMfChk(const char *Cmd) break; default: PrintAndLog("Key type must be A , B or ?"); - free(keyBlock); return 1; }; @@ -934,7 +959,7 @@ int CmdHF14AMfChk(const char *Cmd) } memset(keyBlock + 6 * keycnt, 0, 6); num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt); - PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); + PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); keycnt++; memset(buf, 0, sizeof(buf)); } @@ -978,7 +1003,7 @@ int CmdHF14AMfChk(const char *Cmd) res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64); if (res != 1) { if (!res) { - PrintAndLog("Found valid key:[%012"llx"]",key64); + PrintAndLog("Found valid key:[%012" PRIx64 "]",key64); num_to_bytes(key64, 6, foundKey[t][i]); validKey[t][i] = true; } @@ -1025,73 +1050,309 @@ int CmdHF14AMfChk(const char *Cmd) return 0; } -int CmdHF14AMf1kSim(const char *Cmd) -{ - uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0}; +void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) { + #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim() + uint64_t key = 0; + typedef struct { + uint64_t keyA; + uint64_t keyB; + } st_t; + st_t sector_trailer[ATTACK_KEY_COUNT]; + memset(sector_trailer, 0x00, sizeof(sector_trailer)); + + uint8_t stSector[ATTACK_KEY_COUNT]; + memset(stSector, 0x00, sizeof(stSector)); + uint8_t key_cnt[ATTACK_KEY_COUNT]; + memset(key_cnt, 0x00, sizeof(key_cnt)); + + for (uint8_t i = 0; i 0) { + //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); + if (doStandardAttack && mfkey32(ar_resp[i], &key)) { + PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); + + for (uint8_t ii = 0; ii0) { + uint8_t memBlock[16]; + memset(memBlock, 0x00, sizeof(memBlock)); + char cmd1[36]; + memset(cmd1,0x00,sizeof(cmd1)); + snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF)); + PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1); + if (param_gethex(cmd1, 0, memBlock, 32)) { + PrintAndLog("block data must include 32 HEX symbols"); + return; + } + + UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}}; + memcpy(c.d.asBytes, memBlock, 16); + clearCommandBuffer(); + SendCommand(&c); + } + } + } + /* + //un-comment to use as well moebius attack + for (uint8_t i = ATTACK_KEY_COUNT; i 0) { + if (tryMfk32_moebius(ar_resp[i], &key)) { + PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); + } + } + }*/ +} + +int usage_hf14_mf1ksim(void) { + PrintAndLog("Usage: hf mf sim h u n i x"); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used"); + PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); + PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); + PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); + PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)"); + PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f ' (implies x and i)"); + PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works."); + PrintAndLog("samples:"); + PrintAndLog(" hf mf sim u 0a0a0a0a"); + PrintAndLog(" hf mf sim u 11223344556677"); + PrintAndLog(" hf mf sim u 112233445566778899AA"); + PrintAndLog(" hf mf sim f uids.txt"); + PrintAndLog(" hf mf sim u 0a0a0a0a e"); + + return 0; +} + +int CmdHF14AMf1kSim(const char *Cmd) { + UsbCommand resp; + uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; uint8_t exitAfterNReads = 0; uint8_t flags = 0; - - uint8_t cmdp = param_getchar(Cmd, 0); - - if (cmdp == 'h' || cmdp == 'H') { - PrintAndLog("Usage: hf mf sim u n i x"); - PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used"); - PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); - PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); - PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(""); - PrintAndLog(" sample: hf mf sim u 0a0a0a0a "); - return 0; - } + int uidlen = 0; uint8_t pnr = 0; - if (param_getchar(Cmd, pnr) == 'u') { - if(param_gethex(Cmd, pnr+1, uid, 8) == 0) - { - flags |= FLAG_4B_UID_IN_DATA; // UID from packet - } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) { - flags |= FLAG_7B_UID_IN_DATA;// UID from packet - } else { - PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols"); - return 1; + bool setEmulatorMem = false; + bool attackFromFile = false; + FILE *f; + char filename[FILE_PATH_SIZE]; + memset(filename, 0x00, sizeof(filename)); + int len = 0; + char buf[64]; + + uint8_t cmdp = 0; + bool errors = false; + + while(param_getchar(Cmd, cmdp) != 0x00) { + switch(param_getchar(Cmd, cmdp)) { + case 'e': + case 'E': + setEmulatorMem = true; + //implies x and i + flags |= FLAG_INTERACTIVE; + flags |= FLAG_NR_AR_ATTACK; + cmdp++; + break; + case 'f': + case 'F': + len = param_getstr(Cmd, cmdp+1, filename); + if (len < 1) { + PrintAndLog("error no filename found"); + return 0; + } + attackFromFile = true; + //implies x and i + flags |= FLAG_INTERACTIVE; + flags |= FLAG_NR_AR_ATTACK; + cmdp += 2; + break; + case 'h': + case 'H': + return usage_hf14_mf1ksim(); + case 'i': + case 'I': + flags |= FLAG_INTERACTIVE; + cmdp++; + break; + case 'n': + case 'N': + exitAfterNReads = param_get8(Cmd, pnr+1); + cmdp += 2; + break; + case 'r': + case 'R': + flags |= FLAG_RANDOM_NONCE; + cmdp++; + break; + case 'u': + case 'U': + param_gethex_ex(Cmd, cmdp+1, uid, &uidlen); + switch(uidlen) { + case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete + case 14: flags = FLAG_7B_UID_IN_DATA; break; + case 8: flags = FLAG_4B_UID_IN_DATA; break; + default: return usage_hf14_mf1ksim(); + } + cmdp += 2; + break; + case 'x': + case 'X': + flags |= FLAG_NR_AR_ATTACK; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp)); + errors = true; + break; } - pnr +=2; - } - if (param_getchar(Cmd, pnr) == 'n') { - exitAfterNReads = param_get8(Cmd,pnr+1); - pnr += 2; - } - if (param_getchar(Cmd, pnr) == 'i' ) { - //Using a flag to signal interactiveness, least significant bit - flags |= FLAG_INTERACTIVE; - pnr++; + if(errors) break; } + //Validations + if(errors) return usage_hf14_mf1ksim(); - if (param_getchar(Cmd, pnr) == 'x' ) { - //Using a flag to signal interactiveness, least significant bit - flags |= FLAG_NR_AR_ATTACK; - } - PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ", - flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): - flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A" - , exitAfterNReads, flags,flags); + //get uid from file + if (attackFromFile) { + int count = 0; + // open file + f = fopen(filename, "r"); + if (f == NULL) { + PrintAndLog("File %s not found or locked", filename); + return 1; + } + PrintAndLog("Loading file and simulating. Press keyboard to abort"); + while(!feof(f) && !ukbhit()){ + memset(buf, 0, sizeof(buf)); + memset(uid, 0, sizeof(uid)); + if (fgets(buf, sizeof(buf), f) == NULL) { + if (count > 0) break; + + PrintAndLog("File reading error."); + fclose(f); + return 2; + } + if(!strlen(buf) && feof(f)) break; + + uidlen = strlen(buf)-1; + switch(uidlen) { + case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete + case 14: flags |= FLAG_7B_UID_IN_DATA; break; + case 8: flags |= FLAG_4B_UID_IN_DATA; break; + default: + PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf); + fclose(f); + return 2; + } - UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; - memcpy(c.d.asBytes, uid, sizeof(uid)); - clearCommandBuffer(); - SendCommand(&c); + for (uint8_t i = 0; i < uidlen; i += 2) { + sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]); + } + + PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort", + flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): + flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): + flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A" + , exitAfterNReads, flags, flags); + + UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; + memcpy(c.d.asBytes, uid, sizeof(uid)); + clearCommandBuffer(); + SendCommand(&c); - if(flags & FLAG_INTERACTIVE) - { - UsbCommand resp; - PrintAndLog("Press pm3-button to abort simulation"); - while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - //We're waiting only 1.5 s at a time, otherwise we get the - //annoying message about "Waiting for a response... " + while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + //We're waiting only 1.5 s at a time, otherwise we get the + // annoying message about "Waiting for a response... " + } + //got a response + nonces_t ar_resp[ATTACK_KEY_COUNT*2]; + memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); + if ((bool)resp.arg[1]) { + PrintAndLog("Device button pressed - quitting"); + fclose(f); + return 4; + } + count++; + } + fclose(f); + } else { //not from file + + PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ", + flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): + flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): + flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A" + , exitAfterNReads, flags, flags); + + UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; + memcpy(c.d.asBytes, uid, sizeof(uid)); + clearCommandBuffer(); + SendCommand(&c); + + if(flags & FLAG_INTERACTIVE) { + PrintAndLog("Press pm3-button to abort simulation"); + while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { + //We're waiting only 1.5 s at a time, otherwise we get the + // annoying message about "Waiting for a response... " + } + //got a response + if (flags & FLAG_NR_AR_ATTACK) { + nonces_t ar_resp[ATTACK_KEY_COUNT*2]; + memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); + } } } - + return 0; } @@ -1155,6 +1416,7 @@ int CmdHF14AMfEClear(const char *Cmd) return 0; } + int CmdHF14AMfESet(const char *Cmd) { uint8_t memBlock[16]; @@ -1182,6 +1444,7 @@ int CmdHF14AMfESet(const char *Cmd) return 0; } + int CmdHF14AMfELoad(const char *Cmd) { FILE * f; @@ -1191,13 +1454,13 @@ int CmdHF14AMfELoad(const char *Cmd) uint8_t buf8[64] = {0x00}; int i, len, blockNum, numBlocks; int nameParamNo = 1; - uint8_t blockWidth = 32; + char ctmp = param_getchar(Cmd, 0); if ( ctmp == 'h' || ctmp == 0x00) { PrintAndLog("It loads emul dump from the file `filename.eml`"); - PrintAndLog("Usage: hf mf eload [card memory] [numblocks]"); - PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL"); + PrintAndLog("Usage: hf mf eload [card memory] "); + PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); PrintAndLog(""); PrintAndLog(" sample: hf mf eload filename"); PrintAndLog(" hf mf eload 4 filename"); @@ -1210,17 +1473,14 @@ int CmdHF14AMfELoad(const char *Cmd) case '\0': numBlocks = 16*4; break; case '2' : numBlocks = 32*4; break; case '4' : numBlocks = 256; break; - case 'U' : // fall through - case 'u' : numBlocks = 255; blockWidth = 8; break; default: { numBlocks = 16*4; nameParamNo = 0; } } - uint32_t numblk2 = param_get32ex(Cmd,2,0,10); - if (numblk2 > 0) numBlocks = numblk2; len = param_getstr(Cmd,nameParamNo,filename); + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; fnameptr += len; @@ -1247,18 +1507,19 @@ int CmdHF14AMfELoad(const char *Cmd) return 2; } - if (strlen(buf) < blockWidth){ + if (strlen(buf) < 32){ if(strlen(buf) && feof(f)) break; - PrintAndLog("File content error. Block data must include %d HEX symbols", blockWidth); + PrintAndLog("File content error. Block data must include 32 HEX symbols"); fclose(f); return 2; } - for (i = 0; i < blockWidth; i += 2) { + for (i = 0; i < 32; i += 2) { sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); - } - if (mfEmlSetMem_xt(buf8, blockNum, 1, blockWidth/2)) { + } + + if (mfEmlSetMem(buf8, blockNum, 1)) { PrintAndLog("Cant set emul block: %3d", blockNum); fclose(f); return 3; @@ -1279,6 +1540,7 @@ int CmdHF14AMfELoad(const char *Cmd) return 0; } + int CmdHF14AMfESave(const char *Cmd) { FILE * f; @@ -1364,6 +1626,7 @@ int CmdHF14AMfESave(const char *Cmd) return 0; } + int CmdHF14AMfECFill(const char *Cmd) { uint8_t keyType = 0; @@ -1403,6 +1666,7 @@ int CmdHF14AMfECFill(const char *Cmd) return 0; } + int CmdHF14AMfEKeyPrn(const char *Cmd) { int i; @@ -1410,9 +1674,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) uint8_t data[16]; uint64_t keyA, keyB; - char cmdp = param_getchar(Cmd, 0); - - if ( cmdp == 'h' || cmdp == 'H') { + if (param_getchar(Cmd, 0) == 'h') { PrintAndLog("It prints the keys loaded in the emulator memory"); PrintAndLog("Usage: hf mf ekeyprn [card memory]"); PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); @@ -1421,6 +1683,8 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) return 0; } + char cmdp = param_getchar(Cmd, 0); + switch (cmdp) { case '0' : numSectors = 5; break; case '1' : @@ -1440,13 +1704,14 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) } keyA = bytes_to_num(data, 6); keyB = bytes_to_num(data + 10, 6); - PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB); + PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB); } PrintAndLog("|---|----------------|----------------|"); return 0; } + int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; @@ -1520,7 +1785,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd) { uint8_t memBlock[16] = {0x00}; uint8_t blockNo = 0; - uint8_t params = MAGIC_SINGLE; + bool wipeCard = false; int res; if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { @@ -1539,12 +1804,10 @@ int CmdHF14AMfCSetBlk(const char *Cmd) } char ctmp = param_getchar(Cmd, 2); - if (ctmp == 'w' || ctmp == 'W') - params |= MAGIC_WIPE; - + wipeCard = (ctmp == 'w' || ctmp == 'W'); PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16)); - res = mfCSetBlock(blockNo, memBlock, NULL, params); + res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER); if (res) { PrintAndLog("Can't write block. error=%d", res); return 1; @@ -1552,21 +1815,18 @@ int CmdHF14AMfCSetBlk(const char *Cmd) return 0; } + int CmdHF14AMfCLoad(const char *Cmd) { FILE * f; - char filename[FILE_PATH_SIZE]; + char filename[FILE_PATH_SIZE] = {0x00}; char * fnameptr = filename; char buf[64] = {0x00}; uint8_t buf8[64] = {0x00}; uint8_t fillFromEmulator = 0; int i, len, blockNum, flags=0; - memset(filename, 0, sizeof(filename)); - - char ctmp = param_getchar(Cmd, 0); - - if (ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) { + if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) { PrintAndLog("It loads magic Chinese card from the file `filename.eml`"); PrintAndLog("or from emulator memory (option `e`)"); PrintAndLog("Usage: hf mf cload "); @@ -1575,6 +1835,7 @@ int CmdHF14AMfCLoad(const char *Cmd) return 0; } + char ctmp = param_getchar(Cmd, 0); if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1; if (fillFromEmulator) { @@ -1583,11 +1844,11 @@ int CmdHF14AMfCLoad(const char *Cmd) PrintAndLog("Cant get block: %d", blockNum); return 2; } - if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC; // switch on field and send magic sequence + if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence if (blockNum == 1) flags = 0; // just write - if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; // Done. Magic Halt and switch off field. + if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Magic Halt and switch off field. - if (mfCSetBlock(blockNum, buf8, NULL, flags)) { + if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) { PrintAndLog("Cant set magic card block: %d", blockNum); return 3; } @@ -1630,12 +1891,13 @@ int CmdHF14AMfCLoad(const char *Cmd) for (i = 0; i < 32; i += 2) sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); - if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC; // switch on field and send magic sequence + if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence if (blockNum == 1) flags = 0; // just write - if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; // Done. Switch off field. + if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Switch off field. - if (mfCSetBlock(blockNum, buf8, NULL, flags)) { + if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) { PrintAndLog("Can't set magic card block: %d", blockNum); + fclose(f); return 3; } blockNum++; @@ -1655,13 +1917,12 @@ int CmdHF14AMfCLoad(const char *Cmd) } int CmdHF14AMfCGetBlk(const char *Cmd) { - uint8_t data[16]; + uint8_t memBlock[16]; uint8_t blockNo = 0; int res; - memset(data, 0x00, sizeof(data)); - char ctmp = param_getchar(Cmd, 0); + memset(memBlock, 0x00, sizeof(memBlock)); - if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') { + if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { PrintAndLog("Usage: hf mf cgetblk "); PrintAndLog("sample: hf mf cgetblk 1"); PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n"); @@ -1672,29 +1933,28 @@ int CmdHF14AMfCGetBlk(const char *Cmd) { PrintAndLog("--block number:%2d ", blockNo); - res = mfCGetBlock(blockNo, data, MAGIC_SINGLE); + res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER); if (res) { PrintAndLog("Can't read block. error=%d", res); return 1; } - PrintAndLog("block data:%s", sprint_hex(data, sizeof(data))); + PrintAndLog("block data:%s", sprint_hex(memBlock, 16)); return 0; } + int CmdHF14AMfCGetSc(const char *Cmd) { - uint8_t data[16]; + uint8_t memBlock[16] = {0x00}; uint8_t sectorNo = 0; int i, res, flags; - memset(data, 0x00, sizeof(data)); - char ctmp = param_getchar(Cmd, 0); - if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') { + if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { PrintAndLog("Usage: hf mf cgetsc "); PrintAndLog("sample: hf mf cgetsc 0"); PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n"); return 0; - } + } sectorNo = param_get8(Cmd, 0); if (sectorNo > 15) { @@ -1703,37 +1963,37 @@ int CmdHF14AMfCGetSc(const char *Cmd) { } PrintAndLog("--sector number:%d ", sectorNo); - PrintAndLog("block | data"); - flags = MAGIC_INIT + MAGIC_WUPC; + flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; for (i = 0; i < 4; i++) { if (i == 1) flags = 0; - if (i == 3) flags = MAGIC_HALT + MAGIC_OFF; + if (i == 3) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; - res = mfCGetBlock(sectorNo * 4 + i, data, flags); + res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags); if (res) { PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res); return 1; } - PrintAndLog(" %3d | %s", sectorNo * 4 + i, sprint_hex(data, sizeof(data))); + + PrintAndLog("block %3d data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16)); } return 0; } + int CmdHF14AMfCSave(const char *Cmd) { FILE * f; - char filename[FILE_PATH_SIZE]; + char filename[FILE_PATH_SIZE] = {0x00}; char * fnameptr = filename; uint8_t fillFromEmulator = 0; - uint8_t buf[64]; + uint8_t buf[64] = {0x00}; int i, j, len, flags; + + // memset(filename, 0, sizeof(filename)); + // memset(buf, 0, sizeof(buf)); - memset(filename, 0, sizeof(filename)); - memset(buf, 0, sizeof(buf)); - char ctmp = param_getchar(Cmd, 0); - - if ( ctmp == 'h' || ctmp == 'H' ) { + if (param_getchar(Cmd, 0) == 'h') { PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`"); PrintAndLog("or into emulator memory (option `e`)"); PrintAndLog("Usage: hf mf esave [file name w/o `.eml`][e]"); @@ -1741,21 +2001,23 @@ int CmdHF14AMfCSave(const char *Cmd) { PrintAndLog(" hf mf esave filename"); PrintAndLog(" hf mf esave e \n"); return 0; - } + } + + char ctmp = param_getchar(Cmd, 0); if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1; if (fillFromEmulator) { // put into emulator - flags = MAGIC_INIT + MAGIC_WUPC; + flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; for (i = 0; i < 16 * 4; i++) { if (i == 1) flags = 0; - if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; - + if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; + if (mfCGetBlock(i, buf, flags)) { PrintAndLog("Cant get block: %d", i); break; } - + if (mfEmlSetMem(buf, i, 1)) { PrintAndLog("Cant set emul block: %d", i); return 3; @@ -1765,15 +2027,15 @@ int CmdHF14AMfCSave(const char *Cmd) { } else { len = strlen(Cmd); if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; - - // get filename based on UID + if (len < 1) { - - if (mfCGetBlock(0, buf, MAGIC_SINGLE)) { + // get filename + if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) { PrintAndLog("Cant get block: %d", 0); len = sprintf(fnameptr, "dump"); fnameptr += len; - } else { + } + else { for (j = 0; j < 7; j++, fnameptr += 2) sprintf(fnameptr, "%02x", buf[j]); } @@ -1782,9 +2044,8 @@ int CmdHF14AMfCSave(const char *Cmd) { fnameptr += len; } - // add .eml extension sprintf(fnameptr, ".eml"); - + // open file f = fopen(filename, "w+"); @@ -1794,10 +2055,10 @@ int CmdHF14AMfCSave(const char *Cmd) { } // put hex - flags = MAGIC_INIT + MAGIC_WUPC; + flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; for (i = 0; i < 16 * 4; i++) { if (i == 1) flags = 0; - if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; + if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; if (mfCGetBlock(i, buf, flags)) { PrintAndLog("Cant get block: %d", i); @@ -1807,13 +2068,15 @@ int CmdHF14AMfCSave(const char *Cmd) { fprintf(f, "%02x", buf[j]); fprintf(f,"\n"); } - fflush(f); fclose(f); + PrintAndLog("Saved to file: %s", filename); + return 0; } } + int CmdHF14AMfSniff(const char *Cmd){ bool wantLogToFile = 0; @@ -1883,14 +2146,14 @@ int CmdHF14AMfSniff(const char *Cmd){ uint16_t traceLen = resp.arg[1]; len = resp.arg[2]; - if (res == 0) { + if (res == 0) { // we are done free(buf); - return 0; // we are done + return 0; } if (res == 1) { // there is (more) data to be transferred if (pckNum == 0) { // first packet, (re)allocate necessary buffer - if (traceLen > bufsize) { + if (traceLen > bufsize || buf == NULL) { uint8_t *p; if (buf == NULL) { // not yet allocated p = malloc(traceLen); @@ -1908,11 +2171,6 @@ int CmdHF14AMfSniff(const char *Cmd){ bufsize = traceLen; memset(buf, 0x00, traceLen); } - if (bufPtr == NULL) { - PrintAndLog("Cannot allocate memory for trace"); - free(buf); - return 2; - } memcpy(bufPtr, resp.d.asBytes, len); bufPtr += len; pckNum++; @@ -1970,7 +2228,7 @@ int CmdHF14AMfSniff(const char *Cmd){ } //needs nt, ar, at, Data to decrypt -int CmdHf14MfDecryptBytes(const char *Cmd){ +int CmdDecryptTraceCmds(const char *Cmd){ uint8_t data[50]; int len = 0; param_gethex_ex(Cmd,3,data,&len); @@ -2004,7 +2262,7 @@ static command_t CommandTable[] = {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"}, {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"}, {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"}, - {"decrypt", CmdHf14MfDecryptBytes,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"}, + {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"}, {NULL, NULL, 0, NULL} };