]> cvs.zerfleddert.de Git - proxmark3-svn/commitdiff
FIX: dumptoemul.lua removed the extra linebreak in the end, making some load commands...
authoriceman1001 <iceman@iuse.se>
Mon, 25 May 2015 11:10:55 +0000 (13:10 +0200)
committericeman1001 <iceman@iuse.se>
Mon, 25 May 2015 11:10:55 +0000 (13:10 +0200)
MOV: moved the try32/try64 attacks (mfkey32/mfkey64) into the nonce2key.c file
CHG: added @marshmellow42 changes to hf mfu dump layout.
ADD: an extra call to BigBuf_free in readcard..  just to make sure that it doesn't leak memory.
ADD: expermimental call to "try32" for "hf mf sim x".

armsrc/iso14443a.c
armsrc/mifarecmd.c
client/cmdhf14a.c
client/cmdhf14a.h
client/cmdhfmf.c
client/cmdhfmfu.c
client/nonce2key/nonce2key.c
client/nonce2key/nonce2key.h
client/scripts/dumptoemul.lua

index e1943b2654eea613892db908e836991b8c381c5a..8e547147330f9de71de8a15fc9fc51a6adaa6421 100644 (file)
@@ -1186,7 +1186,6 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                                        cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
                                        ar_nr_collected = 0;
                                        memset(ar_nr_responses, 0x00, len);
-                                       Dbprintf("ICE");
                                }
                        }
                } else {
@@ -2490,7 +2489,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
 
                                //Collect AR/NR
-                               if(ar_nr_collected < 2 && cardAUTHSC == 2){
+                               //if(ar_nr_collected < 2 && cardAUTHSC == 2){
+                               if(ar_nr_collected < 2){
                                        if(ar_nr_responses[2] != ar)
                                        {// Avoid duplicates... probably not necessary, ar should vary. 
                                                ar_nr_responses[ar_nr_collected*4] = cuid;
@@ -2503,7 +2503,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                        if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
                                        {
                                                finished = true;
-                               }
+                                       }
                                }
 
                                // --- crypto
index 7eb27abe6657d0c76862b9deb9210b62813073af..9c17ce3cb3490b066a1f6c65d4c71d084604d256 100644 (file)
@@ -335,7 +335,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)
        cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(),0 , 0);\r
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
        LEDsoff();\r
-\r
+       \r
+       BigBuf_free();\r
 }\r
 \r
 //-----------------------------------------------------------------------------\r
index 0527ad4d7bcee4eaa846d8961f08492d273f430c..8f53bebed5c0c409a8bd3cd32bf62c3ac8687cb3 100644 (file)
@@ -24,7 +24,7 @@
 #include "cmdmain.h"
 #include "mifare.h"
 #include "cmdhfmfu.h"
-#include "nonce2key/crapto1.h"
+#include "nonce2key/nonce2key.h"
 
 #define llx PRIx64
 
@@ -531,125 +531,30 @@ int CmdHF14ASim(const char *Cmd)
        PrintAndLog("Press pm3-button to abort simulation");
        
        UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
+       
        num_to_bytes(uid, 7, c.d.asBytes);
        SendCommand(&c);        
 
+       uint8_t data[40];
+       uint8_t key[6];
+
        while(!ukbhit()){
                UsbCommand resp;
                WaitForResponseTimeout(CMD_ACK,&resp,1500);
-               PrintAndLog("Got %04X %02X", resp.arg[0], resp.arg[0]);
+               PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]);
                if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
-                       uint8_t data[40];
-                       uint8_t key[6];
+                       memset(data, 0x00, sizeof(data));
+                       memset(key, 0x00, sizeof(key));
                        int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
                        memcpy(data, resp.d.asBytes, len);
                        tryMfk32(uid, data, key);
                        //tryMfk64(uid, data, key);
                        PrintAndLog("--");
-                       memset(data,0x00, 40);
                }
        }
        return 0;
 }
 
-int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
-
-       struct Crypto1State *s,*t;
-       uint64_t key;     // recovered key
-       uint32_t uid;     // serial number
-       uint32_t nt;      // tag challenge
-       uint32_t nr0_enc; // first encrypted reader challenge
-       uint32_t ar0_enc; // first encrypted reader response
-       uint32_t nr1_enc; // second encrypted reader challenge
-       uint32_t ar1_enc; // second encrypted reader response   
-       bool isSuccess = FALSE;
-       int counter = 0;
-       
-       uid     = myuid;//(uint32_t)bytes_to_num(data +  0, 4);
-       nt              = *(uint32_t*)(data+8);
-       nr0_enc = *(uint32_t*)(data+12);
-       ar0_enc = *(uint32_t*)(data+16);
-       nr1_enc = *(uint32_t*)(data+32);
-       ar1_enc = *(uint32_t*)(data+36);
-
-       // PrintAndLog("Recovering key for:");
-       // PrintAndLog("    uid: %08x",uid);
-       // PrintAndLog("     nt: %08x",nt);
-       // PrintAndLog(" {nr_0}: %08x",nr0_enc);
-       // PrintAndLog(" {ar_0}: %08x",ar0_enc);
-       // PrintAndLog(" {nr_1}: %08x",nr1_enc);
-       // PrintAndLog(" {ar_1}: %08x",ar1_enc);
-
-       s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
-  
-       for(t = s; t->odd | t->even; ++t) {
-               lfsr_rollback_word(t, 0, 0);
-               lfsr_rollback_word(t, nr0_enc, 1);
-               lfsr_rollback_word(t, uid ^ nt, 0);
-               crypto1_get_lfsr(t, &key);
-               crypto1_word(t, uid ^ nt, 0);
-               crypto1_word(t, nr1_enc, 1);
-               if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
-                       PrintAndLog("Found Key: [%012"llx"]",key);
-                       isSuccess = TRUE;
-                       ++counter;
-                       if (counter==10)
-                               break;
-               }
-       }
-       free(s);
-       return isSuccess;
-}
-
-int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
-
-       struct Crypto1State *revstate;
-       uint64_t key;     // recovered key
-       uint32_t uid;     // serial number
-       uint32_t nt;      // tag challenge
-       uint32_t nr_enc;  // encrypted reader challenge
-       uint32_t ar_enc;  // encrypted reader response
-       uint32_t at_enc;  // encrypted tag response
-       uint32_t ks2;     // keystream used to encrypt reader response
-       uint32_t ks3;     // keystream used to encrypt tag response
-
-       struct Crypto1State mpcs = {0, 0};
-       struct Crypto1State *pcs;
-       pcs = &mpcs;
-       
-
-
-       uid     = myuid;//(uint32_t)bytes_to_num(data +  0, 4);
-       nt              = *(uint32_t*)(data+8);
-       nr_enc = *(uint32_t*)(data+12);
-       ar_enc = *(uint32_t*)(data+16);
-       
-       crypto1_word(pcs, nr_enc , 1);
-       at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
-
-       // printf("Recovering key for:\n");
-       // printf("  uid: %08x\n",uid);
-       // printf("   nt: %08x\n",nt);
-       // printf(" {nr}: %08x\n",nr_enc);
-       // printf(" {ar}: %08x\n",ar_enc);
-       // printf(" {at}: %08x\n",at_enc);
-
-       // Extract the keystream from the messages
-       ks2 = ar_enc ^ prng_successor(nt, 64);
-       ks3 = at_enc ^ prng_successor(nt, 96);
-
-       revstate = lfsr_recovery64(ks2, ks3);
-       lfsr_rollback_word(revstate, 0, 0);
-       lfsr_rollback_word(revstate, 0, 0);
-       lfsr_rollback_word(revstate, nr_enc, 1);
-       lfsr_rollback_word(revstate, uid ^ nt, 0);
-       crypto1_get_lfsr(revstate, &key);
-       PrintAndLog("Found Key: [%012"llx"]",key);
-       crypto1_destroy(revstate);
-       crypto1_destroy(pcs);
-       return 0;
-}
-
 int CmdHF14ASniff(const char *Cmd) {
        int param = 0;
        
index 67c6ec4e2f46bb6b9e688619bc0750ee7169f780..17c40bac1db68442fbe85d34489fbd5be2c6185b 100644 (file)
@@ -21,6 +21,5 @@ int CmdHF14ASim(const char *Cmd);
 int CmdHF14ASniff(const char *Cmd);
 
 char* getTagInfo(uint8_t uid);
-int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
-int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
+
 #endif
index f486fc2540ba16377439530ac7ef03a1856abc4d..94c4707206273e9fd8c25997a023db18560a944b 100644 (file)
@@ -9,6 +9,7 @@
 //-----------------------------------------------------------------------------\r
 \r
 #include "cmdhfmf.h"\r
+#include "nonce2key/nonce2key.h"\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
@@ -1063,15 +1064,29 @@ int CmdHF14AMf1kSim(const char *Cmd)
        SendCommand(&c);\r
 \r
        if(flags & FLAG_INTERACTIVE)\r
-       {\r
-               UsbCommand resp;\r
+       {               \r
+               uint64_t corr_uid =  bytes_to_num(uid,  ( flags & FLAG_4B_UID_IN_DATA ) ? 4 : 7 );\r
+\r
                PrintAndLog("Press pm3-button to abort simulation");\r
-               while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       //We're waiting only 1.5 s at a time, otherwise we get the\r
-                       // annoying message about "Waiting for a response... "\r
+               \r
+               uint8_t data[40];\r
+               uint8_t key[6];\r
+\r
+               while(!ukbhit()){\r
+                       UsbCommand resp;                \r
+                       WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                       PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]);                  \r
+                       if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){\r
+                               memset(data, 0x00, sizeof(data));\r
+                               memset(key, 0x00, sizeof(key));\r
+                               int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
+                               memcpy(data, resp.d.asBytes, len);\r
+                               tryMfk32(corr_uid, data, key);\r
+                               //tryMfk64(corr_uid, data, key);\r
+                               PrintAndLog("--");\r
+                       }\r
                }\r
        }\r
-       \r
        return 0;\r
 }\r
 \r
@@ -1200,7 +1215,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
 \r
        fnameptr += len;\r
 \r
@@ -1299,7 +1314,7 @@ int CmdHF14AMfESave(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
        \r
        // user supplied filename?\r
        if (len < 1) {\r
@@ -1575,7 +1590,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
 \r
                memcpy(filename, Cmd, len);\r
                fnameptr += len;\r
@@ -1745,7 +1760,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
        \r
                if (len < 1) {\r
                        // get filename\r
index c02dff83d5aacc69baa414b634bcee1b3264f69e..0c116eb4922e39eb5350cd269cdbd922e417646b 100644 (file)
@@ -280,7 +280,7 @@ static int ul_print_default( uint8_t *data){
        uid[6] = data[7];
 
        PrintAndLog("       UID : %s ", sprint_hex(uid, 7));
-       PrintAndLog("    UID[0] : %02X, Manufacturer: %s",  uid[0], getTagInfo(uid[0]) );
+       PrintAndLog("    UID[0] : %02X, %s",  uid[0], getTagInfo(uid[0]) );
        if ( uid[0] == 0x05 ) {
                uint8_t chip = (data[8] & 0xC7); // 11000111  mask, bit 3,4,5 RFU
                switch (chip){
@@ -855,7 +855,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){
        uint8_t blockdata[20] = {0x00};
        uint8_t data[16] = {0x00};
        uint8_t authenticationkey[16] = {0x00};
-       uint8_t *authkeyptr = authenticationkey;
+       uint8_t *authKeyPtr = authenticationkey;
        
        // starting with getting tagtype
        TagTypeUL_t tagtype = GetHF14AMfU_Type();
@@ -896,7 +896,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){
                                uint8_t maxblockno = 0;
                                for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
                                        if (tagtype & UL_TYPES_ARRAY[idx])
-                                               maxblockno = UL_MEMORY_ARRAY[idx]+1;
+                                               maxblockno = UL_MEMORY_ARRAY[idx];
                                }
                
                                if (blockNo < 0) {
@@ -904,7 +904,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){
                                        errors = true;                                  
                                }
                                if (blockNo > maxblockno){
-                                       PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
+                                       PrintAndLog("block number too large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
                                        errors = true;                                                                  
                                }
                                cmdp += 2;
@@ -935,28 +935,25 @@ int CmdHF14AMfUWrBl(const char *Cmd){
        if ( blockNo == -1 ) return usage_hf_mfu_wrbl();
        
        // Swap endianness 
-       if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
-       if (swapEndian && hasPwdKey)  authkeyptr = SwapEndian64(authenticationkey, 4, 4);
-
+       if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
+       if (swapEndian && hasPwdKey)  authKeyPtr = SwapEndian64(authenticationkey, 4, 4);
 
        if ( blockNo <= 3)              
                PrintAndLog("Special Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
        else
                PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
        
-       
-
        //Send write Block
        UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};
        memcpy(c.d.asBytes,blockdata,4);
 
        if ( hasAuthKey ){
                c.arg[1] = 1;
-               memcpy(c.d.asBytes+4,authkeyptr,16);
+               memcpy(c.d.asBytes+4,authKeyPtr,16);
        }
        else if ( hasPwdKey ) {
                c.arg[1] = 2;
-               memcpy(c.d.asBytes+4,authkeyptr,4);
+               memcpy(c.d.asBytes+4,authKeyPtr,4);
        }
        
        SendCommand(&c);
@@ -984,7 +981,7 @@ int CmdHF14AMfURdBl(const char *Cmd){
        uint8_t keylen = 0;
        uint8_t data[16] = {0x00};
        uint8_t authenticationkey[16] = {0x00};
-       uint8_t *authkeyptr = authenticationkey;
+       uint8_t *authKeyPtr = authenticationkey;
                
        // starting with getting tagtype
        TagTypeUL_t tagtype = GetHF14AMfU_Type();
@@ -1025,7 +1022,7 @@ int CmdHF14AMfURdBl(const char *Cmd){
                                uint8_t maxblockno = 0;
                                for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
                                        if (tagtype & UL_TYPES_ARRAY[idx])
-                                               maxblockno = UL_MEMORY_ARRAY[idx]+1;
+                                               maxblockno = UL_MEMORY_ARRAY[idx];
                                }
                
                                if (blockNo < 0) {
@@ -1054,18 +1051,18 @@ int CmdHF14AMfURdBl(const char *Cmd){
        if ( blockNo == -1 ) return usage_hf_mfu_rdbl();
        
        // Swap endianness 
-       if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
-       if (swapEndian && hasPwdKey)  authkeyptr = SwapEndian64(authenticationkey, 4, 4);
+       if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
+       if (swapEndian && hasPwdKey)  authKeyPtr = SwapEndian64(authenticationkey, 4, 4);
        
        //Read Block
        UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
        if ( hasAuthKey ){
                c.arg[1] = 1;
-               memcpy(c.d.asBytes,authkeyptr,16);
+               memcpy(c.d.asBytes,authKeyPtr,16);
        }
        else if ( hasPwdKey ) {
                c.arg[1] = 2;
-               memcpy(c.d.asBytes,authkeyptr,4);
+               memcpy(c.d.asBytes,authKeyPtr,4);
        }
        
        SendCommand(&c);
@@ -1082,7 +1079,6 @@ int CmdHF14AMfURdBl(const char *Cmd){
        } else {
                PrintAndLog("Command execute time-out");
        }
-
        return 0;
 }
 
@@ -1156,8 +1152,6 @@ int usage_hf_mfu_wrbl(void) {
 //
 //  Mifare Ultralight / Ultralight-C / Ultralight-EV1
 //  Read and Dump Card Contents,  using auto detection of tag size.
-//
-//  TODO: take a password to read UL-C / UL-EV1 tags.
 int CmdHF14AMfUDump(const char *Cmd){
 
        FILE *fout;
@@ -1246,10 +1240,10 @@ int CmdHF14AMfUDump(const char *Cmd){
        TagTypeUL_t tagtype = GetHF14AMfU_Type();
        if (tagtype == UL_ERROR) return -1;
 
-       if (!manualPages)
+       if (!manualPages) //get number of pages to read
                for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
                        if (tagtype & UL_TYPES_ARRAY[idx])
-                               Pages = UL_MEMORY_ARRAY[idx]+1;
+                               Pages = UL_MEMORY_ARRAY[idx]+1; //add one as maxblks starts at 0
 
        ul_print_type(tagtype, 0);
        PrintAndLog("Reading tag memory...");
@@ -1320,8 +1314,8 @@ int CmdHF14AMfUDump(const char *Cmd){
                }
        }
 
-       PrintAndLog("Block#    Data         lck Ascii");
-       PrintAndLog("----------------------------------");
+       PrintAndLog("Block#  | Data        |lck| Ascii");
+       PrintAndLog("---------------------------------");
        for (i = 0; i < Pages; ++i) {
                if ( i < 3 ) {
                        PrintAndLog("%02d/0x%02X | %s | |", i, i,sprint_hex(data + i * 4, 4));
@@ -1373,7 +1367,7 @@ int CmdHF14AMfUDump(const char *Cmd){
                }
                PrintAndLog("%02d/0x%02X | %s |%d| %.4s",i , i, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4);
        }
-       PrintAndLog("----------------------------------");
+       PrintAndLog("---------------------------------");
 
        // user supplied filename?
        if (fileNlen < 1) {
@@ -1769,7 +1763,7 @@ static command_t CommandTable[] =
        {"help",        CmdHelp,                        1, "This help"},
        {"dbg",         CmdHF14AMfDbg,          0, "Set default debug mode"},
        {"info",        CmdHF14AMfUInfo,        0, "Tag information"},
-       {"dump",        CmdHF14AMfUDump,        0, "Dump Ultralight / Ultralight-C tag to binary file"},
+       {"dump",        CmdHF14AMfUDump,        0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"},
        {"rdbl",        CmdHF14AMfURdBl,        0, "Read block"},
        {"wrbl",        CmdHF14AMfUWrBl,        0, "Write block"},    
        {"cauth",       CmdHF14AMfucAuth,       0, "Authentication    - Ultralight C"},
index 111f58cd6b07a8d21ddff7e006e5de485bf4830b..968e1a9d23eeac19e083473c5327703c43ed320f 100644 (file)
@@ -149,3 +149,99 @@ int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_
        
        return 1;
 }
+
+int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
+
+       struct Crypto1State *s,*t;
+       uint64_t key;     // recovered key
+       uint32_t uid;     // serial number
+       uint32_t nt;      // tag challenge
+       uint32_t nr0_enc; // first encrypted reader challenge
+       uint32_t ar0_enc; // first encrypted reader response
+       uint32_t nr1_enc; // second encrypted reader challenge
+       uint32_t ar1_enc; // second encrypted reader response   
+       bool isSuccess = FALSE;
+       int counter = 0;
+       
+       uid     = myuid;//(uint32_t)bytes_to_num(data +  0, 4);
+       nt              = *(uint32_t*)(data+8);
+       nr0_enc = *(uint32_t*)(data+12);
+       ar0_enc = *(uint32_t*)(data+16);
+       nr1_enc = *(uint32_t*)(data+32);
+       ar1_enc = *(uint32_t*)(data+36);
+
+       // PrintAndLog("Recovering key for:");
+       // PrintAndLog("    uid: %08x",uid);
+       // PrintAndLog("     nt: %08x",nt);
+       // PrintAndLog(" {nr_0}: %08x",nr0_enc);
+       // PrintAndLog(" {ar_0}: %08x",ar0_enc);
+       // PrintAndLog(" {nr_1}: %08x",nr1_enc);
+       // PrintAndLog(" {ar_1}: %08x",ar1_enc);
+
+       s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
+  
+       for(t = s; t->odd | t->even; ++t) {
+               lfsr_rollback_word(t, 0, 0);
+               lfsr_rollback_word(t, nr0_enc, 1);
+               lfsr_rollback_word(t, uid ^ nt, 0);
+               crypto1_get_lfsr(t, &key);
+               crypto1_word(t, uid ^ nt, 0);
+               crypto1_word(t, nr1_enc, 1);
+               if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
+                       PrintAndLog("Found Key: [%012"llx"]",key);
+                       isSuccess = TRUE;
+                       ++counter;
+                       if (counter==10)
+                               break;
+               }
+       }
+       free(s);
+       return isSuccess;
+}
+
+int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
+
+       struct Crypto1State *revstate;
+       uint64_t key;     // recovered key
+       uint32_t uid;     // serial number
+       uint32_t nt;      // tag challenge
+       uint32_t nr_enc;  // encrypted reader challenge
+       uint32_t ar_enc;  // encrypted reader response
+       uint32_t at_enc;  // encrypted tag response
+       uint32_t ks2;     // keystream used to encrypt reader response
+       uint32_t ks3;     // keystream used to encrypt tag response
+
+       struct Crypto1State mpcs = {0, 0};
+       struct Crypto1State *pcs;
+       pcs = &mpcs;
+       
+       uid     = myuid;//(uint32_t)bytes_to_num(data +  0, 4);
+       nt              = *(uint32_t*)(data+8);
+       nr_enc = *(uint32_t*)(data+12);
+       ar_enc = *(uint32_t*)(data+16);
+       
+       crypto1_word(pcs, nr_enc , 1);
+       at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
+
+       // printf("Recovering key for:\n");
+       // printf("  uid: %08x\n",uid);
+       // printf("   nt: %08x\n",nt);
+       // printf(" {nr}: %08x\n",nr_enc);
+       // printf(" {ar}: %08x\n",ar_enc);
+       // printf(" {at}: %08x\n",at_enc);
+
+       // Extract the keystream from the messages
+       ks2 = ar_enc ^ prng_successor(nt, 64);
+       ks3 = at_enc ^ prng_successor(nt, 96);
+
+       revstate = lfsr_recovery64(ks2, ks3);
+       lfsr_rollback_word(revstate, 0, 0);
+       lfsr_rollback_word(revstate, 0, 0);
+       lfsr_rollback_word(revstate, nr_enc, 1);
+       lfsr_rollback_word(revstate, uid ^ nt, 0);
+       crypto1_get_lfsr(revstate, &key);
+       PrintAndLog("Found Key: [%012"llx"]",key);
+       crypto1_destroy(revstate);
+       crypto1_destroy(pcs);
+       return 0;
+}
index e7d5f431194f92a4777bc2726c66aad8038ff0b4..82c65b55617fbef1edbb85ea33b324f82ee3bdae 100644 (file)
@@ -2,7 +2,7 @@
 // Merlok - June 2011
 // Roel - Dec 2009
 // Unknown author
-//
+// icemane - may 2015
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
@@ -19,5 +19,6 @@
 #include "common.h"
 
 int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key); 
-
+int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
+int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
 #endif
index f9b715091c7e2ebe92b2532d02f4249c13538501..f8cc11d455da2fa0bbea72fab9bb0c389b680d0d 100644 (file)
@@ -73,7 +73,8 @@ local function convert_to_emulform(hexdata)
        for i = 1, string.len(hexdata),32 do
                ascii = ascii  ..string.sub(hexdata,i,i+31).."\n"
        end
-       return ascii
+       
+       return string.sub(ascii,1,-1)
 end
 
 local function main(args)
Impressum, Datenschutz