X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/c830303d7efc90879cf2124a484991f38c58654d..94422fa23f2a9fe21d9d13286bde0e4e06a74c4f:/client/cmdhfmf.c
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 58d2061a..e41afb6a 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -19,7 +19,6 @@ int CmdHF14AMifare(const char *Cmd)
uint32_t nt = 0, nr = 0;
uint64_t par_list = 0, ks_list = 0, r_key = 0;
int16_t isOK = 0;
- uint8_t keyBlock[8] = {0};
UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
@@ -35,7 +34,7 @@ start:
SendCommand(&c);
//flush queue
- while (ukbhit()) getchar();
+ while (ukbhit()) getchar();
// wait cycle
while (true) {
@@ -60,6 +59,8 @@ start:
case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;
case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;
case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;
+ case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
+ PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
default: ;
}
break;
@@ -75,22 +76,13 @@ start:
if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {
isOK = 2;
PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);
- } else {
- printf("------------------------------------------------------------------\n");
- PrintAndLog("Key found:%012"llx" \n", r_key);
-
- num_to_bytes(r_key, 6, keyBlock);
- isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);
- }
-
- if (!isOK)
- PrintAndLog("Found valid key:%012"llx, r_key);
- else
- {
- if (isOK != 2) PrintAndLog("Found invalid key. ");
PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");
c.arg[0] = false;
goto start;
+ } else {
+ isOK = 0;
+ printf("------------------------------------------------------------------\n");
+ PrintAndLog("Found valid key: %012"llx" \n", r_key);
}
PrintAndLog("");
@@ -130,10 +122,11 @@ int CmdHF14AMfWrBl(const char *Cmd)
PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6));
PrintAndLog("--data: %s", sprint_hex(bldata, 16));
- UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
+ UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
memcpy(c.d.asBytes + 10, bldata, 16);
- SendCommand(&c);
+ clearCommandBuffer();
+ SendCommand(&c);
UsbCommand resp;
if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
@@ -174,9 +167,10 @@ int CmdHF14AMfRdBl(const char *Cmd)
}
PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6));
- UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
+ UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
- SendCommand(&c);
+ clearCommandBuffer();
+ SendCommand(&c);
UsbCommand resp;
if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
@@ -229,6 +223,7 @@ int CmdHF14AMfRdSc(const char *Cmd)
UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
+ clearCommandBuffer();
SendCommand(&c);
PrintAndLog(" ");
@@ -335,6 +330,7 @@ int CmdHF14AMfDump(const char *Cmd)
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
+ clearCommandBuffer();
SendCommand(&c);
if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
@@ -369,6 +365,7 @@ int CmdHF14AMfDump(const char *Cmd)
if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
+ clearCommandBuffer();
SendCommand(&c);
received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
} else { // data block. Check if it can be read with key A or key B
@@ -384,6 +381,7 @@ int CmdHF14AMfDump(const char *Cmd)
} else { // key A would work
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
+ clearCommandBuffer();
SendCommand(&c);
received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
}
@@ -476,7 +474,6 @@ int CmdHF14AMfRestore(const char *Cmd)
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
PrintAndLog("File reading error (dumpkeys.bin).");
-
fclose(fkeys);
return 2;
}
@@ -527,6 +524,7 @@ int CmdHF14AMfRestore(const char *Cmd)
PrintAndLog("Writing to block %3d: %s", FirstBlockOfSector(sectorNo) + blockNo, sprint_hex(bldata, 16));
memcpy(c.d.asBytes + 10, bldata, 16);
+ clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
@@ -690,7 +688,7 @@ int CmdHF14AMfNested(const char *Cmd)
for (j = 0; j < 2; j++) {
if (e_sector[i].foundKey[j]) continue;
- res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64);
+ res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);
if (!res) {
e_sector[i].Key[j] = key64;
@@ -974,7 +972,7 @@ int CmdHF14AMfChk(const char *Cmd)
uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;
for (uint32_t c = 0; c < keycnt; c+=max_keys) {
uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;
- res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);
+ res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
if (res != 1) {
if (!res) {
PrintAndLog("Found valid key:[%012"llx"]",key64);
@@ -1032,8 +1030,6 @@ int CmdHF14AMf1kSim(const char *Cmd)
uint8_t cmdp = param_getchar(Cmd, 0);
- clearCommandBuffer();
-
if (cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");
PrintAndLog(" h this help");
@@ -1080,6 +1076,7 @@ int CmdHF14AMf1kSim(const char *Cmd)
UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
memcpy(c.d.asBytes, uid, sizeof(uid));
+ clearCommandBuffer();
SendCommand(&c);
if(flags & FLAG_INTERACTIVE)
@@ -1140,10 +1137,10 @@ int CmdHF14AMfDbg(const char *Cmd)
return 0;
}
- UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
- SendCommand(&c);
+ UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}};
+ SendCommand(&c);
- return 0;
+ return 0;
}
int CmdHF14AMfEGet(const char *Cmd)
@@ -1177,12 +1174,11 @@ int CmdHF14AMfEClear(const char *Cmd)
return 0;
}
- UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};
- SendCommand(&c);
- return 0;
+ UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}};
+ SendCommand(&c);
+ return 0;
}
-
int CmdHF14AMfESet(const char *Cmd)
{
uint8_t memBlock[16];
@@ -1210,7 +1206,6 @@ int CmdHF14AMfESet(const char *Cmd)
return 0;
}
-
int CmdHF14AMfELoad(const char *Cmd)
{
FILE * f;
@@ -1220,13 +1215,13 @@ int CmdHF14AMfELoad(const char *Cmd)
uint8_t buf8[64] = {0x00};
int i, len, blockNum, numBlocks;
int nameParamNo = 1;
-
+ uint8_t blockWidth = 32;
char ctmp = param_getchar(Cmd, 0);
- if ( ctmp == 'h' || ctmp == 0x00) {
+ if ( ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) {
PrintAndLog("It loads emul dump from the file `filename.eml`");
PrintAndLog("Usage: hf mf eload [card memory] <file name w/o `.eml`>");
- PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
+ PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL");
PrintAndLog("");
PrintAndLog(" sample: hf mf eload filename");
PrintAndLog(" hf mf eload 4 filename");
@@ -1239,6 +1234,8 @@ int CmdHF14AMfELoad(const char *Cmd)
case '\0': numBlocks = 16*4; break;
case '2' : numBlocks = 32*4; break;
case '4' : numBlocks = 256; break;
+ case 'U' : // fall through , NTAG 215 has 135blocks a 540 bytes.
+ case 'u' : numBlocks = 135; blockWidth = 8; break;
default: {
numBlocks = 16*4;
nameParamNo = 0;
@@ -1273,19 +1270,18 @@ int CmdHF14AMfELoad(const char *Cmd)
return 2;
}
- if (strlen(buf) < 32){
+ if (strlen(buf) < blockWidth){
if(strlen(buf) && feof(f))
break;
- PrintAndLog("File content error. Block data must include 32 HEX symbols");
+ PrintAndLog("File content error. Block data must include %d HEX symbols", blockWidth);
fclose(f);
return 2;
}
- for (i = 0; i < 32; i += 2) {
+ for (i = 0; i < blockWidth; i += 2) {
sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);
}
-
- if (mfEmlSetMem(buf8, blockNum, 1)) {
+ if (mfEmlSetMem_xt(buf8, blockNum, 1, blockWidth/2)) {
PrintAndLog("Cant set emul block: %3d", blockNum);
fclose(f);
return 3;
@@ -1306,7 +1302,6 @@ int CmdHF14AMfELoad(const char *Cmd)
return 0;
}
-
int CmdHF14AMfESave(const char *Cmd)
{
FILE * f;
@@ -1392,7 +1387,6 @@ int CmdHF14AMfESave(const char *Cmd)
return 0;
}
-
int CmdHF14AMfECFill(const char *Cmd)
{
uint8_t keyType = 0;
@@ -1432,15 +1426,16 @@ int CmdHF14AMfECFill(const char *Cmd)
return 0;
}
-
int CmdHF14AMfEKeyPrn(const char *Cmd)
{
int i;
uint8_t numSectors;
uint8_t data[16];
uint64_t keyA, keyB;
+
+ char cmdp = param_getchar(Cmd, 0);
- if (param_getchar(Cmd, 0) == 'h') {
+ if ( cmdp == 'h' || cmdp == 'H' ) {
PrintAndLog("It prints the keys loaded in the emulator memory");
PrintAndLog("Usage: hf mf ekeyprn [card memory]");
PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K");
@@ -1449,8 +1444,6 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
return 0;
}
- char cmdp = param_getchar(Cmd, 0);
-
switch (cmdp) {
case '0' : numSectors = 5; break;
case '1' :
@@ -1477,7 +1470,6 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
return 0;
}
-
int CmdHF14AMfCSetUID(const char *Cmd)
{
uint8_t wipeCard = 0;
@@ -1581,7 +1573,6 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
return 0;
}
-
int CmdHF14AMfCLoad(const char *Cmd)
{
FILE * f;
@@ -1591,8 +1582,10 @@ int CmdHF14AMfCLoad(const char *Cmd)
uint8_t buf8[64] = {0x00};
uint8_t fillFromEmulator = 0;
int i, len, blockNum, flags=0;
+
+ char ctmp = param_getchar(Cmd, 0);
- if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
+ if (ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) {
PrintAndLog("It loads magic Chinese card from the file `filename.eml`");
PrintAndLog("or from emulator memory (option `e`)");
PrintAndLog("Usage: hf mf cload <file name w/o `.eml`>");
@@ -1601,7 +1594,6 @@ int CmdHF14AMfCLoad(const char *Cmd)
return 0;
}
- char ctmp = param_getchar(Cmd, 0);
if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;
if (fillFromEmulator) {
@@ -1708,7 +1700,6 @@ int CmdHF14AMfCGetBlk(const char *Cmd) {
return 0;
}
-
int CmdHF14AMfCGetSc(const char *Cmd) {
uint8_t memBlock[16] = {0x00};
uint8_t sectorNo = 0;
@@ -1745,7 +1736,6 @@ int CmdHF14AMfCGetSc(const char *Cmd) {
return 0;
}
-
int CmdHF14AMfCSave(const char *Cmd) {
FILE * f;
@@ -1757,8 +1747,9 @@ int CmdHF14AMfCSave(const char *Cmd) {
// memset(filename, 0, sizeof(filename));
// memset(buf, 0, sizeof(buf));
-
- if (param_getchar(Cmd, 0) == 'h') {
+ char ctmp = param_getchar(Cmd, 0);
+
+ if ( ctmp == 'h' || ctmp == 'H' ) {
PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`");
PrintAndLog("or into emulator memory (option `e`)");
PrintAndLog("Usage: hf mf esave [file name w/o `.eml`][e]");
@@ -1767,8 +1758,6 @@ int CmdHF14AMfCSave(const char *Cmd) {
PrintAndLog(" hf mf esave e \n");
return 0;
}
-
- char ctmp = param_getchar(Cmd, 0);
if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;
if (fillFromEmulator) {
@@ -1840,7 +1829,6 @@ int CmdHF14AMfCSave(const char *Cmd) {
}
}
-
int CmdHF14AMfSniff(const char *Cmd){
bool wantLogToFile = 0;
@@ -1988,6 +1976,25 @@ int CmdHF14AMfSniff(const char *Cmd){
return 0;
}
+//needs nt, ar, at, Data to decrypt
+int CmdHf14MfDecryptBytes(const char *Cmd){
+ uint8_t data[50];
+
+ uint32_t nt = param_get32ex(Cmd,0,0,16);
+ uint32_t ar_enc = param_get32ex(Cmd,1,0,16);
+ uint32_t at_enc = param_get32ex(Cmd,2,0,16);
+
+ int len = 0;
+ param_gethex_ex(Cmd, 3, data, &len);
+
+ len /= 2;
+ int limit = sizeof(data) / 2;
+
+ if ( len >= limit )
+ len = limit;
+
+ return tryDecryptWord( nt, ar_enc, at_enc, data, len);
+}
static command_t CommandTable[] =
{
@@ -2016,6 +2023,7 @@ static command_t CommandTable[] =
{"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},
{"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},
{"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},
+ {"decrypt", CmdHf14MfDecryptBytes, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
{NULL, NULL, 0, NULL}
};