X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/b725f2ca21d11709b5e61595bd88ae260fee4c7f..cd91e41cb53263b0354aded7b5f6008e6f774ce6:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index e10a88f3..797b5657 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -21,8 +21,17 @@ int CmdHF14AMifare(const char *Cmd) uint64_t par_list = 0, ks_list = 0, r_key = 0; int16_t isOK = 0; int tmpchar; + uint8_t blockNo = 0; + + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'H' || cmdp == 'h') { + PrintAndLog("Usage: hf mf mifare "); + PrintAndLog(" sample: hf mf mifare 0"); + return 0; + } - UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}}; + blockNo = param_get8(Cmd, 0); + UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}}; // message printf("-------------------------------------------------------------------------\n"); @@ -54,13 +63,8 @@ start: } UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) { + if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { isOK = resp.arg[0]; - uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4); - nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4); - par_list = bytes_to_num(resp.d.asBytes + 8, 8); - ks_list = bytes_to_num(resp.d.asBytes + 16, 8); - nr = bytes_to_num(resp.d.asBytes + 24, 4); printf("\n\n"); switch (isOK) { case -1 : PrintAndLog("Button pressed. Aborted.\n"); break; @@ -70,6 +74,11 @@ start: PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break; default: ; } + uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4); + nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4); + par_list = bytes_to_num(resp.d.asBytes + 8, 8); + ks_list = bytes_to_num(resp.d.asBytes + 16, 8); + nr = bytes_to_num(resp.d.asBytes + 24, 4); break; } } @@ -87,14 +96,12 @@ start: c.arg[0] = false; goto start; } else { - isOK = 0; - printf("------------------------------------------------------------------\n"); PrintAndLog("Found valid key: %012"llx" \n", r_key); } + t1 = clock() - t1; - if ( t1 > 0 ){ - PrintAndLog("Time in darkside: %.0f ticks - %4.2f sec\n (%u)", (float)t1, ((float)t1)/CLOCKS_PER_SEC, CLOCKS_PER_SEC); - } + if ( t1 > 0 ) + PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1); return 0; } @@ -566,7 +573,7 @@ int CmdHF14AMfNested(const char *Cmd) uint8_t trgKeyType = 0; uint8_t SectorsCnt = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; - uint8_t keyBlock[14*6]; + uint8_t keyBlock[6*6]; uint64_t key64 = 0; bool transferToEml = false; @@ -586,10 +593,11 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("t - transfer keys into emulator memory"); PrintAndLog("d - write keys to binary file"); PrintAndLog(" "); - PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF "); - PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t "); - PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d "); - PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" samples:"); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); + PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); return 0; } @@ -640,40 +648,35 @@ int CmdHF14AMfNested(const char *Cmd) transferToEml |= (ctmp == 'd' || ctmp == 'D'); if (cmdp == 'o') { - PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A'); int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true); - if (isOK) { - switch (isOK) { - case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; - case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; - default : PrintAndLog("Unknown Error.\n"); - } - return 2; - } - key64 = bytes_to_num(keyBlock, 6); - if (key64) { - PrintAndLog("Found valid key:%012"llx, key64); - - // transfer key to the emulator - if (transferToEml) { - uint8_t sectortrailer; - if (trgBlockNo < 32*4) { // 4 block sector - sectortrailer = (trgBlockNo & 0x03) + 3; - } else { // 16 block sector - sectortrailer = (trgBlockNo & 0x0f) + 15; + switch (isOK) { + case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; + case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -4 : PrintAndLog("No valid key found"); break; + case -5 : + key64 = bytes_to_num(keyBlock, 6); + + // transfer key to the emulator + if (transferToEml) { + uint8_t sectortrailer; + if (trgBlockNo < 32*4) { // 4 block sector + sectortrailer = (trgBlockNo & 0x03) + 3; + } else { // 16 block sector + sectortrailer = (trgBlockNo & 0x0f) + 15; + } + mfEmlGetMem(keyBlock, sectortrailer, 1); + + if (!trgKeyType) + num_to_bytes(key64, 6, keyBlock); + else + num_to_bytes(key64, 6, &keyBlock[10]); + mfEmlSetMem(keyBlock, sectortrailer, 1); } - mfEmlGetMem(keyBlock, sectortrailer, 1); - - if (!trgKeyType) - num_to_bytes(key64, 6, keyBlock); - else - num_to_bytes(key64, 6, &keyBlock[10]); - mfEmlSetMem(keyBlock, sectortrailer, 1); - } - } else { - PrintAndLog("No valid key found"); + return 0; + default : PrintAndLog("Unknown Error.\n"); } + return 2; } else { // ------------------------------------ multiple sectors working clock_t t1 = clock(); @@ -688,14 +691,6 @@ int CmdHF14AMfNested(const char *Cmd) num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6)); num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6)); num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6)); - num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6)); - num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6)); - num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6)); - num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6)); - num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6)); - num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6)); - num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6)); - num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6)); PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt); for (i = 0; i < SectorsCnt; i++) { @@ -710,50 +705,60 @@ int CmdHF14AMfNested(const char *Cmd) } } } + clock_t t2 = clock() - t1; + if ( t2 > 0 ) + PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 ); + + PrintAndLog("enter nested..."); // nested sectors iterations = 0; - PrintAndLog("nested..."); bool calibrate = true; + for (i = 0; i < NESTED_SECTOR_RETRY; i++) { - for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { - for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { + for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; ++sectorNo) { + for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) { + if (e_sector[sectorNo].foundKey[trgKeyType]) continue; - PrintAndLog("-----------------------------------------------"); - int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate); - if(isOK) { - switch (isOK) { - case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; - case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; - default : PrintAndLog("Unknown Error.\n"); - } - free(e_sector); - return 2; - } else { - calibrate = false; - } - iterations++; - - key64 = bytes_to_num(keyBlock, 6); - if (key64) { - PrintAndLog("Found valid key:%012"llx, key64); - e_sector[sectorNo].foundKey[trgKeyType] = 1; - e_sector[sectorNo].Key[trgKeyType] = key64; + int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate); + switch (isOK) { + case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; + case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -4 : //key not found + calibrate = false; + iterations++; + continue; + case -5 : + calibrate = false; + iterations++; + e_sector[sectorNo].foundKey[trgKeyType] = 1; + e_sector[sectorNo].Key[trgKeyType] = bytes_to_num(keyBlock, 6); + continue; + + default : PrintAndLog("Unknown Error.\n"); } + free(e_sector); + return 2; } } } + + t1 = clock() - t1; + if ( t1 > 0 ) + PrintAndLog("Time in nested: %.0f ticks \n", (float)t1); // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? - PrintAndLog("testing to read B..."); + PrintAndLog("trying to read key B..."); for (i = 0; i < SectorsCnt; i++) { // KEY A but not KEY B if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); + PrintAndLog("Reading block %d", sectrail); + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A clearCommandBuffer(); @@ -769,15 +774,12 @@ int CmdHF14AMfNested(const char *Cmd) key64 = bytes_to_num(data+10, 6); if (key64) { PrintAndLog("Data:%s", sprint_hex(data+10, 6)); - e_sector[i].foundKey[1] = 1; + e_sector[i].foundKey[1] = TRUE; e_sector[i].Key[1] = key64; } } } - - t1 = clock() - t1; - if ( t1 > 0 ) - PrintAndLog("Time in nested: %.0f ticks %4.2f sec (%4.2f sec per key)\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/iterations/CLOCKS_PER_SEC); + //print them printKeyTable( SectorsCnt, e_sector ); @@ -982,8 +984,7 @@ int CmdHF14AMfChk(const char *Cmd) keyBlock = calloc(stKeyBlock, 6); if (keyBlock == NULL) return 1; - uint64_t defaultKeys[] = - { + uint64_t defaultKeys[] = { 0xffffffffffff, // Default key (first key used by program if no user defined key) 0x000000000000, // Blank key 0xa0a1a2a3a4a5, // NFCForum MAD key @@ -1001,9 +1002,8 @@ int CmdHF14AMfChk(const char *Cmd) int defaultKeysSize = sizeof(defaultKeys) / sizeof(uint64_t); for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++) - { num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6)); - } + if (param_getchar(Cmd, 0)=='*') { blockNo = 3; @@ -1014,9 +1014,9 @@ int CmdHF14AMfChk(const char *Cmd) case '4': SectorsCnt = 40; break; default: SectorsCnt = 16; } - } - else + } else { blockNo = param_get8(Cmd, 0); + } ctmp = param_getchar(Cmd, 1); switch (ctmp) { @@ -1050,7 +1050,7 @@ int CmdHF14AMfChk(const char *Cmd) } keyBlock = p; } - PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, + PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); keycnt++; @@ -1090,7 +1090,7 @@ int CmdHF14AMfChk(const char *Cmd) } memset(keyBlock + 6 * keycnt, 0, 6); num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt); - PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); + PrintAndLog("check key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); keycnt++; memset(buf, 0, sizeof(buf)); } @@ -1107,7 +1107,7 @@ int CmdHF14AMfChk(const char *Cmd) if (keycnt == 0) { PrintAndLog("No key specified, trying default keys"); for (;keycnt < defaultKeysSize; keycnt++) - PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, + PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); } @@ -1120,21 +1120,20 @@ int CmdHF14AMfChk(const char *Cmd) } uint8_t trgKeyType = 0; + uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt; // time clock_t t1 = clock(); // check keys. - for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) { + for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) { + int b = blockNo; for (int i = 0; i < SectorsCnt; ++i) { // skip already found keys. if (e_sector[i].foundKey[trgKeyType]) continue; - PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, trgKeyType ? 'B':'A', keycnt); - - uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt; for (uint32_t c = 0; c < keycnt; c += max_keys) { @@ -1142,26 +1141,35 @@ int CmdHF14AMfChk(const char *Cmd) res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64); if (!res) { - PrintAndLog("Found valid key:[%012"llx"]",key64); + //PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64); + e_sector[i].Key[trgKeyType] = key64; e_sector[i].foundKey[trgKeyType] = TRUE; break; - } else { + } else { e_sector[i].Key[trgKeyType] = 0xffffffffffff; e_sector[i].foundKey[trgKeyType] = FALSE; } + printf("."); + fflush(stdout); } b < 127 ? ( b +=4 ) : ( b += 16 ); } } + t1 = clock() - t1; + if ( t1 > 0 ) + printf("\nTime in checkkeys: %.0f ticks\n", (float)t1); + // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? PrintAndLog("testing to read B..."); for (i = 0; i < SectorsCnt; i++) { // KEY A but not KEY B if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { - + uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); + PrintAndLog("Reading block %d", sectrail); + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A clearCommandBuffer(); @@ -1182,10 +1190,7 @@ int CmdHF14AMfChk(const char *Cmd) } } } - - t1 = clock() - t1; - if ( t1 > 0 ) - printf("Time in checkkeys: %.0f ticks %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/keycnt/CLOCKS_PER_SEC); + //print them printKeyTable( SectorsCnt, e_sector ); @@ -1231,48 +1236,38 @@ int CmdHF14AMfChk(const char *Cmd) return 0; } -void printKeyTable( uint8_t sectorscnt, sector *e_sector ){ - PrintAndLog("|---|----------------|---|----------------|---|"); - PrintAndLog("|sec|key A |res|key B |res|"); - PrintAndLog("|---|----------------|---|----------------|---|"); - for (uint8_t i = 0; i < sectorscnt; ++i) { - PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i, - e_sector[i].Key[0], e_sector[i].foundKey[0], - e_sector[i].Key[1], e_sector[i].foundKey[1] - ); - } - PrintAndLog("|---|----------------|---|----------------|---|"); -} -int CmdHF14AMf1kSim(const char *Cmd) -{ - uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0}; +int CmdHF14AMf1kSim(const char *Cmd) { + uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; uint8_t exitAfterNReads = 0; uint8_t flags = 0; - + int uidlen = 0; uint8_t cmdp = param_getchar(Cmd, 0); if (cmdp == 'h' || cmdp == 'H') { PrintAndLog("Usage: hf mf sim u n i x"); PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used"); + PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID from emulator memory will be used"); PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(""); - PrintAndLog(" sample: hf mf sim u 0a0a0a0a "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf sim u 0a0a0a0a"); + PrintAndLog(" hf mf sim u 11223344556677"); + PrintAndLog(" hf mf sim u 112233445566778899AA"); return 0; } uint8_t pnr = 0; if (param_getchar(Cmd, pnr) == 'u') { - if(param_gethex(Cmd, pnr+1, uid, 8) == 0) - { - flags |= FLAG_4B_UID_IN_DATA; // UID from packet - } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) { - flags |= FLAG_7B_UID_IN_DATA;// UID from packet - } else { - PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols"); - return 1; + + param_gethex_ex(Cmd, pnr+1, uid, &uidlen); + switch(uidlen){ + case 20: flags |= FLAG_10B_UID_IN_DATA; break; + case 14: flags |= FLAG_7B_UID_IN_DATA; break; + case 8: flags |= FLAG_4B_UID_IN_DATA; break; + default: + PrintAndLog("UID, if specified, must include 8, 14 or 20 HEX symbols , %d", uidlen>>1); + return 1; } pnr +=2; } @@ -1283,24 +1278,20 @@ int CmdHF14AMf1kSim(const char *Cmd) } if (param_getchar(Cmd, pnr) == 'i' ) { - //Using a flag to signal interactiveness, least significant bit flags |= FLAG_INTERACTIVE; pnr++; } if (param_getchar(Cmd, pnr) == 'x' ) { - //Using a flag to signal interactiveness, least significant bit flags |= FLAG_NR_AR_ATTACK; } - PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ", - flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): - flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A" + PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) " + , (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen) , exitAfterNReads , flags , flags); - UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; memcpy(c.d.asBytes, uid, sizeof(uid)); clearCommandBuffer(); @@ -1318,43 +1309,32 @@ int CmdHF14AMf1kSim(const char *Cmd) if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue; if ( !(flags & FLAG_NR_AR_ATTACK) ) break; - if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; - memset(data, 0x00, sizeof(data)); - memset(key, 0x00, sizeof(key)); - int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; - - memcpy(data, resp.d.asBytes, len); - - uint64_t corr_uid = 0; - - // this IF? what was I thinking of? - if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) { - corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0]; - tryMfk32(corr_uid, data, key); - } else { - corr_uid |= (uint64_t)data[2] << 48; - corr_uid |= (uint64_t)data[1] << 40; - corr_uid |= (uint64_t)data[0] << 32; - corr_uid |= (uint64_t)data[7] << 24; - corr_uid |= (uint64_t)data[6] << 16; - corr_uid |= (uint64_t)data[5] << 8; - corr_uid |= (uint64_t)data[4]; - tryMfk64(corr_uid, data, key); - } - PrintAndLog("--"); + memset(data, 0x00, sizeof(data)); + memset(key, 0x00, sizeof(key)); + int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; + + memcpy(data, resp.d.asBytes, len); + + // CUID is always 4 first bytes. + uint64_t cuid = bytes_to_num(data, 4 ); + + // this needs to be fixed. ICEMAN + if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) { + tryMfk32(cuid, data, key); + } else { + tryMfk64(cuid, data, key); + } } } return 0; } -int CmdHF14AMfDbg(const char *Cmd) -{ +int CmdHF14AMfDbg(const char *Cmd) { int dbgMode = param_get32ex(Cmd, 0, 0, 10); - if (dbgMode > 4) { + if (dbgMode > 4) PrintAndLog("Max debug mode parameter is 4 \n"); - } if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) { PrintAndLog("Usage: hf mf dbg "); @@ -1369,10 +1349,24 @@ int CmdHF14AMfDbg(const char *Cmd) UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}}; SendCommand(&c); - return 0; } +void printKeyTable( uint8_t sectorscnt, sector *e_sector ){ + PrintAndLog("|---|----------------|---|----------------|---|"); + PrintAndLog("|sec|key A |res|key B |res|"); + PrintAndLog("|---|----------------|---|----------------|---|"); + for (uint8_t i = 0; i < sectorscnt; ++i) { + PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i, + e_sector[i].Key[0], e_sector[i].foundKey[0], + e_sector[i].Key[1], e_sector[i].foundKey[1] + ); + } + PrintAndLog("|---|----------------|---|----------------|---|"); +} + +// EMULATOR COMMANDS + int CmdHF14AMfEGet(const char *Cmd) { uint8_t blockNo = 0; @@ -1702,8 +1696,9 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) return 0; } -int CmdHF14AMfCSetUID(const char *Cmd) -{ +// CHINESE MAGIC COMMANDS + +int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; uint8_t uid[8] = {0x00}; uint8_t oldUid[8] = {0x00}; @@ -1715,11 +1710,13 @@ int CmdHF14AMfCSetUID(const char *Cmd) int argi=0; if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') { - PrintAndLog("Usage: hf mf csetuid [ATQA 4 hex symbols SAK 2 hex symbols] [w]"); - PrintAndLog("sample: hf mf csetuid 01020304"); - PrintAndLog("sample: hf mf csetuid 01020304 0004 08 w"); PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)"); PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line."); + PrintAndLog(""); + PrintAndLog("Usage: hf mf csetuid [ATQA 4 hex symbols SAK 2 hex symbols] [w]"); + PrintAndLog(""); + PrintAndLog("sample: hf mf csetuid 01020304"); + PrintAndLog(" hf mf csetuid 01020304 0004 08 w"); return 0; } @@ -1760,7 +1757,7 @@ int CmdHF14AMfCSetUID(const char *Cmd) PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4)); - res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard); + res = mfCSetUID(uid, (atqaPresent) ? atqa : NULL, (atqaPresent) ? sak : NULL, oldUid, wipeCard); if (res) { PrintAndLog("Can't set UID. error=%d", res); return 1; @@ -1771,8 +1768,7 @@ int CmdHF14AMfCSetUID(const char *Cmd) return 0; } -int CmdHF14AMfCSetBlk(const char *Cmd) -{ +int CmdHF14AMfCSetBlk(const char *Cmd) { uint8_t block[16] = {0x00}; uint8_t blockNo = 0; uint8_t params = MAGIC_SINGLE; @@ -1807,8 +1803,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd) return 0; } -int CmdHF14AMfCLoad(const char *Cmd) -{ +int CmdHF14AMfCLoad(const char *Cmd) { FILE * f; char filename[FILE_PATH_SIZE]; char * fnameptr = filename; @@ -2071,6 +2066,8 @@ int CmdHF14AMfCSave(const char *Cmd) { } } + + int CmdHF14AMfSniff(const char *Cmd){ bool wantLogToFile = 0; @@ -2085,15 +2082,17 @@ int CmdHF14AMfSniff(const char *Cmd){ int blockLen = 0; int pckNum = 0; int num = 0; - uint8_t uid[7]; - uint8_t uid_len; - uint8_t atqa[2] = {0x00}; - uint8_t sak; + uint8_t uid[10]; + uint8_t uid_len = 0; + uint8_t atqa[2] = {0x00, 0x00}; + uint8_t sak = 0; bool isTag; uint8_t *buf = NULL; uint16_t bufsize = 0; uint8_t *bufPtr = NULL; + memset(uid, 0x00, sizeof(uid)); + char ctmp = param_getchar(Cmd, 0); if ( ctmp == 'h' || ctmp == 'H' ) { PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file."); @@ -2142,9 +2141,10 @@ int CmdHF14AMfSniff(const char *Cmd){ uint16_t traceLen = resp.arg[1]; len = resp.arg[2]; + // we are done? if (res == 0) { free(buf); - return 0; // we are done + return 0; } if (res == 1) { // there is (more) data to be transferred @@ -2197,21 +2197,21 @@ int CmdHF14AMfSniff(const char *Cmd){ memcpy(atqa, bufPtr + 2 + 7, 2); uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4; sak = bufPtr[11]; - PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x", + PrintAndLog("tag select uid| %s atqa:0x%02x%02x sak:0x%02x", sprint_hex(uid + (7 - uid_len), uid_len), atqa[1], atqa[0], sak); if (wantLogToFile || wantDecrypt) { - FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len); + FillFileNameByUID(logHexFileName, uid + (10 - uid_len), ".log", uid_len); AddLogCurrentDT(logHexFileName); } if (wantDecrypt) mfTraceInit(uid, atqa, sak, wantSaveToEmlFile); } else { - PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len)); + PrintAndLog("%03d| %s |%s", num, isTag ? "TAG" : "RDR", sprint_hex(bufPtr, len)); if (wantLogToFile) - AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len); + AddLogHex(logHexFileName, isTag ? "TAG| ":"RDR| ", bufPtr, len); if (wantDecrypt) mfTraceDecode(bufPtr, len, wantSaveToEmlFile); num++;