cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
ar_nr_collected = 0;
memset(ar_nr_responses, 0x00, len);
- Dbprintf("ICE");
}
}
} else {
uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
//Collect AR/NR
- if(ar_nr_collected < 2 && cardAUTHSC == 2){
+ //if(ar_nr_collected < 2 && cardAUTHSC == 2){
+ if(ar_nr_collected < 2){
if(ar_nr_responses[2] != ar)
{// Avoid duplicates... probably not necessary, ar should vary.
ar_nr_responses[ar_nr_collected*4] = cuid;
if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
{
finished = true;
- }
+ }
}
// --- crypto
cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(),0 , 0);\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
-\r
+ \r
+ BigBuf_free();\r
}\r
\r
//-----------------------------------------------------------------------------\r
#include "cmdmain.h"
#include "mifare.h"
#include "cmdhfmfu.h"
-#include "nonce2key/crapto1.h"
+#include "nonce2key/nonce2key.h"
#define llx PRIx64
PrintAndLog("Press pm3-button to abort simulation");
UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }};
+
num_to_bytes(uid, 7, c.d.asBytes);
SendCommand(&c);
+ uint8_t data[40];
+ uint8_t key[6];
+
while(!ukbhit()){
UsbCommand resp;
WaitForResponseTimeout(CMD_ACK,&resp,1500);
- PrintAndLog("Got %04X %02X", resp.arg[0], resp.arg[0]);
+ PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]);
if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
- uint8_t data[40];
- uint8_t key[6];
+ memset(data, 0x00, sizeof(data));
+ memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
tryMfk32(uid, data, key);
//tryMfk64(uid, data, key);
PrintAndLog("--");
- memset(data,0x00, 40);
}
}
return 0;
}
-int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
-
- struct Crypto1State *s,*t;
- uint64_t key; // recovered key
- uint32_t uid; // serial number
- uint32_t nt; // tag challenge
- uint32_t nr0_enc; // first encrypted reader challenge
- uint32_t ar0_enc; // first encrypted reader response
- uint32_t nr1_enc; // second encrypted reader challenge
- uint32_t ar1_enc; // second encrypted reader response
- bool isSuccess = FALSE;
- int counter = 0;
-
- uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
- nt = *(uint32_t*)(data+8);
- nr0_enc = *(uint32_t*)(data+12);
- ar0_enc = *(uint32_t*)(data+16);
- nr1_enc = *(uint32_t*)(data+32);
- ar1_enc = *(uint32_t*)(data+36);
-
- // PrintAndLog("Recovering key for:");
- // PrintAndLog(" uid: %08x",uid);
- // PrintAndLog(" nt: %08x",nt);
- // PrintAndLog(" {nr_0}: %08x",nr0_enc);
- // PrintAndLog(" {ar_0}: %08x",ar0_enc);
- // PrintAndLog(" {nr_1}: %08x",nr1_enc);
- // PrintAndLog(" {ar_1}: %08x",ar1_enc);
-
- s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
-
- for(t = s; t->odd | t->even; ++t) {
- lfsr_rollback_word(t, 0, 0);
- lfsr_rollback_word(t, nr0_enc, 1);
- lfsr_rollback_word(t, uid ^ nt, 0);
- crypto1_get_lfsr(t, &key);
- crypto1_word(t, uid ^ nt, 0);
- crypto1_word(t, nr1_enc, 1);
- if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
- PrintAndLog("Found Key: [%012"llx"]",key);
- isSuccess = TRUE;
- ++counter;
- if (counter==10)
- break;
- }
- }
- free(s);
- return isSuccess;
-}
-
-int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
-
- struct Crypto1State *revstate;
- uint64_t key; // recovered key
- uint32_t uid; // serial number
- uint32_t nt; // tag challenge
- uint32_t nr_enc; // encrypted reader challenge
- uint32_t ar_enc; // encrypted reader response
- uint32_t at_enc; // encrypted tag response
- uint32_t ks2; // keystream used to encrypt reader response
- uint32_t ks3; // keystream used to encrypt tag response
-
- struct Crypto1State mpcs = {0, 0};
- struct Crypto1State *pcs;
- pcs = &mpcs;
-
-
-
- uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
- nt = *(uint32_t*)(data+8);
- nr_enc = *(uint32_t*)(data+12);
- ar_enc = *(uint32_t*)(data+16);
-
- crypto1_word(pcs, nr_enc , 1);
- at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
-
- // printf("Recovering key for:\n");
- // printf(" uid: %08x\n",uid);
- // printf(" nt: %08x\n",nt);
- // printf(" {nr}: %08x\n",nr_enc);
- // printf(" {ar}: %08x\n",ar_enc);
- // printf(" {at}: %08x\n",at_enc);
-
- // Extract the keystream from the messages
- ks2 = ar_enc ^ prng_successor(nt, 64);
- ks3 = at_enc ^ prng_successor(nt, 96);
-
- revstate = lfsr_recovery64(ks2, ks3);
- lfsr_rollback_word(revstate, 0, 0);
- lfsr_rollback_word(revstate, 0, 0);
- lfsr_rollback_word(revstate, nr_enc, 1);
- lfsr_rollback_word(revstate, uid ^ nt, 0);
- crypto1_get_lfsr(revstate, &key);
- PrintAndLog("Found Key: [%012"llx"]",key);
- crypto1_destroy(revstate);
- crypto1_destroy(pcs);
- return 0;
-}
-
int CmdHF14ASniff(const char *Cmd) {
int param = 0;
int CmdHF14ASniff(const char *Cmd);
char* getTagInfo(uint8_t uid);
-int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
-int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
+
#endif
//-----------------------------------------------------------------------------\r
\r
#include "cmdhfmf.h"\r
+#include "nonce2key/nonce2key.h"\r
\r
static int CmdHelp(const char *Cmd);\r
\r
SendCommand(&c);\r
\r
if(flags & FLAG_INTERACTIVE)\r
- {\r
- UsbCommand resp;\r
+ { \r
+ uint64_t corr_uid = bytes_to_num(uid, ( flags & FLAG_4B_UID_IN_DATA ) ? 4 : 7 );\r
+\r
PrintAndLog("Press pm3-button to abort simulation");\r
- while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- //We're waiting only 1.5 s at a time, otherwise we get the\r
- // annoying message about "Waiting for a response... "\r
+ \r
+ uint8_t data[40];\r
+ uint8_t key[6];\r
+\r
+ while(!ukbhit()){\r
+ UsbCommand resp; \r
+ WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+ PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]); \r
+ if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){\r
+ memset(data, 0x00, sizeof(data));\r
+ memset(key, 0x00, sizeof(key));\r
+ int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
+ memcpy(data, resp.d.asBytes, len);\r
+ tryMfk32(corr_uid, data, key);\r
+ //tryMfk64(corr_uid, data, key);\r
+ PrintAndLog("--");\r
+ }\r
}\r
}\r
- \r
return 0;\r
}\r
\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
fnameptr += len;\r
\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
// user supplied filename?\r
if (len < 1) {\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
\r
if (len < 1) {\r
// get filename\r
uid[6] = data[7];
PrintAndLog(" UID : %s ", sprint_hex(uid, 7));
- PrintAndLog(" UID[0] : %02X, Manufacturer: %s", uid[0], getTagInfo(uid[0]) );
+ PrintAndLog(" UID[0] : %02X, %s", uid[0], getTagInfo(uid[0]) );
if ( uid[0] == 0x05 ) {
uint8_t chip = (data[8] & 0xC7); // 11000111 mask, bit 3,4,5 RFU
switch (chip){
uint8_t blockdata[20] = {0x00};
uint8_t data[16] = {0x00};
uint8_t authenticationkey[16] = {0x00};
- uint8_t *authkeyptr = authenticationkey;
+ uint8_t *authKeyPtr = authenticationkey;
// starting with getting tagtype
TagTypeUL_t tagtype = GetHF14AMfU_Type();
uint8_t maxblockno = 0;
for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
if (tagtype & UL_TYPES_ARRAY[idx])
- maxblockno = UL_MEMORY_ARRAY[idx]+1;
+ maxblockno = UL_MEMORY_ARRAY[idx];
}
if (blockNo < 0) {
errors = true;
}
if (blockNo > maxblockno){
- PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
+ PrintAndLog("block number too large. Max block is %u/0x%02X \n", maxblockno,maxblockno);
errors = true;
}
cmdp += 2;
if ( blockNo == -1 ) return usage_hf_mfu_wrbl();
// Swap endianness
- if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
- if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4);
-
+ if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
+ if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4);
if ( blockNo <= 3)
PrintAndLog("Special Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
else
PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4));
-
-
//Send write Block
UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}};
memcpy(c.d.asBytes,blockdata,4);
if ( hasAuthKey ){
c.arg[1] = 1;
- memcpy(c.d.asBytes+4,authkeyptr,16);
+ memcpy(c.d.asBytes+4,authKeyPtr,16);
}
else if ( hasPwdKey ) {
c.arg[1] = 2;
- memcpy(c.d.asBytes+4,authkeyptr,4);
+ memcpy(c.d.asBytes+4,authKeyPtr,4);
}
SendCommand(&c);
uint8_t keylen = 0;
uint8_t data[16] = {0x00};
uint8_t authenticationkey[16] = {0x00};
- uint8_t *authkeyptr = authenticationkey;
+ uint8_t *authKeyPtr = authenticationkey;
// starting with getting tagtype
TagTypeUL_t tagtype = GetHF14AMfU_Type();
uint8_t maxblockno = 0;
for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){
if (tagtype & UL_TYPES_ARRAY[idx])
- maxblockno = UL_MEMORY_ARRAY[idx]+1;
+ maxblockno = UL_MEMORY_ARRAY[idx];
}
if (blockNo < 0) {
if ( blockNo == -1 ) return usage_hf_mfu_rdbl();
// Swap endianness
- if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8);
- if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4);
+ if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8);
+ if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4);
//Read Block
UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}};
if ( hasAuthKey ){
c.arg[1] = 1;
- memcpy(c.d.asBytes,authkeyptr,16);
+ memcpy(c.d.asBytes,authKeyPtr,16);
}
else if ( hasPwdKey ) {
c.arg[1] = 2;
- memcpy(c.d.asBytes,authkeyptr,4);
+ memcpy(c.d.asBytes,authKeyPtr,4);
}
SendCommand(&c);
} else {
PrintAndLog("Command execute time-out");
}
-
return 0;
}
//
// Mifare Ultralight / Ultralight-C / Ultralight-EV1
// Read and Dump Card Contents, using auto detection of tag size.
-//
-// TODO: take a password to read UL-C / UL-EV1 tags.
int CmdHF14AMfUDump(const char *Cmd){
FILE *fout;
TagTypeUL_t tagtype = GetHF14AMfU_Type();
if (tagtype == UL_ERROR) return -1;
- if (!manualPages)
+ if (!manualPages) //get number of pages to read
for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++)
if (tagtype & UL_TYPES_ARRAY[idx])
- Pages = UL_MEMORY_ARRAY[idx]+1;
+ Pages = UL_MEMORY_ARRAY[idx]+1; //add one as maxblks starts at 0
ul_print_type(tagtype, 0);
PrintAndLog("Reading tag memory...");
}
}
- PrintAndLog("Block# Data lck Ascii");
- PrintAndLog("----------------------------------");
+ PrintAndLog("Block# | Data |lck| Ascii");
+ PrintAndLog("---------------------------------");
for (i = 0; i < Pages; ++i) {
if ( i < 3 ) {
PrintAndLog("%02d/0x%02X | %s | |", i, i,sprint_hex(data + i * 4, 4));
}
PrintAndLog("%02d/0x%02X | %s |%d| %.4s",i , i, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4);
}
- PrintAndLog("----------------------------------");
+ PrintAndLog("---------------------------------");
// user supplied filename?
if (fileNlen < 1) {
{"help", CmdHelp, 1, "This help"},
{"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},
{"info", CmdHF14AMfUInfo, 0, "Tag information"},
- {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C tag to binary file"},
+ {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"},
{"rdbl", CmdHF14AMfURdBl, 0, "Read block"},
{"wrbl", CmdHF14AMfUWrBl, 0, "Write block"},
{"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"},
return 1;
}
+
+int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
+
+ struct Crypto1State *s,*t;
+ uint64_t key; // recovered key
+ uint32_t uid; // serial number
+ uint32_t nt; // tag challenge
+ uint32_t nr0_enc; // first encrypted reader challenge
+ uint32_t ar0_enc; // first encrypted reader response
+ uint32_t nr1_enc; // second encrypted reader challenge
+ uint32_t ar1_enc; // second encrypted reader response
+ bool isSuccess = FALSE;
+ int counter = 0;
+
+ uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
+ nt = *(uint32_t*)(data+8);
+ nr0_enc = *(uint32_t*)(data+12);
+ ar0_enc = *(uint32_t*)(data+16);
+ nr1_enc = *(uint32_t*)(data+32);
+ ar1_enc = *(uint32_t*)(data+36);
+
+ // PrintAndLog("Recovering key for:");
+ // PrintAndLog(" uid: %08x",uid);
+ // PrintAndLog(" nt: %08x",nt);
+ // PrintAndLog(" {nr_0}: %08x",nr0_enc);
+ // PrintAndLog(" {ar_0}: %08x",ar0_enc);
+ // PrintAndLog(" {nr_1}: %08x",nr1_enc);
+ // PrintAndLog(" {ar_1}: %08x",ar1_enc);
+
+ s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
+
+ for(t = s; t->odd | t->even; ++t) {
+ lfsr_rollback_word(t, 0, 0);
+ lfsr_rollback_word(t, nr0_enc, 1);
+ lfsr_rollback_word(t, uid ^ nt, 0);
+ crypto1_get_lfsr(t, &key);
+ crypto1_word(t, uid ^ nt, 0);
+ crypto1_word(t, nr1_enc, 1);
+ if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) {
+ PrintAndLog("Found Key: [%012"llx"]",key);
+ isSuccess = TRUE;
+ ++counter;
+ if (counter==10)
+ break;
+ }
+ }
+ free(s);
+ return isSuccess;
+}
+
+int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){
+
+ struct Crypto1State *revstate;
+ uint64_t key; // recovered key
+ uint32_t uid; // serial number
+ uint32_t nt; // tag challenge
+ uint32_t nr_enc; // encrypted reader challenge
+ uint32_t ar_enc; // encrypted reader response
+ uint32_t at_enc; // encrypted tag response
+ uint32_t ks2; // keystream used to encrypt reader response
+ uint32_t ks3; // keystream used to encrypt tag response
+
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4);
+ nt = *(uint32_t*)(data+8);
+ nr_enc = *(uint32_t*)(data+12);
+ ar_enc = *(uint32_t*)(data+16);
+
+ crypto1_word(pcs, nr_enc , 1);
+ at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0);
+
+ // printf("Recovering key for:\n");
+ // printf(" uid: %08x\n",uid);
+ // printf(" nt: %08x\n",nt);
+ // printf(" {nr}: %08x\n",nr_enc);
+ // printf(" {ar}: %08x\n",ar_enc);
+ // printf(" {at}: %08x\n",at_enc);
+
+ // Extract the keystream from the messages
+ ks2 = ar_enc ^ prng_successor(nt, 64);
+ ks3 = at_enc ^ prng_successor(nt, 96);
+
+ revstate = lfsr_recovery64(ks2, ks3);
+ lfsr_rollback_word(revstate, 0, 0);
+ lfsr_rollback_word(revstate, 0, 0);
+ lfsr_rollback_word(revstate, nr_enc, 1);
+ lfsr_rollback_word(revstate, uid ^ nt, 0);
+ crypto1_get_lfsr(revstate, &key);
+ PrintAndLog("Found Key: [%012"llx"]",key);
+ crypto1_destroy(revstate);
+ crypto1_destroy(pcs);
+ return 0;
+}
// Merlok - June 2011
// Roel - Dec 2009
// Unknown author
-//
+// icemane - may 2015
// This code is licensed to you under the terms of the GNU GPL, version 2 or,
// at your option, any later version. See the LICENSE.txt file for the text of
// the license.
#include "common.h"
int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key);
-
+int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
+int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey );
#endif
for i = 1, string.len(hexdata),32 do
ascii = ascii ..string.sub(hexdata,i,i+31).."\n"
end
- return ascii
+
+ return string.sub(ascii,1,-1)
end
local function main(args)