X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/e108a48ac415ab2b1fc212c63ad1a2e68efd5e4e..2ce218042d2aebdfa4c5a58f19e6550f367c5d81:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 0ea171af..36438d7f 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -24,19 +24,20 @@ int usage_hf14_mifare(void){ return 0; } int usage_hf14_mf1ksim(void){ - PrintAndLog("Usage: hf mf sim [h] u n i x"); + PrintAndLog("Usage: hf mf sim [h] u n [i] [x] [e] [v]"); PrintAndLog("options:"); PrintAndLog(" h this help"); PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used"); PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); - PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(" e (Optional) Fill simulator keys from what we crack"); - PrintAndLog(" v (Optional) Show maths used for cracking reader. Useful for debugging."); + PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a reader"); + PrintAndLog(" e (Optional) Fill simulator keys from found keys"); + PrintAndLog(" v (Optional) Verbose"); PrintAndLog("samples:"); PrintAndLog(" hf mf sim u 0a0a0a0a"); PrintAndLog(" hf mf sim u 11223344556677"); PrintAndLog(" hf mf sim u 112233445566778899AA"); + PrintAndLog(" hf mf sim u 11223344 i x"); return 0; } int usage_hf14_dbg(void){ @@ -1381,64 +1382,67 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) { k_sector[i].foundKey[1] = FALSE; } - printf("enter reader attack\n"); + if (verbose) printf("enter Moebius attack (mfkey32v2) \n"); + for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) { - if (data[i].ar2 > 0) { + + // if no-collected data + if (data[i].ar2 == 0) continue; - // We can probably skip this, mfkey32v2 is more reliable. + // We can probably skip this, mfkey32v2 is more reliable. #ifdef HFMF_TRYMFK32 - if (tryMfk32(data[i], &key, verbose)) { - PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" - , (data[i].keytype) ? "B" : "A" - , data[i].sector - , key - ); - - k_sector[i].Key[data[i].keytype] = key; - k_sector[i].foundKey[data[i].keytype] = TRUE; - - //set emulator memory for keys - if (setEmulatorMem) { - uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; - num_to_bytes( k_sector[i].Key[0], 6, memBlock); - num_to_bytes( k_sector[i].Key[1], 6, memBlock+10); - PrintAndLog("Setting Emulator Memory Block %02d: [%s]" - , ((data[i].sector)*4) + 3 - , sprint_hex( memBlock, sizeof(memBlock)) - ); - mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1); - } - continue; + if (tryMfk32(data[i], &key, verbose)) { + PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" + , (data[i].keytype) ? "B" : "A" + , data[i].sector + , key + ); + + k_sector[i].Key[data[i].keytype] = key; + k_sector[i].foundKey[data[i].keytype] = TRUE; + + //set emulator memory for keys + if (setEmulatorMem) { + uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; + num_to_bytes( k_sector[i].Key[0], 6, memBlock); + num_to_bytes( k_sector[i].Key[1], 6, memBlock+10); + PrintAndLog("Setting Emulator Memory Block %02d: [%s]" + , ((data[i].sector)*4) + 3 + , sprint_hex( memBlock, sizeof(memBlock)) + ); + mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1); } + continue; + } #endif - //moebius attack - if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) { - uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector; - uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype; - - PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]" - , keyType ? "B" : "A" - , sectorNum - , key - ); - - k_sector[sectorNum].Key[keyType] = key; - k_sector[sectorNum].foundKey[keyType] = TRUE; - - //set emulator memory for keys - if (setEmulatorMem) { - uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; - num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock); - num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10); - PrintAndLog("Setting Emulator Memory Block %02d: [%s]" - , (sectorNum*4) + 3 - , sprint_hex( memBlock, sizeof(memBlock)) - ); - mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1); - } - continue; + + //moebius attack + if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) { + uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector; + uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype; + + PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012"llx"]" + , keyType ? "B" : "A" + , sectorNum + , key + ); + + k_sector[sectorNum].Key[keyType] = key; + k_sector[sectorNum].foundKey[keyType] = TRUE; + + //set emulator memory for keys + if (setEmulatorMem) { + uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; + num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock); + num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10); + //iceman, guessing this will not work so well for 4K tags. + PrintAndLog("Setting Emulator Memory Block %02d: [%s]" + , (sectorNum*4) + 3 + , sprint_hex( memBlock, sizeof(memBlock)) + ); + mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1); } - + continue; } } } @@ -1526,7 +1530,6 @@ int CmdHF14AMf1kSim(const char *Cmd) { while( !ukbhit() ){ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue; - if ( !(flags & FLAG_NR_AR_ATTACK) ) break; if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; @@ -1535,7 +1538,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { } if (k_sector != NULL) { - printKeyTable(k_sectorsCount, k_sector ); + printKeyTable(k_sectorsCount, k_sector); free(k_sector); k_sector = NULL; }