This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
## [unreleased][unreleased]
+ - 'lf t55xx recoverpw' - adds a new password recovery using bitflips and partial flips if password write went bad. (alexgrin)
+ - 'hf legic' - added improved legic data mapping. (jason)
+ - 'hf mf mifare' - added possibility to target key A|B (douniwan5788)
- 'analyse lcr' - added a new main command group, to help analysing bytes & bits & nibbles. (iceman)
- 'lf nedap' - added identification of a NEDAP tag. (iceman)
- 'lf viking clone' - fixed a bug. (iceman)
EPA_PACE_Replay(c);
break;
case CMD_READER_MIFARE:
- ReaderMifare(c->arg[0], c->arg[1]);
+ ReaderMifare(c->arg[0], c->arg[1], c->arg[2]);
break;
case CMD_MIFARE_READBL:
MifareReadBlock(c->arg[0], c->arg[1], c->arg[2], c->d.asBytes);
void EM4xReadWord(uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
void EM4xWriteWord(uint32_t Data, uint8_t Address, uint32_t Pwd, uint8_t PwdMode);
-/// iso14443.h
+/// iso14443b.h
void SimulateIso14443bTag(uint32_t pupi);
void AcquireRawAdcSamplesIso14443b(uint32_t parameter);
void ReadSTMemoryIso14443b(uint8_t numofblocks);
void RAMFUNC SnoopIso14443b(void);
void SendRawCommand14443B(uint32_t, uint32_t, uint8_t, uint8_t[]);
-/// iso14443a.h
+// iso14443a.h
void RAMFUNC SniffIso14443a(uint8_t param);
void SimulateIso14443aTag(int tagType, int flags, byte_t* data);
void ReaderIso14443a(UsbCommand * c);
void GetParity(const uint8_t *pbtCmd, uint16_t len, uint8_t *parity);
void iso14a_set_trigger(bool enable);
-void RAMFUNC SniffMifare(uint8_t param);
-
-/// epa.h
+// epa.h
void EPA_PACE_Collect_Nonce(UsbCommand * c);
void EPA_PACE_Replay(UsbCommand *c);
// mifarecmd.h
-//void ReaderMifare(bool first_try);
-void ReaderMifare(bool first_try, uint8_t block );
-int32_t dist_nt(uint32_t nt1, uint32_t nt2);
void MifareReadBlock(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *data);
void MifareUReadBlock(uint8_t arg0, uint8_t arg1, uint8_t *datain);
void MifareUC_Auth(uint8_t arg0, uint8_t *datain);
void OnSuccessMagic();
void OnErrorMagic(uint8_t reason);
+int32_t dist_nt(uint32_t nt1, uint32_t nt2);
+void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype );
+void RAMFUNC SniffMifare(uint8_t param);
+
//desfire
void Mifare_DES_Auth1(uint8_t arg0,uint8_t *datain);
void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain);
// mifaredesfire.h
-bool InitDesfireCard();
-void MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain);
-void MifareDesfireGetInformation();
-void MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain);
-void ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain);
-int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout);
-size_t CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout);
-void OnSuccess();
-void OnError(uint8_t reason);
+bool InitDesfireCard();
+void MifareSendCommand(uint8_t arg0,uint8_t arg1, uint8_t *datain);
+void MifareDesfireGetInformation();
+void MifareDES_Auth1(uint8_t arg0,uint8_t arg1,uint8_t arg2, uint8_t *datain);
+void ReaderMifareDES(uint32_t param, uint32_t param2, uint8_t * datain);
+int DesfireAPDU(uint8_t *cmd, size_t cmd_len, uint8_t *dataout);
+size_t CreateAPDU( uint8_t *datain, size_t len, uint8_t *dataout);
+void OnSuccess();
+void OnError(uint8_t reason);
// desfire_crypto.h
-void *mifare_cryto_preprocess_data (desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings);
-void *mifare_cryto_postprocess_data (desfiretag_t tag, void *data, size_t *nbytes, int communication_settings);
-void mifare_cypher_single_block (desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size);
-void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation);
-size_t key_block_size (const desfirekey_t key);
-size_t padded_data_length (const size_t nbytes, const size_t block_size);
-size_t maced_data_length (const desfirekey_t key, const size_t nbytes);
-size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings);
-void cmac_generate_subkeys (desfirekey_t key);
-void cmac (const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac);
+void *mifare_cryto_preprocess_data (desfiretag_t tag, void *data, size_t *nbytes, size_t offset, int communication_settings);
+void *mifare_cryto_postprocess_data (desfiretag_t tag, void *data, size_t *nbytes, int communication_settings);
+void mifare_cypher_single_block (desfirekey_t key, uint8_t *data, uint8_t *ivect, MifareCryptoDirection direction, MifareCryptoOperation operation, size_t block_size);
+void mifare_cypher_blocks_chained (desfiretag_t tag, desfirekey_t key, uint8_t *ivect, uint8_t *data, size_t data_size, MifareCryptoDirection direction, MifareCryptoOperation operation);
+size_t key_block_size (const desfirekey_t key);
+size_t padded_data_length (const size_t nbytes, const size_t block_size);
+size_t maced_data_length (const desfirekey_t key, const size_t nbytes);
+size_t enciphered_data_length (const desfiretag_t tag, const size_t nbytes, int communication_settings);
+void cmac_generate_subkeys (desfirekey_t key);
+void cmac (const desfirekey_t key, uint8_t *ivect, const uint8_t *data, size_t len, uint8_t *cmac);
/// iso15693.h
void RecordRawAdcSamplesIso15693(void);
void iClass_Clone(uint8_t startblock, uint8_t endblock, uint8_t *data);
void iClass_ReadCheck(uint8_t blockNo, uint8_t keyType);
-
// hitag2.h
void SnoopHitag(uint32_t type);
void SimulateHitagTag(bool tag_mem_supplied, byte_t* data);
void WritePageHitagS(hitag_function htf, hitag_data* htd,int page);
void check_challenges(bool file_given, byte_t* data);
-
// cmd.h
bool cmd_receive(UsbCommand* cmd);
bool cmd_send(uint32_t cmd, uint32_t arg0, uint32_t arg1, uint32_t arg2, void* data, size_t len);
-/// util.h
+// util.h
void HfSnoop(int , int);
+
//EMV functions emvcmd.h
void EMVTransaction(void);
void EMVgetUDOL(void);
// Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime"
// (article by Nicolas T. Courtois, 2009)
//-----------------------------------------------------------------------------
-void ReaderMifare(bool first_try, uint8_t block ) {
- uint8_t mf_auth[] = { MIFARE_AUTH_KEYA, block, 0x00, 0x00 };
+void ReaderMifare(bool first_try, uint8_t block, uint8_t keytype ) {
+
+ uint8_t mf_auth[] = { keytype, block, 0x00, 0x00 };
uint8_t mf_nr_ar[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
uint8_t par_list[8] = {0,0,0,0,0,0,0,0};
#define PRNG_SEQUENCE_LENGTH (1 << 16)
#define MAX_UNEXPECTED_RANDOM 4 // maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
#define MAX_SYNC_TRIES 32
-
+
+ AppendCrc14443a(mf_auth, 2);
+
BigBuf_free(); BigBuf_Clear_ext(false);
clear_trace();
set_tracing(TRUE);
iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
- AppendCrc14443a(mf_auth, 2);
if (first_try) {
sync_time = GetCountSspClk() & 0xfffffff8;
#ifndef BITMASK
# define BITMASK(X) (1 << (X))
#endif
+#ifndef ARRAYLEN
+# define ARRAYLEN(x) (sizeof(x)/sizeof((x)[0]))
+#endif
void print_result(char *name, uint8_t *buf, size_t len);
size_t nbytes(size_t nbits);
PrintAndLog("LEGIC: CRC8 : %X (0xC6 expected)", legic8);
PrintAndLog("MAXIM: CRC8 : %X (0xA1 expected)", CRC8Maxim(dataStr, sizeof(dataStr)));
PrintAndLog("DNP : CRC16: %X (0x82EA expected)", CRC16_DNP(dataStr, sizeof(dataStr)));
- PrintAndLog("CCITT: CRC16: %X (0xE5CC expected)", CRC16_CCITT(dataStr, sizeof(dataStr)));
+ PrintAndLog("CCITT: CRC16: %X (0xE5CC expected)", CRC16_CCITT(dataStr, sizeof(dataStr)));
+
+ PrintAndLog("ICLASS org: CRC16: %X (0x expected)",iclass_crc16( (char*)dataStr, sizeof(dataStr)));
+ PrintAndLog("ICLASS ice: CRC16: %X (0x expected)",CRC16_ICLASS(dataStr, sizeof(dataStr)));
+
+
+
+ uint8_t dataStr1234[] = { 0x1,0x2,0x3,0x4};
+ PrintAndLog("ISO15693 org: : CRC16: %X (0xF0B8 expected)", Iso15693Crc(dataStr1234, sizeof(dataStr1234)));
+ PrintAndLog("ISO15693 ice: : CRC16: %X (0xF0B8 expected)", CRC16_Iso15693(dataStr1234, sizeof(dataStr1234)));
free(data);
return 0;
#include "ui.h" // PrintAndLog
#include "util.h"
#include "crc.h"
+#include "../common/iso15693tools.h"
int usage_analyse_lcr(void);
int usage_analyse_checksum(void);
//-----------------------------------------------------------------------------\r
\r
#include "cmdhfmf.h"\r
-#include "cmdhfmfhard.h"\r
-#include "nonce2key/nonce2key.h"\r
\r
static int CmdHelp(const char *Cmd);\r
int usage_hf14_mifare(void){\r
- PrintAndLog("Usage: hf mf mifare [h] <block number>");\r
+ PrintAndLog("Usage: hf mf mifare [h] <block number> <A|B>");\r
PrintAndLog("options:");\r
- PrintAndLog(" h this help");\r
- PrintAndLog(" <block number> (Optional) target other key A than block 0.");\r
+ PrintAndLog(" h this help");\r
+ PrintAndLog(" <block number> (Optional) target other block");\r
+ PrintAndLog(" <A|B> (optional) target key type");\r
PrintAndLog("samples:");\r
PrintAndLog(" hf mf mifare");\r
PrintAndLog(" hf mf mifare 16");\r
+ PrintAndLog(" hf mf mifare 16 B");\r
return 0;\r
}\r
int usage_hf14_mf1ksim(void){\r
uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
int16_t isOK = 0;\r
int tmpchar; \r
- uint8_t blockNo = 0;\r
+ uint8_t blockNo = 0, keytype = MIFARE_AUTH_KEYA;\r
\r
char cmdp = param_getchar(Cmd, 0); \r
if ( cmdp == 'H' || cmdp == 'h') return usage_hf14_mifare();\r
\r
- blockNo = param_get8(Cmd, 0);\r
- UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}};\r
+ blockNo = param_get8(Cmd, 0); \r
+ \r
+ cmdp = param_getchar(Cmd, 1);\r
+ if (cmdp == 'B' || cmdp == 'b')\r
+ keytype = MIFARE_AUTH_KEYB;\r
+ \r
+ UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, keytype}};\r
\r
// message\r
printf("-------------------------------------------------------------------------\n");\r
PrintAndLog("");\r
return 0;\r
}\r
+#define ATTACK_KEY_COUNT 8\r
+sector *k_sector = NULL;\r
+uint8_t k_sectorsCount = 16;\r
+void readerAttack(nonces_t data[], bool setEmulatorMem) {\r
\r
-int CmdHF14AMf1kSim(const char *Cmd) {\r
- uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
- uint8_t exitAfterNReads = 0;\r
- uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);\r
- int uidlen = 0;\r
- uint8_t pnr = 0;\r
- uint8_t cmdp = param_getchar(Cmd, 0);\r
-\r
- if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim();\r
-\r
- cmdp = param_getchar(Cmd, pnr);\r
- if (cmdp == 'u' || cmdp == 'U') {\r
- param_gethex_ex(Cmd, pnr+1, uid, &uidlen);\r
- switch(uidlen){\r
- case 20: flags = FLAG_10B_UID_IN_DATA; break;\r
- case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
- case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
- default: return usage_hf14_mf1ksim();\r
- }\r
- pnr +=2;\r
- }\r
+ // initialize storage for found keys\r
+ if (k_sector == NULL);\r
+ k_sector = calloc(k_sectorsCount, sizeof(sector));\r
+ if (k_sector == NULL) \r
+ return;\r
\r
- cmdp = param_getchar(Cmd, pnr); \r
- if (cmdp == 'n' || cmdp == 'N') {\r
- exitAfterNReads = param_get8(Cmd, pnr+1);\r
- pnr += 2;\r
+ uint64_t key = 0;\r
+ \r
+ // empty e_sector\r
+ for(int i = 0; i < k_sectorsCount; ++i){\r
+ k_sector[i].Key[0] = 0xffffffffffff;\r
+ k_sector[i].Key[1] = 0xffffffffffff;\r
+ k_sector[i].foundKey[0] = FALSE;\r
+ k_sector[i].foundKey[1] = FALSE;\r
}\r
\r
- cmdp = param_getchar(Cmd, pnr); \r
- if (cmdp == 'i' || cmdp == 'I' ) {\r
- flags |= FLAG_INTERACTIVE;\r
- pnr++;\r
+ printf("enter reader attack\n");\r
+ for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {\r
+ if (data[i].ar2 > 0) {\r
+ \r
+ if (tryMfk32(data[i], &key)) {\r
+ PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"\r
+ , (data[i].keytype) ? "B" : "A"\r
+ , data[i].sector\r
+ , key\r
+ );\r
+\r
+ k_sector[i].Key[data[i].keytype] = key;\r
+ k_sector[i].foundKey[data[i].keytype] = TRUE;\r
+ \r
+ //set emulator memory for keys\r
+ if (setEmulatorMem) {\r
+ uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
+ num_to_bytes( k_sector[i].Key[0], 6, memBlock);\r
+ num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);\r
+ mfEmlSetMem( memBlock, i*4 + 3, 1);\r
+ PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
+ , i*4 + 3\r
+ , sprint_hex( memBlock, sizeof(memBlock))\r
+ );\r
+ }\r
+ break;\r
+ }\r
+ //moebius attack \r
+ // if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key)) {\r
+ // PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]"\r
+ // ,(data[i+ATTACK_KEY_COUNT].keytype) ? "B" : "A"\r
+ // , data[i+ATTACK_KEY_COUNT].sector\r
+ // , key\r
+ // );\r
+ // }\r
+ }\r
}\r
+}\r
+\r
+int CmdHF14AMf1kSim(const char *Cmd) {\r
\r
- cmdp = param_getchar(Cmd, pnr); \r
- if (cmdp == 'x' || cmdp == 'X') {\r
- flags |= FLAG_NR_AR_ATTACK;\r
+ uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
+ uint8_t exitAfterNReads = 0;\r
+ uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);\r
+ int uidlen = 0; \r
+ bool setEmulatorMem = false;\r
+ uint8_t cmdp = 0;\r
+ bool errors = false;\r
+\r
+ while(param_getchar(Cmd, cmdp) != 0x00) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'e':\r
+ case 'E':\r
+ setEmulatorMem = true;\r
+ cmdp++;\r
+ break;\r
+ case 'h':\r
+ case 'H':\r
+ return usage_hf14_mf1ksim();\r
+ case 'i':\r
+ case 'I':\r
+ flags |= FLAG_INTERACTIVE;\r
+ cmdp++;\r
+ break;\r
+ case 'n':\r
+ case 'N':\r
+ exitAfterNReads = param_get8(Cmd, cmdp+1);\r
+ cmdp += 2;\r
+ break;\r
+ case 'u':\r
+ case 'U':\r
+ param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
+ switch(uidlen) {\r
+ case 20: flags = FLAG_10B_UID_IN_DATA; break;\r
+ case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
+ default: return usage_hf14_mf1ksim();\r
+ }\r
+ cmdp +=2;\r
+ break;\r
+ case 'x':\r
+ case 'X':\r
+ flags |= FLAG_NR_AR_ATTACK;\r
+ cmdp++;\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = true;\r
+ break;\r
+ }\r
+ if(errors) break;\r
}\r
+ //Validations\r
+ if(errors) return usage_hf14_mf1ksim();\r
\r
PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) "\r
, (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen>>1)\r
SendCommand(&c);\r
\r
if(flags & FLAG_INTERACTIVE) { \r
- uint8_t data[32];\r
- uint64_t key;\r
- UsbCommand resp; \r
PrintAndLog("Press pm3-button or send another cmd to abort simulation");\r
+\r
+ nonces_t data[ATTACK_KEY_COUNT*2];\r
+ UsbCommand resp; \r
+\r
while( !ukbhit() ){\r
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;\r
\r
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;\r
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;\r
\r
- memset(data, 0x00, sizeof(data)); \r
- int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
-\r
- memcpy(data, resp.d.asBytes, len); \r
- key = 0;\r
- bool found = tryMfk32(data, &key);\r
- found ^= tryMfk32_moebius(data, &key);\r
- if ( found ) break;\r
+ memcpy( data, resp.d.asBytes, sizeof(data) ); \r
+ readerAttack(data, setEmulatorMem);\r
+ }\r
+ \r
+ if (k_sector != NULL) {\r
+ printKeyTable(k_sectorsCount, k_sector );\r
+ free(k_sector);\r
}\r
}\r
return 0;\r
int CmdHF14AMfDbg(const char *Cmd) {\r
\r
char ctmp = param_getchar(Cmd, 0);\r
- if (strlen(Cmd) < 1 || ctmp == 'h'|| ctmp == 'H') return usage_hf14_dbg();\r
+ if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_hf14_dbg();\r
\r
uint8_t dbgMode = param_get8ex(Cmd, 0, 0, 10);\r
if (dbgMode > 4) return usage_hf14_dbg();\r
}\r
\r
// EMULATOR COMMANDS\r
-\r
int CmdHF14AMfEGet(const char *Cmd)\r
{\r
uint8_t blockNo = 0;\r
\r
blockNo = param_get8(Cmd, 0);\r
\r
- PrintAndLog(" ");\r
+ PrintAndLog("");\r
if (!mfEmlGetMem(data, blockNo, 1)) {\r
PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16));\r
} else {\r
#include "cmdparser.h"\r
#include "common.h"\r
#include "util.h"\r
-#include "mifarehost.h"\r
+//#include "mifarehost.h"\r
+#include "mifare.h" // nonces_t struct\r
+#include "cmdhfmfhard.h"\r
+#include "nonce2key/nonce2key.h"\r
\r
int CmdHFMF(const char *Cmd);\r
int CmdHF14AMfCSave(const char* cmd);\r
int CmdHf14MfDecryptBytes(const char *Cmd);\r
\r
+void readerAttack(nonces_t data[], bool setEmulatorMem);\r
void printKeyTable( uint8_t sectorscnt, sector *e_sector );\r
#endif\r
#ifndef ROTR
# define ROTR(x,n) (((uintmax_t)(x) >> (n)) | ((uintmax_t)(x) << ((sizeof(x) * 8) - (n))))
#endif
+
#ifndef MIN
# define MIN(a, b) (((a) < (b)) ? (a) : (b))
#endif
#ifndef MAX
# define MAX(a, b) (((a) > (b)) ? (a) : (b))
#endif
+
+// Byte swapping
#ifndef BSWAP_32
# define BSWAP_32(x) \
((((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) | \
# define BSWAP_16(x) ((( ((x) & 0xFF00 ) >> 8))| ( (((x) & 0x00FF) << 8)))
#endif
+// Boolean
#define TRUE 1
#define FALSE 0
#define EVEN 0
#define ODD 1
+// Nibble logic
#ifndef NIBBLE_HIGH
# define NIBBLE_HIGH(b) ( (b & 0xF0) >> 4 )
#endif
# define SWAP_NIBBLE(b) ( (NIBBLE_LOW(b)<< 4) | NIBBLE_HIGH(b))
#endif
+// Binary Encoded Digit
#ifndef BCD2DEC
# define BCD2DEC(bcd) HornerScheme(bcd, 0x10, 10)
#endif
# define DEC2BCD(dec) HornerScheme(dec, 10, 0x10)
#endif
+// used for save/load files
+#ifndef FILE_PATH_SIZE
+# define FILE_PATH_SIZE 1000
+#endif
+
+#ifndef ARRAYLEN
+# define ARRAYLEN(x) (sizeof(x)/sizeof((x)[0]))
+#endif
+
int ukbhit(void);
void AddLogLine(char *fileName, char *extData, char *c);
projects / proxmark3-svn / commitdiff