X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/e98572a1e2dde603f31cc06f330c6abd295139de..495d7f13265a727673b71451cf1906a082ca7fb4:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index ab7d913e..1d516ebc 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -9,6 +9,7 @@ //----------------------------------------------------------------------------- #include "cmdhfmf.h" +#include "cmdhfmfhard.h" #include "nonce2key/nonce2key.h" static int CmdHelp(const char *Cmd); @@ -19,7 +20,8 @@ int CmdHF14AMifare(const char *Cmd) uint32_t nt = 0, nr = 0; uint64_t par_list = 0, ks_list = 0, r_key = 0; int16_t isOK = 0; - + int tmpchar; + UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}}; // message @@ -28,20 +30,25 @@ int CmdHF14AMifare(const char *Cmd) printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n"); printf("-------------------------------------------------------------------------\n"); + clock_t t1 = clock(); start: clearCommandBuffer(); SendCommand(&c); //flush queue - while (ukbhit()) getchar(); + while (ukbhit()) { + tmpchar = getchar(); + (void)tmpchar; + } // wait cycle while (true) { printf("."); fflush(stdout); if (ukbhit()) { - getchar(); + tmpchar = getchar(); + (void)tmpchar; printf("\naborted via keyboard!\n"); break; } @@ -59,7 +66,8 @@ start: case -1 : PrintAndLog("Button pressed. Aborted.\n"); break; case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break; case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break; - case -4 : PrintAndLog("The card's random number generator is vulnerable but behaves somewhat weird (Mifare clone?). This needs to be fixed.\n"); break; + case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown"); + PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break; default: ; } break; @@ -83,8 +91,10 @@ start: printf("------------------------------------------------------------------\n"); PrintAndLog("Found valid key: %012"llx" \n", r_key); } - - PrintAndLog(""); + t1 = clock() - t1; + if ( t1 > 0 ){ + PrintAndLog("Time in darkside: %f ticks - %1.2f sec\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC); + } return 0; } @@ -121,10 +131,11 @@ int CmdHF14AMfWrBl(const char *Cmd) PrintAndLog("--block no:%d, key type:%c, key:%s", blockNo, keyType?'B':'A', sprint_hex(key, 6)); PrintAndLog("--data: %s", sprint_hex(bldata, 16)); - UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}}; + UsbCommand c = {CMD_MIFARE_WRITEBL, {blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); memcpy(c.d.asBytes + 10, bldata, 16); - SendCommand(&c); + clearCommandBuffer(); + SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { @@ -165,9 +176,10 @@ int CmdHF14AMfRdBl(const char *Cmd) } PrintAndLog("--block no:%d, key type:%c, key:%s ", blockNo, keyType?'B':'A', sprint_hex(key, 6)); - UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}}; + UsbCommand c = {CMD_MIFARE_READBL, {blockNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); - SendCommand(&c); + clearCommandBuffer(); + SendCommand(&c); UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) { @@ -220,6 +232,7 @@ int CmdHF14AMfRdSc(const char *Cmd) UsbCommand c = {CMD_MIFARE_READSC, {sectorNo, keyType, 0}}; memcpy(c.d.asBytes, key, 6); + clearCommandBuffer(); SendCommand(&c); PrintAndLog(" "); @@ -300,8 +313,10 @@ int CmdHF14AMfDump(const char *Cmd) } // Read keys A from file + size_t bytes_read; for (sectorNo=0; sectorNo 0 ) { + PrintAndLog("Time in nested: %f ticks %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/iterations/CLOCKS_PER_SEC); + } PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations); //print them @@ -734,7 +789,11 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("|---|----------------|---|----------------|---|"); for (i = 0; i < SectorsCnt; i++) { PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i, - e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]); + e_sector[i].Key[0], + e_sector[i].foundKey[0], + e_sector[i].Key[1], + e_sector[i].foundKey[1] + ); } PrintAndLog("|---|----------------|---|----------------|---|"); @@ -784,6 +843,122 @@ int CmdHF14AMfNested(const char *Cmd) return 0; } +int CmdHF14AMfNestedHard(const char *Cmd) +{ + uint8_t blockNo = 0; + uint8_t keyType = 0; + uint8_t trgBlockNo = 0; + uint8_t trgKeyType = 0; + uint8_t key[6] = {0, 0, 0, 0, 0, 0}; + uint8_t trgkey[6] = {0, 0, 0, 0, 0, 0}; + + char ctmp; + ctmp = param_getchar(Cmd, 0); + + if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) { + PrintAndLog("Usage:"); + PrintAndLog(" hf mf hardnested "); + PrintAndLog(" [known target key (12 hex symbols)] [w] [s]"); + PrintAndLog(" or hf mf hardnested r [known target key]"); + PrintAndLog(" "); + PrintAndLog("Options: "); + PrintAndLog(" w: Acquire nonces and write them to binary file nonces.bin"); + PrintAndLog(" s: Slower acquisition (required by some non standard cards)"); + PrintAndLog(" r: Read nonces.bin and start attack"); + PrintAndLog(" "); + PrintAndLog(" sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w"); + PrintAndLog(" sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s"); + PrintAndLog(" sample4: hf mf hardnested r"); + PrintAndLog(" "); + PrintAndLog("Add the known target key to check if it is present in the remaining key space:"); + PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF"); + return 0; + } + + bool know_target_key = false; + bool nonce_file_read = false; + bool nonce_file_write = false; + bool slow = false; + int tests = 0; + + + if (ctmp == 'R' || ctmp == 'r') { + nonce_file_read = true; + if (!param_gethex(Cmd, 1, trgkey, 12)) { + know_target_key = true; + } + } else if (ctmp == 'T' || ctmp == 't') { + tests = param_get32ex(Cmd, 1, 100, 10); + } else { + blockNo = param_get8(Cmd, 0); + ctmp = param_getchar(Cmd, 1); + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { + PrintAndLog("Key type must be A or B"); + return 1; + } + if (ctmp != 'A' && ctmp != 'a') { + keyType = 1; + } + + if (param_gethex(Cmd, 2, key, 12)) { + PrintAndLog("Key must include 12 HEX symbols"); + return 1; + } + + trgBlockNo = param_get8(Cmd, 3); + ctmp = param_getchar(Cmd, 4); + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { + PrintAndLog("Target key type must be A or B"); + return 1; + } + if (ctmp != 'A' && ctmp != 'a') { + trgKeyType = 1; + } + + uint16_t i = 5; + + if (!param_gethex(Cmd, 5, trgkey, 12)) { + know_target_key = true; + i++; + } + + while ((ctmp = param_getchar(Cmd, i))) { + if (ctmp == 's' || ctmp == 'S') { + slow = true; + } else if (ctmp == 'w' || ctmp == 'W') { + nonce_file_write = true; + } else { + PrintAndLog("Possible options are w and/or s"); + return 1; + } + i++; + } + } + + PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ", + trgBlockNo, + trgKeyType?'B':'A', + trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5], + know_target_key?"":" (not set)", + nonce_file_write?"write":nonce_file_read?"read":"none", + slow?"Yes":"No", + tests); + + int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests); + + if (isOK) { + switch (isOK) { + case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break; + case 2 : PrintAndLog("Button pressed. Aborted.\n"); break; + default : break; + } + return 2; + } + + return 0; +} + int CmdHF14AMfChk(const char *Cmd) { if (strlen(Cmd)<3) { @@ -867,6 +1042,7 @@ int CmdHF14AMfChk(const char *Cmd) break; default: PrintAndLog("Key type must be A , B or ?"); + free(keyBlock); return 1; }; @@ -918,6 +1094,7 @@ int CmdHF14AMfChk(const char *Cmd) if (!p) { PrintAndLog("Cannot allocate memory for defKeys"); free(keyBlock); + fclose(f); return 2; } keyBlock = p; @@ -957,7 +1134,9 @@ int CmdHF14AMfChk(const char *Cmd) } } } - + // time + clock_t t1 = clock(); + for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) { int b=blockNo; for (int i = 0; i < SectorsCnt; ++i) { @@ -979,6 +1158,10 @@ int CmdHF14AMfChk(const char *Cmd) b<127?(b+=4):(b+=16); } } + t1 = clock() - t1; + if ( t1 > 0 ){ + printf("Time in checkkeys: %f ticks %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/keycnt/CLOCKS_PER_SEC); + } if (transferToEml) { uint8_t block[16]; @@ -1023,8 +1206,6 @@ int CmdHF14AMf1kSim(const char *Cmd) uint8_t cmdp = param_getchar(Cmd, 0); - clearCommandBuffer(); - if (cmdp == 'h' || cmdp == 'H') { PrintAndLog("Usage: hf mf sim u n i x"); PrintAndLog(" h this help"); @@ -1049,10 +1230,12 @@ int CmdHF14AMf1kSim(const char *Cmd) } pnr +=2; } + if (param_getchar(Cmd, pnr) == 'n') { exitAfterNReads = param_get8(Cmd,pnr+1); pnr += 2; } + if (param_getchar(Cmd, pnr) == 'i' ) { //Using a flag to signal interactiveness, least significant bit flags |= FLAG_INTERACTIVE; @@ -1063,51 +1246,58 @@ int CmdHF14AMf1kSim(const char *Cmd) //Using a flag to signal interactiveness, least significant bit flags |= FLAG_NR_AR_ATTACK; } + PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ", flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A" - , exitAfterNReads, flags,flags); + , exitAfterNReads + , flags + , flags); UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; memcpy(c.d.asBytes, uid, sizeof(uid)); + clearCommandBuffer(); SendCommand(&c); if(flags & FLAG_INTERACTIVE) { - PrintAndLog("Press pm3-button to abort simulation"); - uint8_t data[40]; uint8_t key[6]; UsbCommand resp; - while(!ukbhit() ){ - if ( WaitForResponseTimeout(CMD_ACK,&resp,1500) ) { - if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){ - memset(data, 0x00, sizeof(data)); - memset(key, 0x00, sizeof(key)); - int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; - - memcpy(data, resp.d.asBytes, len); - - uint64_t corr_uid = 0; - if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) { - corr_uid = (data[3] << 24) | (data[2] << 16) | (data[1] << 8) | data[0]; - } - else { - corr_uid |= (uint64_t)data[2] << 48; - corr_uid |= (uint64_t)data[1] << 40; - corr_uid |= (uint64_t)data[0] << 32; - corr_uid |= data[7] << 24; - corr_uid |= data[6] << 16; - corr_uid |= data[5] << 8; - corr_uid |= data[4]; - } + PrintAndLog("Press pm3-button or send another cmd to abort simulation"); + + while( !ukbhit() ){ + if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue; + + if ( !(flags & FLAG_NR_AR_ATTACK) ) break; + + if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; + + memset(data, 0x00, sizeof(data)); + memset(key, 0x00, sizeof(key)); + int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; + + memcpy(data, resp.d.asBytes, len); + + uint64_t corr_uid = 0; + + // this IF? what was I thinking of? + if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) { + corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0]; tryMfk32(corr_uid, data, key); - //tryMfk64(corr_uid, data, key); - PrintAndLog("--"); + } else { + corr_uid |= (uint64_t)data[2] << 48; + corr_uid |= (uint64_t)data[1] << 40; + corr_uid |= (uint64_t)data[0] << 32; + corr_uid |= (uint64_t)data[7] << 24; + corr_uid |= (uint64_t)data[6] << 16; + corr_uid |= (uint64_t)data[5] << 8; + corr_uid |= (uint64_t)data[4]; + tryMfk64(corr_uid, data, key); } - } + PrintAndLog("--"); } } return 0; @@ -1131,10 +1321,10 @@ int CmdHF14AMfDbg(const char *Cmd) return 0; } - UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}}; - SendCommand(&c); + UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}}; + SendCommand(&c); - return 0; + return 0; } int CmdHF14AMfEGet(const char *Cmd) @@ -1168,12 +1358,11 @@ int CmdHF14AMfEClear(const char *Cmd) return 0; } - UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}}; - SendCommand(&c); - return 0; + UsbCommand c = {CMD_MIFARE_EML_MEMCLR, {0, 0, 0}}; + SendCommand(&c); + return 0; } - int CmdHF14AMfESet(const char *Cmd) { uint8_t memBlock[16]; @@ -1201,7 +1390,6 @@ int CmdHF14AMfESet(const char *Cmd) return 0; } - int CmdHF14AMfELoad(const char *Cmd) { FILE * f; @@ -1214,9 +1402,9 @@ int CmdHF14AMfELoad(const char *Cmd) uint8_t blockWidth = 32; char ctmp = param_getchar(Cmd, 0); - if ( ctmp == 'h' || ctmp == 0x00) { + if ( ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) { PrintAndLog("It loads emul dump from the file `filename.eml`"); - PrintAndLog("Usage: hf mf eload [card memory] "); + PrintAndLog("Usage: hf mf eload [card memory] [numblocks]"); PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K, u = UL"); PrintAndLog(""); PrintAndLog(" sample: hf mf eload filename"); @@ -1230,17 +1418,19 @@ int CmdHF14AMfELoad(const char *Cmd) case '\0': numBlocks = 16*4; break; case '2' : numBlocks = 32*4; break; case '4' : numBlocks = 256; break; - case 'U' : // fall through , NTAG 215 has 135blocks a 540 bytes. - case 'u' : numBlocks = 135; blockWidth = 8; break; + case 'U' : // fall through + case 'u' : numBlocks = 255; blockWidth = 8; break; default: { numBlocks = 16*4; nameParamNo = 0; } } + uint32_t numblk2 = param_get32ex(Cmd,2,0,10); + if (numblk2 > 0) numBlocks = numblk2; len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; fnameptr += len; @@ -1298,7 +1488,6 @@ int CmdHF14AMfELoad(const char *Cmd) return 0; } - int CmdHF14AMfESave(const char *Cmd) { FILE * f; @@ -1338,7 +1527,7 @@ int CmdHF14AMfESave(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; // user supplied filename? if (len < 1) { @@ -1384,7 +1573,6 @@ int CmdHF14AMfESave(const char *Cmd) return 0; } - int CmdHF14AMfECFill(const char *Cmd) { uint8_t keyType = 0; @@ -1424,15 +1612,16 @@ int CmdHF14AMfECFill(const char *Cmd) return 0; } - int CmdHF14AMfEKeyPrn(const char *Cmd) { int i; uint8_t numSectors; uint8_t data[16]; uint64_t keyA, keyB; + + char cmdp = param_getchar(Cmd, 0); - if (param_getchar(Cmd, 0) == 'h') { + if ( cmdp == 'h' || cmdp == 'H' ) { PrintAndLog("It prints the keys loaded in the emulator memory"); PrintAndLog("Usage: hf mf ekeyprn [card memory]"); PrintAndLog(" [card memory]: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K"); @@ -1441,8 +1630,6 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) return 0; } - char cmdp = param_getchar(Cmd, 0); - switch (cmdp) { case '0' : numSectors = 5; break; case '1' : @@ -1469,7 +1656,6 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) return 0; } - int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; @@ -1541,9 +1727,9 @@ int CmdHF14AMfCSetUID(const char *Cmd) int CmdHF14AMfCSetBlk(const char *Cmd) { - uint8_t memBlock[16] = {0x00}; + uint8_t block[16] = {0x00}; uint8_t blockNo = 0; - bool wipeCard = FALSE; + uint8_t params = MAGIC_SINGLE; int res; if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { @@ -1556,16 +1742,18 @@ int CmdHF14AMfCSetBlk(const char *Cmd) blockNo = param_get8(Cmd, 0); - if (param_gethex(Cmd, 1, memBlock, 32)) { + if (param_gethex(Cmd, 1, block, 32)) { PrintAndLog("block data must include 32 HEX symbols"); return 1; } char ctmp = param_getchar(Cmd, 2); - wipeCard = (ctmp == 'w' || ctmp == 'W'); - PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16)); + if (ctmp == 'w' || ctmp == 'W') + params |= MAGIC_WIPE; + + PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(block, 16)); - res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER); + res = mfCSetBlock(blockNo, block, NULL, params); if (res) { PrintAndLog("Can't write block. error=%d", res); return 1; @@ -1573,18 +1761,21 @@ int CmdHF14AMfCSetBlk(const char *Cmd) return 0; } - int CmdHF14AMfCLoad(const char *Cmd) { FILE * f; - char filename[FILE_PATH_SIZE] = {0x00}; + char filename[FILE_PATH_SIZE]; char * fnameptr = filename; char buf[64] = {0x00}; uint8_t buf8[64] = {0x00}; uint8_t fillFromEmulator = 0; int i, len, blockNum, flags=0; + + memset(filename, 0, sizeof(filename)); - if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) { + char ctmp = param_getchar(Cmd, 0); + + if (ctmp == 'h' || ctmp == 'H' || ctmp == 0x00) { PrintAndLog("It loads magic Chinese card from the file `filename.eml`"); PrintAndLog("or from emulator memory (option `e`)"); PrintAndLog("Usage: hf mf cload "); @@ -1593,7 +1784,6 @@ int CmdHF14AMfCLoad(const char *Cmd) return 0; } - char ctmp = param_getchar(Cmd, 0); if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1; if (fillFromEmulator) { @@ -1602,11 +1792,11 @@ int CmdHF14AMfCLoad(const char *Cmd) PrintAndLog("Cant get block: %d", blockNum); return 2; } - if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence + if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC; // switch on field and send magic sequence if (blockNum == 1) flags = 0; // just write - if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Magic Halt and switch off field. + if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; // Done. Magic Halt and switch off field. - if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) { + if (mfCSetBlock(blockNum, buf8, NULL, flags)) { PrintAndLog("Cant set magic card block: %d", blockNum); return 3; } @@ -1614,7 +1804,7 @@ int CmdHF14AMfCLoad(const char *Cmd) return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; memcpy(filename, Cmd, len); fnameptr += len; @@ -1649,12 +1839,13 @@ int CmdHF14AMfCLoad(const char *Cmd) for (i = 0; i < 32; i += 2) sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); - if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; // switch on field and send magic sequence + if (blockNum == 0) flags = MAGIC_INIT + MAGIC_WUPC; // switch on field and send magic sequence if (blockNum == 1) flags = 0; // just write - if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; // Done. Switch off field. + if (blockNum == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; // Done. Switch off field. - if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) { + if (mfCSetBlock(blockNum, buf8, NULL, flags)) { PrintAndLog("Can't set magic card block: %d", blockNum); + fclose(f); return 3; } blockNum++; @@ -1663,6 +1854,7 @@ int CmdHF14AMfCLoad(const char *Cmd) } fclose(f); + // 64 or 256blocks. if (blockNum != 16 * 4 && blockNum != 32 * 4 + 8 * 16){ PrintAndLog("File content error. There must be 64 blocks"); return 4; @@ -1674,12 +1866,13 @@ int CmdHF14AMfCLoad(const char *Cmd) } int CmdHF14AMfCGetBlk(const char *Cmd) { - uint8_t memBlock[16]; + uint8_t data[16]; uint8_t blockNo = 0; int res; - memset(memBlock, 0x00, sizeof(memBlock)); + memset(data, 0x00, sizeof(data)); + char ctmp = param_getchar(Cmd, 0); - if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') { PrintAndLog("Usage: hf mf cgetblk "); PrintAndLog("sample: hf mf cgetblk 1"); PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n"); @@ -1690,23 +1883,24 @@ int CmdHF14AMfCGetBlk(const char *Cmd) { PrintAndLog("--block number:%2d ", blockNo); - res = mfCGetBlock(blockNo, memBlock, CSETBLOCK_SINGLE_OPER); + res = mfCGetBlock(blockNo, data, MAGIC_SINGLE); if (res) { - PrintAndLog("Can't read block. error=%d", res); - return 1; - } + PrintAndLog("Can't read block. error=%d", res); + return 1; + } - PrintAndLog("block data:%s", sprint_hex(memBlock, 16)); + PrintAndLog("data: %s", sprint_hex(data, sizeof(data))); return 0; } - int CmdHF14AMfCGetSc(const char *Cmd) { - uint8_t memBlock[16] = {0x00}; + uint8_t data[16]; uint8_t sectorNo = 0; int i, res, flags; - - if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { + memset(data, 0x00, sizeof(data)); + char ctmp = param_getchar(Cmd, 0); + + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') { PrintAndLog("Usage: hf mf cgetsc "); PrintAndLog("sample: hf mf cgetsc 0"); PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n"); @@ -1720,37 +1914,37 @@ int CmdHF14AMfCGetSc(const char *Cmd) { } PrintAndLog("--sector number:%d ", sectorNo); + PrintAndLog("block | data"); - flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; + flags = MAGIC_INIT + MAGIC_WUPC; for (i = 0; i < 4; i++) { if (i == 1) flags = 0; - if (i == 3) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; + if (i == 3) flags = MAGIC_HALT + MAGIC_OFF; - res = mfCGetBlock(sectorNo * 4 + i, memBlock, flags); + res = mfCGetBlock(sectorNo * 4 + i, data, flags); if (res) { PrintAndLog("Can't read block. %d error=%d", sectorNo * 4 + i, res); return 1; - } - - PrintAndLog("block %3d data:%s", sectorNo * 4 + i, sprint_hex(memBlock, 16)); + } + PrintAndLog(" %3d | %s", sectorNo * 4 + i, sprint_hex(data, sizeof(data))); } return 0; } - int CmdHF14AMfCSave(const char *Cmd) { FILE * f; - char filename[FILE_PATH_SIZE] = {0x00}; + char filename[FILE_PATH_SIZE]; char * fnameptr = filename; uint8_t fillFromEmulator = 0; - uint8_t buf[64] = {0x00}; + uint8_t buf[64]; int i, j, len, flags; - // memset(filename, 0, sizeof(filename)); - // memset(buf, 0, sizeof(buf)); - - if (param_getchar(Cmd, 0) == 'h') { + memset(filename, 0, sizeof(filename)); + memset(buf, 0, sizeof(buf)); + char ctmp = param_getchar(Cmd, 0); + + if ( ctmp == 'h' || ctmp == 'H' ) { PrintAndLog("It saves `magic Chinese` card dump into the file `filename.eml` or `cardID.eml`"); PrintAndLog("or into emulator memory (option `e`)"); PrintAndLog("Usage: hf mf esave [file name w/o `.eml`][e]"); @@ -1759,16 +1953,14 @@ int CmdHF14AMfCSave(const char *Cmd) { PrintAndLog(" hf mf esave e \n"); return 0; } - - char ctmp = param_getchar(Cmd, 0); if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1; if (fillFromEmulator) { // put into emulator - flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; + flags = MAGIC_INIT + MAGIC_WUPC; for (i = 0; i < 16 * 4; i++) { if (i == 1) flags = 0; - if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; + if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; if (mfCGetBlock(i, buf, flags)) { PrintAndLog("Cant get block: %d", i); @@ -1783,11 +1975,12 @@ int CmdHF14AMfCSave(const char *Cmd) { return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; + // get filename based on UID if (len < 1) { - // get filename - if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) { + + if (mfCGetBlock(0, buf, MAGIC_SINGLE)) { PrintAndLog("Cant get block: %d", 0); len = sprintf(fnameptr, "dump"); fnameptr += len; @@ -1800,6 +1993,7 @@ int CmdHF14AMfCSave(const char *Cmd) { fnameptr += len; } + // add .eml extension sprintf(fnameptr, ".eml"); // open file @@ -1811,10 +2005,10 @@ int CmdHF14AMfCSave(const char *Cmd) { } // put hex - flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC; + flags = MAGIC_INIT + MAGIC_WUPC; for (i = 0; i < 16 * 4; i++) { if (i == 1) flags = 0; - if (i == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD; + if (i == 16 * 4 - 1) flags = MAGIC_HALT + MAGIC_OFF; if (mfCGetBlock(i, buf, flags)) { PrintAndLog("Cant get block: %d", i); @@ -1824,15 +2018,13 @@ int CmdHF14AMfCSave(const char *Cmd) { fprintf(f, "%02x", buf[j]); fprintf(f,"\n"); } + fflush(f); fclose(f); - PrintAndLog("Saved to file: %s", filename); - return 0; } } - int CmdHF14AMfSniff(const char *Cmd){ bool wantLogToFile = 0; @@ -1841,6 +2033,7 @@ int CmdHF14AMfSniff(const char *Cmd){ bool wantSaveToEmlFile = 0; //var + int tmpchar; int res = 0; int len = 0; int blockLen = 0; @@ -1891,7 +2084,8 @@ int CmdHF14AMfSniff(const char *Cmd){ printf("."); fflush(stdout); if (ukbhit()) { - getchar(); + tmpchar = getchar(); + (void)tmpchar; printf("\naborted via keyboard!\n"); break; } @@ -1902,7 +2096,10 @@ int CmdHF14AMfSniff(const char *Cmd){ uint16_t traceLen = resp.arg[1]; len = resp.arg[2]; - if (res == 0) return 0; // we are done + if (res == 0) { + free(buf); + return 0; // we are done + } if (res == 1) { // there is (more) data to be transferred if (pckNum == 0) { // first packet, (re)allocate necessary buffer @@ -1924,6 +2121,11 @@ int CmdHF14AMfSniff(const char *Cmd){ bufsize = traceLen; memset(buf, 0x00, traceLen); } + if (bufPtr == NULL) { + PrintAndLog("Cannot allocate memory for trace"); + free(buf); + return 2; + } memcpy(bufPtr, resp.d.asBytes, len); bufPtr += len; pckNum++; @@ -1981,55 +2183,65 @@ int CmdHF14AMfSniff(const char *Cmd){ } //needs nt, ar, at, Data to decrypt -int CmdDecryptTraceCmds(const char *Cmd){ +int CmdHf14MfDecryptBytes(const char *Cmd){ uint8_t data[50]; + + uint32_t nt = param_get32ex(Cmd,0,0,16); + uint32_t ar_enc = param_get32ex(Cmd,1,0,16); + uint32_t at_enc = param_get32ex(Cmd,2,0,16); + int len = 0; - param_gethex_ex(Cmd,3,data,&len); - return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2); + param_gethex_ex(Cmd, 3, data, &len); + + len /= 2; + int limit = sizeof(data) / 2; + + if ( len >= limit ) + len = limit; + + return tryDecryptWord( nt, ar_enc, at_enc, data, len); } -static command_t CommandTable[] = -{ - {"help", CmdHelp, 1, "This help"}, - {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"}, - {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"}, - {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"}, - {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"}, - {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"}, - {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"}, - {"chk", CmdHF14AMfChk, 0, "Test block keys"}, - {"mifare", CmdHF14AMifare, 0, "Read parity error messages."}, - {"nested", CmdHF14AMfNested, 0, "Test nested authentication"}, - {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"}, - {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"}, - {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"}, - {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"}, - {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"}, - {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"}, - {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"}, - {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"}, - {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"}, - {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"}, - {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"}, - {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"}, - {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"}, - {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"}, - {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"}, - {"decrypt", CmdDecryptTraceCmds, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"}, - {NULL, NULL, 0, NULL} +static command_t CommandTable[] = { + {"help", CmdHelp, 1, "This help"}, + {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"}, + {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"}, + {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"}, + {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"}, + {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"}, + {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"}, + {"chk", CmdHF14AMfChk, 0, "Test block keys"}, + {"mifare", CmdHF14AMifare, 0, "Read parity error messages."}, + {"nested", CmdHF14AMfNested, 0, "Test nested authentication"}, + {"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"}, + {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"}, + {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"}, + {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"}, + {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"}, + {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"}, + {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"}, + {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"}, + {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"}, + {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"}, + {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"}, + {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"}, + {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"}, + {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"}, + {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"}, + {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"}, + {"decrypt", CmdHf14MfDecryptBytes, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"}, + {NULL, NULL, 0, NULL} }; -int CmdHFMF(const char *Cmd) -{ +int CmdHFMF(const char *Cmd) { // flush - WaitForResponseTimeout(CMD_ACK,NULL,100); - - CmdsParse(CommandTable, Cmd); - return 0; + clearCommandBuffer(); + //WaitForResponseTimeout(CMD_ACK,NULL,100); + CmdsParse(CommandTable, Cmd); + return 0; } -int CmdHelp(const char *Cmd) -{ - CmdsHelp(CommandTable); - return 0; +int CmdHelp(const char *Cmd) { + CmdsHelp(CommandTable); + return 0; }