PrintAndLog("t - transfer keys into emulator memory");\r
PrintAndLog("d - write keys to binary file");\r
PrintAndLog(" ");\r
- PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");\r
- PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
- PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
- PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
+ PrintAndLog(" samples:");\r
+ PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF ");\r
+ PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t ");\r
+ PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d ");\r
+ PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A");\r
return 0;\r
} \r
\r
clock_t t1 = clock();\r
\r
// check keys.\r
- for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) {\r
+ for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) {\r
\r
int b = blockNo;\r
for (int i = 0; i < SectorsCnt; ++i) {\r
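Review bot: The new `for` header hides the key-type selection in its init and step expressions, and there is no comment explaining the encoding it relies on. As written, `keyType == 2` walks `trgKeyType` through 0 and 1, while any other value checks only `trgKeyType = !keyType` and then forces the loop to end via `trgKeyType=2`. That works only if `keyType` is stored inverted relative to `trgKeyType`; the assignment is outside this hunk, so please confirm a caller asking for key A does not end up testing key B. A comment above the loop such as `// keyType 2 = try both key types; otherwise keyType holds the inverted target type, so !keyType is the single type to check` (wording to be confirmed against the parser) would make this auditable. The loop body continues outside the hunk.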
//return (*(uint64_t*)b - *(uint64_t*)a);\r
\r
// better:\r
- if (*(uint64_t*)b < *(uint64_t*)a) return -1;\r
+ /*if (*(uint64_t*)b < *(uint64_t*)a) return -1;\r
if (*(uint64_t*)b > *(uint64_t*)a) return 1;\r
return 0;\r
-\r
- //return (*(uint64_t*)b > *(uint64_t*)a) - (*(uint64_t*)b < *(uint64_t*)a);\r
+*/\r
+ return (*(uint64_t*)b > *(uint64_t*)a) - (*(uint64_t*)b < *(uint64_t*)a);\r
}\r
\r
// Compare 16 Bits out of cryptostate\r
int Compare16Bits(const void * a, const void * b) {\r
\r
+/*\r
if ((*(uint64_t*)b & 0x00ff000000ff0000) < (*(uint64_t*)a & 0x00ff000000ff0000)) return -1;\r
if ((*(uint64_t*)b & 0x00ff000000ff0000) > (*(uint64_t*)a & 0x00ff000000ff0000)) return 1; \r
return 0;\r
-\r
- /*return \r
+*/\r
+ return \r
((*(uint64_t*)b & 0x00ff000000ff0000) > (*(uint64_t*)a & 0x00ff000000ff0000))\r
-\r
((*(uint64_t*)b & 0x00ff000000ff0000) < (*(uint64_t*)a & 0x00ff000000ff0000))\r
;\r
-*/\r
}\r
\r
typedef \r
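Review bot: Both comparators now keep the old branchy body as a commented-out block next to the live `return`, which leaves dead code beside security-relevant sort logic; the same applies to the unnamed comparator at the top of this hunk and to `Compare16Bits`. Delete the `/* ... */` blocks and keep a one-line why-comment instead, for example `// (b > a) - (b < a): plain subtraction would truncate the 64-bit difference to int`. The casts `*(uint64_t*)b` also drop the `const` that `Compare16Bits` declares on its parameters; reading through `const uint64_t *` keeps the qualifier, e.g. `const uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;` followed by `return (y > x) - (y < x);`. The first comparator's signature is outside the hunk, so the const remark is confirmed only for `Compare16Bits`.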
struct Crypto1State *p1;\r
StateList_t *statelist = arg;\r
\r
- statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid);\r
+ statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid); \r
\r
for (p1 = statelist->head.slhead; *(uint64_t *)p1 != 0; p1++);\r
\r
// error during nested\r
if (resp.arg[0]) return resp.arg[0];\r
\r
-// memcpy(&uid, resp.d.asBytes, 4);\r
- uid = bytes_to_num(resp.d.asBytes, 4);\r
+ memcpy(&uid, resp.d.asBytes, 4);\r
\r
for (i = 0; i < 2; i++) {\r
statelists[i].blockNo = resp.arg[2] & 0xff;\r
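Review bot: Replacing `bytes_to_num(resp.d.asBytes, 4)` with `memcpy(&uid, resp.d.asBytes, 4)` makes the decoded `uid` depend on the host's byte order, and for the same four bytes the two forms give byte-swapped values on a little-endian host if `bytes_to_num` decodes most-significant byte first (its body is not shown here). If this `uid` is what later feeds the key recovery and the `UID: %08x` log line, a mismatch with the order the device uses would produce wrong candidates rather than an error. The device-side packing is not visible in this hunk, so please confirm it and record it next to the copy, e.g. `// uid is sent as a raw 32-bit value in <device byte order>; host must match`. The `memcpy` also assumes `uid` is exactly four bytes wide, and the enclosing function begins and ends outside the hunk.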
// uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt;\r
\r
uint32_t numOfCandidates = statelists[0].len;\r
- if ( numOfCandidates == 0 ) goto out;\r
-\r
- uint8_t *keyBlock = malloc(numOfCandidates*6);\r
- if (keyBlock == NULL) return -6;\r
+ if ( numOfCandidates > 0 ) {\r
\r
- for (i = 0; i < numOfCandidates; ++i){\r
- crypto1_get_lfsr(statelists[0].head.slhead + i, &key64);\r
- num_to_bytes(key64, 6, keyBlock + i * 6);\r
- }\r
+ uint8_t keyBlock[USB_CMD_DATA_SIZE] = {0x00};\r
\r
- if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, numOfCandidates, keyBlock, &key64)) { \r
- free(statelists[0].head.slhead);\r
- free(statelists[1].head.slhead);\r
- free(keyBlock);\r
- num_to_bytes(key64, 6, resultKey);\r
+ for (i = 0; i < numOfCandidates; ++i){\r
+ crypto1_get_lfsr(statelists[0].head.slhead + i, &key64);\r
+ num_to_bytes(key64, 6, keyBlock + i * 6);\r
+ }\r
\r
- PrintAndLog("UID: %08x target block:%3u key type: %c -- Found key [%012"llx"]",\r
- uid,\r
- (uint16_t)resp.arg[2] & 0xff,\r
- (resp.arg[2] >> 8) ? 'B' : 'A',\r
- key64\r
- );\r
- return -5;\r
+ if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, numOfCandidates, keyBlock, &key64)) { \r
+ free(statelists[0].head.slhead);\r
+ free(statelists[1].head.slhead);\r
+ num_to_bytes(key64, 6, resultKey);\r
+\r
+ PrintAndLog("UID: %08x target block:%3u key type: %c -- Found key [%012"llx"]",\r
+ uid,\r
+ (uint16_t)resp.arg[2] & 0xff,\r
+ (resp.arg[2] >> 8) ? 'B' : 'A',\r
+ key64\r
+ );\r
+ return -5;\r
+ }\r
+ \r
}\r
-\r
-out:\r
PrintAndLog("UID: %08x target block:%3u key type: %c",\r
- uid,\r
+ uid,\r
(uint16_t)resp.arg[2] & 0xff,\r
(resp.arg[2] >> 8) ? 'B' : 'A'\r
); \r
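Review bot: The new fixed-size `keyBlock[USB_CMD_DATA_SIZE]` is filled by a loop bounded only by `numOfCandidates`, so any candidate count above `USB_CMD_DATA_SIZE / 6` writes past the end of the stack array at `num_to_bytes(key64, 6, keyBlock + i * 6)`. The removed code sized its heap buffer as `numOfCandidates*6`, and the clamp in the commented-out `max_keys` line just above is not applied. `numOfCandidates` is taken from `statelists[0].len`, which nothing in the hunk bounds. Checking the candidates in batches of at most `USB_CMD_DATA_SIZE / 6` keeps the stack buffer without dropping candidates; this assumes `mfCheckKeys` returns 0 when one of the supplied keys matches, as the `!mfCheckKeys(...)` test suggests. The enclosing function begins and ends outside the hunk.

```c
	// … unchanged: uint32_t numOfCandidates = statelists[0].len; …
	const uint32_t max_keys = USB_CMD_DATA_SIZE / 6;
	uint8_t keyBlock[USB_CMD_DATA_SIZE] = {0x00};

	for (uint32_t done = 0; done < numOfCandidates; done += max_keys) {
		// Never place more keys in keyBlock than it can hold.
		uint32_t batch = numOfCandidates - done;
		if (batch > max_keys)
			batch = max_keys;

		for (i = 0; i < batch; ++i) {
			crypto1_get_lfsr(statelists[0].head.slhead + done + i, &key64);
			num_to_bytes(key64, 6, keyBlock + i * 6);
		}

		if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, batch, keyBlock, &key64)) {
			// … unchanged: free both state lists, copy key64 to resultKey, log, return -5 …
		}
	}
	// … unchanged: final PrintAndLog of UID / target block / key type …
```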