From a61b4976bd2085bf0495855b48fcad0d9ed4572e Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Thu, 30 Oct 2014 00:09:01 +0100
Subject: [PATCH] FIXED: Merged all Holimans code-review issues which should fix a lot of memoryleaks.
---
 armsrc/appmain.c | 2 +-
 armsrc/epa.c | 2 +-
 armsrc/iso14443a.c | 11 +++++-
 armsrc/lfops.c | 80 +++++++++++++++++++-------------------
 armsrc/util.c | 2 +-
 client/cmddata.c | 22 +++++------
 client/cmdhf15.c | 5 ++-
 client/cmdhficlass.c | 7 ++--
 client/cmdhfmf.c | 18 +++++----
 client/cmdlf.c | 2 +-
 client/cmdlfem4x.c | 22 +++++------
 client/cmdlft55xx.c | 4 +-
 client/cmdmain.c | 6 ++-
 client/graph.c | 29 +++++++++++---
 client/loclass/ikeys.c | 6 +--
 client/mifarehost.c | 31 ++++++---------
 client/nonce2key/crapto1.c | 7 +++-
 client/ui.c | 25 ++----------
 18 files changed, 143 insertions(+), 138 deletions(-)
diff --git a/armsrc/appmain.c b/armsrc/appmain.c
index 6d18561a..581335de 100644
--- a/armsrc/appmain.c
+++ b/armsrc/appmain.c
@@ -674,7 +674,7 @@ void UsbPacketReceived(uint8_t *packet, int len)
 break;
 case CMD_SIMULATE_TAG_125K:
 LED_A_ON();
- SimulateTagLowFrequency(c->arg[0], c->arg[1], 1);
+ SimulateTagLowFrequency(c->arg[0], c->arg[1], 0);
 LED_A_OFF();
 break;
 case CMD_LF_SIMULATE_BIDIR:
diff --git a/armsrc/epa.c b/armsrc/epa.c
index 565019ce..69599dc9 100644
--- a/armsrc/epa.c
+++ b/armsrc/epa.c
@@ -419,7 +419,7 @@ int EPA_Setup()
 // return code
 int return_code = 0;
 // card UID
- uint8_t uid[8];
+ uint8_t uid[10];
 // card select information
 iso14a_card_select_t card_select_info;
 // power up the field
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index 3b17bd4b..6fe83c6e 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
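Review bot: The third argument of SimulateTagLowFrequency becomes a bare `0` and nothing in the call says what was switched off; the lfops.c hunk in this same patch passes `ledcontrol` in that position from CmdHIDsimTAG, so this call presumably disables LED feedback for the host-driven simulation. A tagged literal keeps that readable without changing behaviour: `SimulateTagLowFrequency(c->arg[0], c->arg[1], 0 /* ledcontrol off */);`. The switch in UsbPacketReceived starts and ends outside the hunk.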
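Review bot: `uid[10]` replaces `uid[8]` with nothing recording why 10 is the right bound; ISO/IEC 14443-3 UIDs are 4, 7 or 10 bytes, and ReaderMifare in the iso14443a.c hunk below carries the same literal, so a shared constant or at least a comment would stop the two from drifting apart again: `uint8_t uid[10]; // room for a triple-size (10 byte) ISO 14443-3 UID`. The array stays uninitialized here, which is only safe if the routine that fills it writes every byte that is later read; that routine is not visible in the hunk. EPA_Setup continues outside the hunk.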
@@ -1717,7 +1717,13 @@ int iso14443a_select_card(byte_t* uid_ptr, iso14a_card_select_t* p_hi14a_card, u
 if ((sak & 0x04) /* && uid_resp[0] == 0x88 */) {
 // Remove first byte, 0x88 is not an UID byte, it CT, see page 3 of:
 // http://www.nxp.com/documents/application_note/AN10927.pdf
- memcpy(uid_resp, uid_resp + 1, 3);
+ // This was earlier:
+ //memcpy(uid_resp, uid_resp + 1, 3);
+ // But memcpy should not be used for overlapping arrays,
+ // and memmove appears to not be available in the arm build.
+ // So this has been replaced with a for-loop:
+ for(int xx = 0; xx < 3; xx++)
+ uid_resp[xx] = uid_resp[xx+1];
 uid_resp_len = 3;
 }
@@ -1928,7 +1934,8 @@ void ReaderMifare(bool first_try)
 uint8_t uid[10];
 uint32_t cuid;
- uint32_t nt, previous_nt;
+ uint32_t nt = 0;
+ uint32_t previous_nt = 0;
 static uint32_t nt_attacked = 0;
 byte_t par_list[8] = {0,0,0,0,0,0,0,0};
 byte_t ks_list[8] = {0,0,0,0,0,0,0,0};
diff --git a/armsrc/lfops.c b/armsrc/lfops.c
index 025314a0..c80caf77 100644
--- a/armsrc/lfops.c
+++ b/armsrc/lfops.c
@@ -17,6 +17,9 @@
 #include "crapto1.h"
 #include "mifareutil.h"
+#define SHORT_COIL() LOW(GPIO_SSC_DOUT)
+#define OPEN_COIL() HIGH(GPIO_SSC_DOUT)
+
 void LFSetupFPGAForADC(int divisor, bool lf_field)
 {
 FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
@@ -56,10 +59,9 @@ void DoAcquisition125k_internal(int trigger_threshold, bool silent)
 {
 uint8_t *dest = mifare_get_bigbufptr();
 int n = 24000;
- int i;
-
+ int i = 0;
 memset(dest, 0x00, n);
- i = 0;
+
 for(;;) {
 if (AT91C_BASE_SSC->SSC_SR & AT91C_SSC_TXRDY) {
 AT91C_BASE_SSC->SSC_THR = 0x43;
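Review bot: The replacement keeps the old `memcpy` call as commented-out code plus a five-line narrative, and the loop body is unbraced; one why-comment and braces say the same thing more durably: `// shift out the cascade tag (CT) in place; memcpy is undefined on overlapping ranges and memmove is not available in the ARM build` above `for (int xx = 0; xx < 3; xx++) { uid_resp[xx] = uid_resp[xx + 1]; }`. The context line still has the cascade-tag check `uid_resp[0] == 0x88` commented out, so the shift is keyed on the SAK bit alone; if that is deliberate the comment should say so rather than leave it looking forgotten. iso14443a_select_card begins and ends outside the hunk.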
@@ -289,17 +291,17 @@ void WriteTIbyte(uint8_t b) { if (b&(1<PIO_PER = GPIO_SSC_DOUT | GPIO_SSC_CLK; AT91C_BASE_PIOA->PIO_OER = GPIO_SSC_DOUT; + AT91C_BASE_PIOA->PIO_ODR = GPIO_SSC_CLK; - -#define SHORT_COIL() LOW(GPIO_SSC_DOUT) -#define OPEN_COIL() HIGH(GPIO_SSC_DOUT) - - i = 0; - for(;;) { + + // Give it a bit of time for the resonant antenna to settle. + SpinDelay(30); + + for(;;) { + while(!(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK)) { - if(BUTTON_PRESS()) { - DbpString("Stopped"); - return; - } - WDT_HIT(); + if(BUTTON_PRESS()) { + DbpString("Stopped at 0"); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off + return; + } + WDT_HIT(); } - if (ledcontrol) - LED_D_ON(); - - if(buff[i]) + if ( buff[i] ) OPEN_COIL(); else SHORT_COIL(); - - if (ledcontrol) - LED_D_OFF(); - - while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) { - if(BUTTON_PRESS()) { - DbpString("Stopped"); + + while(AT91C_BASE_PIOA->PIO_PDSR & GPIO_SSC_CLK) { + if(BUTTON_PRESS()) { + DbpString("Stopped at 1"); + FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); // field off return; } WDT_HIT(); - } + } - i++; + ++i; if(i == period) { i = 0; if (gap) { + // turn of modulation SHORT_COIL(); - SpinDelayUs(gap); - } + // wait + SpinDelay(gap); + } } } } @@ -609,6 +608,7 @@ void CmdHIDsimTAG(int hi, int lo, int ledcontrol) if (ledcontrol) LED_A_ON(); + SimulateTagLowFrequency(n, 0, ledcontrol); if (ledcontrol) @@ -793,8 +793,6 @@ void CmdIOdemodFSK(int findone, int *high, int *low, int ledcontrol) LFSetupFPGAForADC(0, true); while(!BUTTON_PRESS()) { - - WDT_HIT(); if (ledcontrol) LED_A_ON(); diff --git a/armsrc/util.c b/armsrc/util.c index 8ff5b68d..0558fb94 100644 --- a/armsrc/util.c +++ b/armsrc/util.c 
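Review bot: The inter-period wait changes from `SpinDelayUs(gap)` to `SpinDelay(gap)`, which by the two names (and the neighbouring `SpinDelay(30)` used for antenna settling) turns the `gap` parameter from microseconds into milliseconds, roughly a 1000× change that nothing in the hunk documents. The CmdHIDsimTAG call in this patch passes 0 and is unaffected, but the appmain.c hunk forwards `c->arg[1]` straight from the host, so a client still sending a microsecond gap now pauses far longer; either restore `SpinDelayUs(gap);` or document the new unit on the parameter, `// gap: pause between periods, in milliseconds (was microseconds)`. The removed `if (ledcontrol) LED_D_ON()/LED_D_OFF()` lines also appear to leave `ledcontrol` unused in this loop, so the parameter should be dropped at the callers or documented as reserved. This hunk is partly garbled in the capture and SimulateTagLowFrequency's head is not visible here.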
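Review bot: `WDT_HIT();` is removed from the top of the `while(!BUTTON_PRESS())` loop in CmdIOdemodFSK, and if no other watchdog refresh remains in the loop body (which continues outside the hunk) a long demodulation run will now end in a watchdog reset instead of a button stop. Either keep the refresh, `WDT_HIT();`, or leave a comment at the loop head naming where the watchdog is now serviced so the next reader does not re-add it blindly. The enclosing loop and function end outside the hunk.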
@@ -265,7 +265,7 @@ void FormatVersionInformation(char *dst, int len, const char *prefix, void *vers
 {
 struct version_information *v = (struct version_information*)version_information;
 dst[0] = 0;
- strncat(dst, prefix, len);
+ strncat(dst, prefix, len-1);
 if(v->magic != VERSION_INFORMATION_MAGIC) {
 strncat(dst, "Missing/Invalid version information", len - strlen(dst) - 1);
 return;
diff --git a/client/cmddata.c b/client/cmddata.c
index c58f6f62..b01b45ba 100644
--- a/client/cmddata.c
+++ b/client/cmddata.c
@@ -552,7 +552,7 @@ int CmdManchesterDemod(const char *Cmd)
 /* But it does not work if compiling on WIndows: therefore we just allocate a */
 /* large array */
- uint8_t BitStream[MAX_GRAPH_TRACE_LEN];
+ uint8_t BitStream[MAX_GRAPH_TRACE_LEN] = {0x00};
 /* Detect high and lows */
 for (i = 0; i < GraphTraceLen; i++)
@@ -564,8 +564,7 @@ int CmdManchesterDemod(const char *Cmd)
 }
 /* Get our clock */
- clock = GetClock(Cmd, high, 1);
-
+ clock = GetClock(Cmd, high, 1);
 int tolerance = clock/4;
 /* Detect first transition */
@@ -583,8 +582,6 @@ int CmdManchesterDemod(const char *Cmd)
 break;
 }
 }
-
- PrintAndLog("Clock: %d", clock);
 /* If we're not working with 1/0s, demod based off clock */
 if (high != 1)
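Review bot: `strncat(dst, prefix, len-1)` is only correct because `dst` was emptied on the line above: strncat's third argument bounds the characters appended, not the buffer, so the same call anywhere else in this function would overflow. The next strncat already uses the general form, and using it here too makes the intent self-evident and the two calls consistent: `strncat(dst, prefix, len - strlen(dst) - 1);`. With `len` declared `int`, `len-1` is converted to `size_t`, so a `len` of 0 becomes an unbounded append; a guard `if (len <= 0) return;` ahead of `dst[0] = 0;` closes that. FormatVersionInformation continues outside the hunk.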
@@ -723,21 +720,22 @@ int CmdManchesterDemod(const char *Cmd)
 int CmdManchesterMod(const char *Cmd)
 {
 int i, j;
- int clock;
 int bit, lastbit, wave;
-
- /* Get our clock */
- clock = GetClock(Cmd, 0, 1);
-
+ int clock = GetClock(Cmd, 0, 1);
+ int clock1 = GetT55x7Clock( GraphBuffer, GraphTraceLen, 0 );
+ PrintAndLog("MAN MOD CLOCKS: %d ice %d", clock,clock1);
+
+ int half = (int)(clock/2);
+
 wave = 0;
 lastbit = 1;
 for (i = 0; i < (int)(GraphTraceLen / clock); i++) {
 bit = GraphBuffer[i * clock] ^ 1;
- for (j = 0; j < (int)(clock/2); j++)
+ for (j = 0; j < half; ++j)
 GraphBuffer[(i * clock) + j] = bit ^ lastbit ^ wave;
- for (j = (int)(clock/2); j < clock; j++)
+ for (j = half; j < clock; ++j)
 GraphBuffer[(i * clock) + j] = bit ^ lastbit ^ wave ^ 1;
 /* Keep track of how we start our wave and if we changed or not this time */
diff --git a/client/cmdhf15.c b/client/cmdhf15.c
index bdc08521..556d3f56 100644
--- a/client/cmdhf15.c
+++ b/client/cmdhf15.c
@@ -561,8 +561,9 @@ int CmdHF15CmdRaw (const char *cmd) {
 */
 int prepareHF15Cmd(char **cmd, UsbCommand *c, uint8_t iso15cmd[], int iso15cmdlen) {
 int temp;
- uint8_t *req=c->d.asBytes, uid[8];
- uint32_t reqlen=0;
+ uint8_t *req = c->d.asBytes;
+ uint8_t uid[8] = {0x00};
+ uint32_t reqlen = 0;
 // strip
 while (**cmd==' ' || **cmd=='\t') (*cmd)++;
diff --git a/client/cmdhficlass.c b/client/cmdhficlass.c
index bd215a61..47ff2db0 100644
--- a/client/cmdhficlass.c
+++ b/client/cmdhficlass.c
@@ -501,7 +501,9 @@ int CmdHFiClassReader_Dump(const char *Cmd)
 SendCommand(&c);
 UsbCommand resp;
-
+ uint8_t key_sel[8] = {0x00};
+ uint8_t key_sel_p[8] = {0x00};
+
 if (WaitForResponseTimeout(CMD_ACK,&resp,4500)) {
 uint8_t isOK = resp.arg[0] & 0xff;
 uint8_t * data = resp.d.asBytes;
@@ -519,8 +521,7 @@ int CmdHFiClassReader_Dump(const char *Cmd)
 {
 if(elite)
 {
- uint8_t key_sel[8] = {0};
- uint8_t key_sel_p[8] = { 0 };
+
 //Get the key index (hash1)
 uint8_t key_index[8] = {0};
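Review bot: The new `clock1` and the line `PrintAndLog("MAN MOD CLOCKS: %d ice %d", clock,clock1);` read as debugging left behind: `clock1` feeds nothing but that message, and the message text is not something a user can act on. Drop both lines, or if the GetClock/GetT55x7Clock comparison is meant to stay, give it a real message and a comment saying what a mismatch means. Separately, `half` and the loop bound `GraphTraceLen / clock` divide by `clock` without checking that GetClock returned a positive value; `if (clock <= 0) return 1;` after the assignment (the `return 1;` error convention the cmdhfmf.c hunk uses) would avoid a division by zero. CmdManchesterMod continues past the hunk.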
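Review bot: `key_sel` and `key_sel_p` are hoisted from the `if(elite)` block (second cmdhficlass.c hunk, @@ -519) to the top of CmdHFiClassReader_Dump, which keeps key material live for the whole function for a reason the diff does not state. If they are only used inside the elite branch the block-scoped declarations were the better place; if they are needed after it, a one-line comment at the new declarations should say where, e.g. `// key material shared with the non-elite path below`. The stray added blank line left at the top of the elite block can go. The function body around both hunks is outside the view.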
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 0e212b2d..1d2de683 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -521,8 +521,6 @@ int CmdHF14AMfDump(const char *Cmd) int size = GetCardSize(); char cmdp = param_getchar(Cmd, 0); - - if ( size > -1) cmdp = (char)(48+size); @@ -548,7 +546,7 @@ int CmdHF14AMfDump(const char *Cmd) } if ((fin = fopen("dumpkeys.bin","rb")) == NULL) { - PrintAndLog("Could not find file dumpkeys.bin"); + PrintAndLog("Could not find file dumpkeys.bin"); return 1; } @@ -556,6 +554,7 @@ int CmdHF14AMfDump(const char *Cmd) for (sectorNo=0; sectorNo low) && (i(MAX_GRAPH_TRACE_LEN/64)) { + if (j>=(MAX_GRAPH_TRACE_LEN/64)) { break; } tmpbuff[j++]= i - start; @@ -616,7 +616,7 @@ int CmdWriteWord(const char *Cmd) return 1; } - PrintAndLog("Writting word %d with data %08X", Word, Data); + PrintAndLog("Writing word %d with data %08X", Word, Data); c.cmd = CMD_EM4X_WRITE_WORD; c.d.asBytes[0] = 0x0; //Normal mode @@ -629,7 +629,7 @@ int CmdWriteWord(const char *Cmd) int CmdWriteWordPWD(const char *Cmd) { - int Word = 8; //default to invalid word + int Word = 16; //default to invalid word int Data = 0xFFFFFFFF; //default to blank data int Password = 0xFFFFFFFF; //default to blank password UsbCommand c; @@ -641,7 +641,7 @@ int CmdWriteWordPWD(const char *Cmd) return 1; } - PrintAndLog("Writting word %d with data %08X and password %08X", Word, Data, Password); + PrintAndLog("Writing word %d with data %08X and password %08X", Word, Data, Password); c.cmd = CMD_EM4X_WRITE_WORD; c.d.asBytes[0] = 0x1; //Password mode diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 9eaa6463..513eb0ef 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c 
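Review bot: `int Word = 16; //default to invalid word` moves the sentinel from 8 to 16 without the comment saying what range is valid, which is exactly what a reader needs to see why 8 was not invalid; the range check that rejects the default is outside the hunk. Spell it out at the declaration: `int Word = 16; // default to an invalid word index; valid words are presumably 0..15 — confirm against the range check below`. CmdWriteWordPWD continues beyond the hunk, and the earlier cmdlfem4x.c and cmdhfmf.c hunks on this line are too garbled in the capture to review.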
@@ -482,8 +482,8 @@ static command_t CommandTable[] =
 {"rdpwd", CmdReadBlkPWD, 0, " -- Read T55xx block data with password mode"},
 {"wr", CmdWriteBlk, 0, " -- Write T55xx block data (page 0)"},
 {"wrpwd", CmdWriteBlkPWD, 0, " -- Write T55xx block data with password"},
- {"trace", CmdReadTrace, 0, "[1] Read T55xx traceability data (page 1 / blk 0-1) "},
- {"info", CmdInfo, 0, "[1] Read T55xx configuration data (page0 /blk 0)"},
+ {"trace", CmdReadTrace, 0, "[1] Read T55xx traceability data (page 1/ blk 0-1)"},
+ {"info", CmdInfo, 0, "[1] Read T55xx configuration data (page 0/ blk 0)"},
 {"dump", CmdDump, 0, "[password] Dump T55xx card block 0-7. optional with password"},
 {"fsk", CmdIceFsk, 0, "FSK demod"},
 {"man", CmdIceManchester, 0, "Manchester demod (with SST)"},
diff --git a/client/cmdmain.c b/client/cmdmain.c
index b35ba63c..d84d96ef 100644
--- a/client/cmdmain.c
+++ b/client/cmdmain.c
@@ -137,9 +137,11 @@ int getCommand(UsbCommand* response)
 * @return true if command was returned, otherwise false
 */
 bool WaitForResponseTimeout(uint32_t cmd, UsbCommand* response, size_t ms_timeout) {
-
+
+ UsbCommand resp;
+
 if (response == NULL) {
- UsbCommand resp;
+ response = &resp;
 }
diff --git a/client/graph.c b/client/graph.c
index 98dc8043..4e8cb89c 100644
--- a/client/graph.c
+++ b/client/graph.c
@@ -21,11 +21,13 @@ int GraphTraceLen;
 void AppendGraph(int redraw, int clock, int bit)
 {
 int i;
-
- for (i = 0; i < (int)(clock / 2); ++i)
- GraphBuffer[GraphTraceLen++] = bit ^ 1;
+ int half = (int)(clock/2);
+ int firstbit = bit ^ 1;
+
+ for (i = 0; i < half; ++i)
+ GraphBuffer[GraphTraceLen++] = firstbit;
- for (i = (int)(clock / 2); i < clock; ++i)
+ for (i = 0; i <= half; ++i)
 GraphBuffer[GraphTraceLen++] = bit;
 if (redraw)
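Review bot: Hoisting `UsbCommand resp;` to function scope is what makes `response = &resp;` safe (the old block-scoped `resp` left `response` dangling as soon as the `if` closed), but nothing in the code says so and the next tidy-up may move it back; pin it with a comment at the declaration: `UsbCommand resp; // scratch buffer used when the caller passes NULL; must outlive the wait loop below`. The struct is also left uninitialized, which is only harmless if every read of `*response` after this point follows a successful receive; `UsbCommand resp = {0};` makes it harmless regardless. WaitForResponseTimeout's loop is outside the hunk.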
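Review bot: The second loop, `for (i = 0; i <= half; ++i)`, emits `half + 1` samples of `bit`, so together with the first loop's `half` samples a bit now spans `2*half + 1` positions, one too many whenever `clock` is even (32, 64, …); the old bound `i < clock` emitted exactly `clock - half`. Use `for (i = half; i < clock; ++i)` or `for (i = 0; i < clock - half; ++i)` so each bit still occupies `clock` samples. Both loops also write `GraphBuffer[GraphTraceLen++]` with no check against the capacity the cmddata.c hunk sizes its BitStream by (`MAX_GRAPH_TRACE_LEN`); that is pre-existing, but this is the natural place for the guard.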
@@ -72,8 +74,23 @@ int DetectClock(int peak)
 lastpeak = i;
 }
 }
-
- return clock;
+
+ int clockmod = clock%8;
+ if ( clockmod == 0)
+ return clock;
+
+ // When detected clock is 31 or 33 then return 32
+
+ printf("Found clock at %d ", clock);
+ switch( clockmod )
+ {
+ case 7: clock++; break;
+ case 6: clock += 2 ; break;
+ case 1: clock--; break;
+ case 2: clock -= 2; break;
+ }
+ printf("- adjusted it to %d \n", clock);
+ return clock;
 }
 /* Get or auto-detect clock rate */
diff --git a/client/loclass/ikeys.c b/client/loclass/ikeys.c
index b0528b5c..a55227ef 100644
--- a/client/loclass/ikeys.c
+++ b/client/loclass/ikeys.c
@@ -737,16 +737,14 @@ int doTestsWithKnownInputs()
 int readKeyFile(uint8_t key[8])
 {
- FILE *f;
-
+ int retval = 1;
 f = fopen("iclass_key.bin", "rb");
 if (f)
 {
 if(fread(key, sizeof(key), 1, f) == 1)
 return 0;
 }
- return 1;
-
+ return retval;
 }
diff --git a/client/mifarehost.c b/client/mifarehost.c
index fe8b8b26..ed62bcee 100644
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@@ -296,7 +296,7 @@ static uint8_t trailerAccessBytes[4] = {0x08, 0x77, 0x8F, 0x00};
 // variables
 char logHexFileName[200] = {0x00};
 static uint8_t traceCard[4096] = {0x00};
-static char traceFileName[20];
+static char traceFileName[200] = {0x00};
 static int traceState = TRACE_IDLE;
 static uint8_t traceCurBlock = 0;
 static uint8_t traceCurKey = 0;
@@ -449,7 +449,7 @@ int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEm
 }
 // AUTHENTICATION
- if ((len ==4) && ((data[0] == 0x60) || (data[0] == 0x61))) {
+ if ((len == 4) && ((data[0] == 0x60) || (data[0] == 0x61))) {
 traceState = TRACE_AUTH1;
 traceCurBlock = data[1];
 traceCurKey = data[0] == 60 ? 1:0;
@@ -497,7 +497,7 @@ int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEm
 break;
 case TRACE_WRITE_OK:
- if ((len == 1) && (data[0] = 0x0a)) {
+ if ((len == 1) && (data[0] == 0x0a)) {
 traceState = TRACE_WRITE_DATA;
 return 0;
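Review bot: The new `switch( clockmod )` has no `default:`, and for residues 3, 4 and 5 it prints "Found clock at N - adjusted it to N" without changing anything; the comment above it only mentions 31 and 33 although cases 6 and 2 move the clock by two. Add `default: break;`, print only when a case actually adjusted the value, and make the comment match what the code does: `// snap a clock within ±2 of a multiple of 8 to that multiple (e.g. 30..34 -> 32)`. The output also goes through `printf` while the rest of the client in this patch (cmddata.c, cmdlfem4x.c) reports through PrintAndLog, so it bypasses whatever that wrapper does with output. DetectClock's head is outside the hunk.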
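Review bot: The hunk removes the `FILE *f;` declaration but keeps `f = fopen(...)`, so `f` is now undeclared unless a file-scope `f` exists, and either way the stream is never closed: every call leaks one FILE, which is the kind of leak this commit sets out to fix. `sizeof(key)` is also the size of the pointer the array parameter decays to, not 8, so the read is short on every platform. The rewrite below declares the stream locally, reads the 8 key bytes explicitly and closes on every path; readKeyFile is complete within the hunk.
```c
int readKeyFile(uint8_t key[8])
{
	int retval = 1;
	FILE *f = fopen("iclass_key.bin", "rb");
	if (f)
	{
		/* key decays to uint8_t *, so sizeof(key) is the pointer size, not 8 */
		if (fread(key, 8, 1, f) == 1)
			retval = 0;
		fclose(f);
	}
	return retval;
}
```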
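Review bot: The context line `traceCurKey = data[0] == 60 ? 1:0;` two lines below the reformatted condition compares against decimal 60 (0x3C), while the condition it sits under has just been written to accept only `0x60` or `0x61`, so `traceCurKey` can never become 1 and the key A / key B distinction is lost downstream. Presumably intended: `traceCurKey = data[0] == 0x61 ? 1 : 0;` (or `== 0x60`, depending on which key index 1 stands for — confirm against the consumer of traceCurKey). mfTraceDecode continues outside the hunk.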
@@ -555,23 +555,14 @@ int mfTraceDecode(uint8_t *data_src, int len, uint32_t parity, bool wantSaveToEm
 at_par = parity;
 // decode key here)
- if (!traceCrypto1) {
- ks2 = ar_enc ^ prng_successor(nt, 64);
- ks3 = at_enc ^ prng_successor(nt, 96);
- revstate = lfsr_recovery64(ks2, ks3);
- lfsr_rollback_word(revstate, 0, 0);
- lfsr_rollback_word(revstate, 0, 0);
- lfsr_rollback_word(revstate, nr_enc, 1);
- lfsr_rollback_word(revstate, uid ^ nt, 0);
- }else{
- ks2 = ar_enc ^ prng_successor(nt, 64);
- ks3 = at_enc ^ prng_successor(nt, 96);
- revstate = lfsr_recovery64(ks2, ks3);
- lfsr_rollback_word(revstate, 0, 0);
- lfsr_rollback_word(revstate, 0, 0);
- lfsr_rollback_word(revstate, nr_enc, 1);
- lfsr_rollback_word(revstate, uid ^ nt, 0);
- }
+ ks2 = ar_enc ^ prng_successor(nt, 64);
+ ks3 = at_enc ^ prng_successor(nt, 96);
+ revstate = lfsr_recovery64(ks2, ks3);
+ lfsr_rollback_word(revstate, 0, 0);
+ lfsr_rollback_word(revstate, 0, 0);
+ lfsr_rollback_word(revstate, nr_enc, 1);
+ lfsr_rollback_word(revstate, uid ^ nt, 0);
+
 crypto1_get_lfsr(revstate, &lfsr);
 printf("key> %x%x\n", (unsigned int)((lfsr & 0xFFFFFFFF00000000) >> 32), (unsigned int)(lfsr & 0xFFFFFFFF));
 AddLogUint64(logHexFileName, "key> ", lfsr);
diff --git a/client/nonce2key/crapto1.c b/client/nonce2key/crapto1.c
index 90f55ab4..c2dd7a54 100644
--- a/client/nonce2key/crapto1.c
+++ b/client/nonce2key/crapto1.c
@@ -544,7 +544,12 @@ lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8],
 statelist = malloc((sizeof *statelist) << 21); //how large should be?
 if(!statelist || !odd || !even)
- return 0;
+ {
+ free(statelist);
+ free(odd);
+ free(even);
+ return 0;
+ }
 s = statelist;
 for(o = odd; *o != -1; ++o)
diff --git a/client/ui.c b/client/ui.c
index 816bff44..5111e295 100644
--- a/client/ui.c
+++ b/client/ui.c
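Review bot: The merged recovery sequence hands its result to the context line `printf("key> %x%x\n", …)`, and `%x` does not zero-pad, so a low word such as 0x00000001 prints as `1` and the displayed key silently loses digits; `printf("key> %x%08x\n", …)` keeps the two halves distinguishable and matches the 12-hex-digit key. `revstate` comes from `lfsr_recovery64`, and the crapto1.c hunk just below shows that library handing back malloc'd state lists; if `lfsr_recovery64` does the same, this path needs a `free(revstate);` after `crypto1_get_lfsr`, otherwise it leaks once per recovered key — confirm against crapto1.c. Both branches of the removed `if (!traceCrypto1)` were identical, so the merge itself preserves behaviour. mfTraceDecode continues outside the hunk.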
@@ -152,30 +152,13 @@ int manchester_decode( int * data, const size_t len, uint8_t * dataout, size_t
 lastpeak = i;
 }
 }
- //return clock;
- //defaults clock to precise values.
- switch(clock){
- case 8:
- case 16:
- case 32:
- case 40:
- case 50:
- case 64:
- case 100:
- case 128:
- return clock;
- break;
- default: break;
- }
-
- //PrintAndLog(" Found Clock : %d - trying to adjust", clock);
 // When detected clock is 31 or 33 then then return
 int clockmod = clock%8;
- if ( clockmod == 7 )
- clock += 1;
- else if ( clockmod == 1 )
- clock -= 1;
+ if ( clockmod == 0) return clock;
+
+ if ( clockmod == 7 ) clock += 1;
+ else if ( clockmod == 1 ) clock -= 1;
 return clock;
 }
--
2.39.5
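Review bot: This clock snapping now diverges from the copy in graph.c's DetectClock, which the same patch extends to adjust residues 6 and 2 as well, while this one only handles 7 and 1; the two detectors will return different clocks for the same trace (30 here versus 32 there). Keep one implementation and call it from both places, or at least add a comment here saying why this copy deliberately snaps only ±1. The comment `// When detected clock is 31 or 33 then then return` also has a doubled word and no longer states the outcome; `// snap 31/33 to 32; other residues are returned unchanged` reads better. The function containing this return starts outside the hunk.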