From 70441e77981258adf8b45a660cf5ea71729381aa Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 21 Apr 2016 12:33:21 +0200 Subject: [PATCH 01/16] updated the texts. --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 4416727d..7d696143 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,11 @@ Among the stuff is --- Straight from the CHANGELOG --- + - 'hf mf chk' speedup + - 'hf 14a/mf sim x" attack mode, now uses also moebius version of mfkey32 to try finding the key. + - 'hf 14a sim' Added emulation of Mifare cards with 10byte UID length. + - 'hf mf sim' Added emulation of Mifare cards with 10byte UID length. + - Added bitsliced bruteforce solver in 'hf mf hardnested' (azcid) - Added `lf guard clone/sim` (iceman) - Added `lf pyramd clone/sim` (iceman) - trying to fix "hf 14b" command to be able to read CALYPSO card. (iceman) -- 2.39.5 From 4641b284045e62e4269303144455b8c7b82588e4 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 21 Apr 2016 12:56:39 +0200 Subject: [PATCH 02/16] CHG: Travis CI should be using Trusty beta environment, based on Ubuntu14.04 --- .travis.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ad86e840..a259697e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,10 @@ # Travis-CI Build for Iceman Fork / Proxmark3 language: c +# Using trusty beta build environment, based on Ubuntu 14.04 +sudo: required +dist: trusty + #install: compiler: gcc @@ -13,5 +17,4 @@ before_script: - git fetch --all #make command -#script: "make all UBUNTU_1404_QT4=1" script: "make all" \ No newline at end of file -- 2.39.5 From 92243fcbee628ef56e585aeb4187b6245e3bcfd0 Mon Sep 17 00:00:00 2001 
From: iceman1001 Date: Thu, 21 Apr 2016 13:52:19 +0200 Subject: [PATCH 03/16] Textual changes, updated the homebrew download link. Now points to latest release. --- CHANGELOG.md | 8 ++++---- README.md | 8 ++++---- README.txt | 33 ++++++++++++++++----------------- proxmark3.rb | 4 ++-- 4 files changed, 26 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d322acf3..8deb0ad2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,10 @@ All notable changes to this project will be documented in this file. This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log... ## [unreleased][unreleased] - - 'hf mf chk' speedup - - 'hf 14a/mf sim x" attack mode, now uses also moebius version of mfkey32 to try finding the key. - - 'hf 14a sim' Added emulation of Mifare cards with 10byte UID length. - - 'hf mf sim' Added emulation of Mifare cards with 10byte UID length. + - 'hf mf chk' speedup (iceman) + - 'hf 14a/mf sim x" attack mode, now uses also moebius version of mfkey32 to try finding the key. (iceman) + - 'hf 14a sim' Added emulation of Mifare cards with 10byte UID length. (iceman) + - 'hf mf sim' Added emulation of Mifare cards with 10byte UID length. (iceman) - Added bitsliced bruteforce solver in 'hf mf hardnested' (azcid) - Added `lf guard clone/sim` (iceman) - Added `lf pyramd clone/sim` (iceman) diff --git a/README.md b/README.md index 7d696143..6e000860 100644 --- a/README.md +++ b/README.md 
@@ -67,10 +67,10 @@ Among the stuff is --- Straight from the CHANGELOG --- - - 'hf mf chk' speedup - - 'hf 14a/mf sim x" attack mode, now uses also moebius version of mfkey32 to try finding the key. - - 'hf 14a sim' Added emulation of Mifare cards with 10byte UID length. - - 'hf mf sim' Added emulation of Mifare cards with 10byte UID length. + - 'hf mf chk' speedup (iceman) + - 'hf 14a/mf sim x" attack mode, now uses also moebius version of mfkey32 to try finding the key. (iceman) + - 'hf 14a sim' Added emulation of Mifare cards with 10byte UID length. (iceman) + - 'hf mf sim' Added emulation of Mifare cards with 10byte UID length. (iceman) - Added bitsliced bruteforce solver in 'hf mf hardnested' (azcid) - Added `lf guard clone/sim` (iceman) - Added `lf pyramd clone/sim` (iceman) diff --git a/README.txt b/README.txt index 74566c0c..13f2556a 100644 --- a/README.txt +++ b/README.txt 
@@ -55,29 +55,28 @@ I do tend to rename and move stuff around, the official PM3-GUI from Gaucho will DEVELOPMENT: -This fork is adjusted to compile on windows/mingw environment with Qt5.3.1 & GCC 4.8 +This fork is adjusted to compile on windows/mingw environment with Qt5.3.1 & GCC 4.9 For people with linux you will need to patch some source code and some small change to one makefile. If you are lazy, you google the forum and find asper's or holimans makefile or you find your solution below. GC made updates to allow this to build easily on Ubuntu 14.04.2 LTS. - See https://github.com/Proxmark/proxmark3/wiki/Ubuntu%20Linux - Generally speaking, if you're running a "later" Proxmark, installation is very easy. - - Run "sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget"a + - Run "sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget - Follow these instructions -Get devkitARM release 41 from SourceForge (choose either the 64/32 ¿bit depending on your architecture, it is assumed you know how to check and recognize your architecture): - -(64-bit) http://sourceforge.net/projects/devkitpro/files/devkitARM/previous/devkitARM_r41-x86_64-linux.tar.bz2/download -(32-bit) http://sourceforge.net/projects/devkitpro/files/devkitARM/previous/devkitARM_r41-i686-linux.tar.bz2/download -Extract the contents of the .tar.bz2: - tar jxvf devkitARM_r41--linux.tar.bz2 -Create a directory for the arm dev kit: - sudo mkdir -p /opt/devkitpro/ -Move the ARM developer kit to the newly created directory: - sudo mv devkitARM /opt/devkitpro/ -Add the appropriate environment variable: - export PATH=${PATH}:/opt/devkitpro/devkitARM/bin/ -Add the environment variable to your profile: - echo 'PATH=${PATH}:/opt/devkitpro/devkitARM/bin/ ' >> ~/.bashrc - - Use the magic build command "make UBUNTU_1404_QT4=1" + Get devkitARM release 41 from 
SourceForge (choose either the 64/32 bit depending on your architecture, it is assumed you know how to check and recognize your architecture): + (64-bit) http://sourceforge.net/projects/devkitpro/files/devkitARM/previous/devkitARM_r41-x86_64-linux.tar.bz2/download + (32-bit) http://sourceforge.net/projects/devkitpro/files/devkitARM/previous/devkitARM_r41-i686-linux.tar.bz2/download + Extract the contents of the .tar.bz2: + tar jxvf devkitARM_r41--linux.tar.bz2 + Create a directory for the arm dev kit: + sudo mkdir -p /opt/devkitpro/ + Move the ARM developer kit to the newly created directory: + sudo mv devkitARM /opt/devkitpro/ + Add the appropriate environment variable: + export PATH=${PATH}:/opt/devkitpro/devkitARM/bin/ + Add the environment variable to your profile: + echo 'PATH=${PATH}:/opt/devkitpro/devkitARM/bin/ ' >> ~/.bashrc + - make all Common errors linux/macOS finds diff --git a/proxmark3.rb b/proxmark3.rb index b28014d6..90294953 100644 --- a/proxmark3.rb +++ b/proxmark3.rb @@ -1,8 +1,8 @@ class Proxmark3 < Formula desc "Proxmark3 client, flasher, HID flasher and firmware bundle" homepage "http://www.proxmark.org" - url "https://github.com/iceman1001/proxmark3/archive/v1.5.0.tar.gz" - sha256 "e1f9e3648978580bb8f7ee4e671ec41f5a4982bf07bd5525352af7a826073305" + url "https://github.com/iceman1001/proxmark3/archive/v1.6.0.tar.gz" + sha256 "254f6596cdeb42158abf4b7d5c19bdc7d97f7d41a83a34697fe9d380cc34b4fa" head "https://github.com/iceman1001/proxmark3.git" depends_on "automake" => :build -- 2.39.5 From 77dee16f6464eac50c72c6f28c4bcd10402cdba3 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Thu, 21 Apr 2016 14:34:58 +0200 Subject: [PATCH 04/16] FIX: fixed some compiler warnings about strlen call and sscanf. CHG: trying some optimised gcc settings in Makefile --- tools/mfkey/Makefile | 2 +- tools/mfkey/mfkey64.c | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/tools/mfkey/Makefile b/tools/mfkey/Makefile index e1bb4d07..8fb7aa30 100755 --- a/tools/mfkey/Makefile +++ b/tools/mfkey/Makefile @@ -1,6 +1,6 @@ CC = gcc LD = gcc -CFLAGS = -std=c99 -Wall -Winline -O3 +CFLAGS = -std=c99 -march=native -Wall -Winline -O3 LDFLAGS = OBJS = crapto1.o crypto1.o diff --git a/tools/mfkey/mfkey64.c b/tools/mfkey/mfkey64.c index b09eeaeb..616c6f3d 100755 --- a/tools/mfkey/mfkey64.c +++ b/tools/mfkey/mfkey64.c @@ -1,8 +1,9 @@ #define __STDC_FORMAT_MACROS -#include -#include "crapto1.h" #include +#include #include +#include +#include "crapto1.h" #define llx PRIx64 #define lli PRIi64 @@ -38,7 +39,7 @@ int main (int argc, char *argv[]) { for (int i = 0; i < encc; i++) { enclen[i] = strlen(argv[i + 6]) / 2; for (int i2 = 0; i2 < enclen[i]; i2++) { - sscanf(argv[i+6] + i2*2,"%2x", (uint8_t*)&enc[i][i2]); + sscanf(argv[i+6] + i2*2, "%2x", (unsigned int *)&enc[i][i2]); } } @@ -97,7 +98,7 @@ int main (int argc, char *argv[]) { lfsr_rollback_word(revstate, nr_enc, 1); lfsr_rollback_word(revstate, uid ^ nt, 0); crypto1_get_lfsr(revstate, &key); - printf("\nFound Key: [%012"llx"]\n\n",key); + printf("\nFound Key: [%012"llx"]\n\n", key); crypto1_destroy(revstate); t1 = clock() - t1; -- 2.39.5 From d948e0d14056999e1eba248058a46af0cd3356cb Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 11:32:37 +0200 Subject: [PATCH 05/16] CHG: 'hf mf chk' now correctly tests to read key B, when we specify target keytype B or ?. CHG: 'hf mf chk' now correctly init all sector keys to 0xFFFFFFFFFFFF, so it looks unified. --- client/cmdhfmf.c | 70 ++++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 32 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index ec5d4487..1c866dc9 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c 
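Review bot: `-march=native` in the new CFLAGS line ties the mfkey binaries to the instruction set of the build host, so a binary built on one machine and copied to another may abort with an illegal-instruction fault; that is fine for a developer's own build but not for anything packaged or shared. Making it overridable keeps the speedup for local builds, e.g. `ARCH_FLAGS ?= -march=native` on its own line and `CFLAGS = -std=c99 $(ARCH_FLAGS) -Wall -Winline -O3`, with a one-line comment saying packagers should set `ARCH_FLAGS=` to an empty value.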
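Review bot: The `(unsigned int *)` cast on the new `sscanf` line silences the warning but makes the call memory-unsafe: `%2x` stores a full `unsigned int` through the pointer, so if `enc[i][i2]` is a one-byte element, as the old `(uint8_t*)` cast suggests, each call overwrites the three following bytes and the last element of a row writes past its end. Scan into a temporary instead, `unsigned int byte = 0; if (sscanf(argv[i+6] + i2*2, "%2x", &byte) != 1) return 1; enc[i][i2] = (uint8_t)byte;`, or use `"%2hhx"` with an `unsigned char *`. Note also that `enclen[i]` comes from `strlen(argv[i + 6]) / 2` with no check against the capacity of `enc[i]`, so an over-long argument overruns the buffer regardless of the cast. main's body continues outside the hunk.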
@@ -1168,6 +1168,15 @@ int CmdHF14AMfChk(const char *Cmd) { return 1; } + // empty e_sector + for(int i = 0; i < SectorsCnt; ++i){ + e_sector[i].Key[0] = 0xffffffffffff; + e_sector[i].Key[1] = 0xffffffffffff; + e_sector[i].foundKey[0] = FALSE; + e_sector[i].foundKey[1] = FALSE; + } + + uint8_t trgKeyType = 0; uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt; @@ -1182,22 +1191,16 @@ int CmdHF14AMfChk(const char *Cmd) { // skip already found keys. if (e_sector[i].foundKey[trgKeyType]) continue; - - + for (uint32_t c = 0; c < keycnt; c += max_keys) { uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c; res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64); if (!res) { - //PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64); - e_sector[i].Key[trgKeyType] = key64; e_sector[i].foundKey[trgKeyType] = TRUE; break; - } else { - e_sector[i].Key[trgKeyType] = 0xffffffffffff; - e_sector[i].foundKey[trgKeyType] = FALSE; } printf("."); fflush(stdout); 
@@ -1210,32 +1213,35 @@ int CmdHF14AMfChk(const char *Cmd) { printf("\nTime in checkkeys: %.0f ticks\n", (float)t1); // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? - PrintAndLog("testing to read B..."); - for (i = 0; i < SectorsCnt; i++) { - // KEY A but not KEY B - if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { - - uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); - - PrintAndLog("Reading block %d", sectrail); - - UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; - num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A - clearCommandBuffer(); - SendCommand(&c); - - UsbCommand resp; - if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue; + if ( keyType != 1 ) { + + PrintAndLog("testing to read key B..."); + for (i = 0; i < SectorsCnt; i++) { + // KEY A but not KEY B + if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { + + uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); - uint8_t isOK = resp.arg[0] & 0xff; - if (!isOK) continue; - - uint8_t *data = resp.d.asBytes; - key64 = bytes_to_num(data+10, 6); - if (key64) { - PrintAndLog("Data:%s", sprint_hex(data+10, 6)); - e_sector[i].foundKey[1] = 1; - e_sector[i].Key[1] = key64; + PrintAndLog("Reading block %d", sectrail); + + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; + num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A + clearCommandBuffer(); + SendCommand(&c); + + UsbCommand resp; + if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue; + + uint8_t isOK = resp.arg[0] & 0xff; + if (!isOK) continue; + + uint8_t *data = resp.d.asBytes; + key64 = bytes_to_num(data+10, 6); + if (key64) { + PrintAndLog("Data:%s", sprint_hex(data+10, 6)); + e_sector[i].foundKey[1] = 1; + e_sector[i].Key[1] = key64; + } } } } -- 2.39.5 From 5dc8b8fe276b9524a7099d6af0f85efbf59c713f Mon Sep 17 00:00:00 2001 
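Review bot: The `if (key64)` test after `bytes_to_num(data+10, 6)` treats an all-zero key B as "not readable" and leaves `foundKey[1]` false, so a sector whose key B really is 000000000000 is reported as unknown; the trailer is read with key A, and presumably the zero test is meant to catch the case where the access conditions do not allow key B to be read that way. That assumption should be stated next to the test, `// key B reads back as zeros when the access bits deny reading it with key A; a genuine all-zero key B cannot be told apart here`, since nothing in the code says so. The same read-the-trailer-with-key-A sequence exists in the nested command (the "trying to read key B..." path visible in PATCH 07/16), which makes it a candidate for one static helper taking the sector index and key A rather than two copies that must be kept in step. The inner condition relies on `foundKey[0]`, which is only set when key A was among the searched types, so the new `keyType != 1` guard depends on a keyType encoding assigned outside the hunk; CmdHF14AMfChk continues outside the hunk.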
From: iceman1001 Date: Sat, 23 Apr 2016 11:43:02 +0200 Subject: [PATCH 06/16] CHG: unified some text messaged. --- client/cmdhfmf.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 1c866dc9..9c32321f 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -120,9 +120,9 @@ start: switch (isOK) { case -1 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break; - case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break; - case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown"); + case -2 : PrintAndLog("Card isn't vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break; + case -3 : PrintAndLog("Card isn't vulnerable to Darkside attack (its random number generator is not predictable).\n"); break; + case -4 : PrintAndLog("Card isn't vulnerable to Darkside attack (its random number generator seems to be based on the wellknown"); PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break; default: ; } @@ -703,7 +703,7 @@ int CmdHF14AMfNested(const char *Cmd) { switch (isOK) { case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break; case -4 : PrintAndLog("No valid key found"); break; case -5 : key64 = bytes_to_num(keyBlock, 6); 
@@ -776,7 +776,7 @@ int CmdHF14AMfNested(const char *Cmd) { switch (isOK) { case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break; case -4 : //key not found calibrate = false; iterations++; -- 2.39.5 From fa0e0b109fd576eb6f720168058e67463b1aa321 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 12:18:34 +0200 Subject: [PATCH 07/16] CHG: moved out some usage_methods for help texts. CHG: added some time in the darkside, nested, hardnested, chk commands. --- client/cmdhfmf.c | 158 +++++++++++++++++++++++++++-------------------- 1 file changed, 90 insertions(+), 68 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 9c32321f..af96543d 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -18,7 +18,7 @@ int usage_hf14_mifare(void){ PrintAndLog("options:"); PrintAndLog(" h this help"); PrintAndLog(" (Optional) target other key A than block 0."); - PrintAndLog("sample:"); + PrintAndLog("samples:"); PrintAndLog(" hf mf mifare"); PrintAndLog(" hf mf mifare 16"); return 0; 
@@ -26,11 +26,11 @@ int usage_hf14_mifare(void){ int usage_hf14_mf1ksim(void){ PrintAndLog("Usage: hf mf sim [h] u n i x"); PrintAndLog("options:"); - PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used"); - PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); - PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); - PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); + PrintAndLog(" h this help"); + PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used"); + PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); + PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); + PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); PrintAndLog("samples:"); PrintAndLog(" hf mf sim u 0a0a0a0a"); PrintAndLog(" hf mf sim u 11223344556677"); 
@@ -56,15 +56,70 @@ int usage_hf14_sniff(void){ PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file."); PrintAndLog("Usage: hf mf sniff [h] [l] [d] [f]"); PrintAndLog("options:"); - PrintAndLog(" h this help"); - PrintAndLog(" l save encrypted sequence to logfile `uid.log`"); - PrintAndLog(" d decrypt sequence and put it to log file `uid.log`"); -// PrintAndLog(" n/a e decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory"); - PrintAndLog(" f decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`"); + PrintAndLog(" h this help"); + PrintAndLog(" l save encrypted sequence to logfile `uid.log`"); + PrintAndLog(" d decrypt sequence and put it to log file `uid.log`"); +// PrintAndLog(" n/a e decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory"); + PrintAndLog(" f decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`"); PrintAndLog("sample:"); PrintAndLog(" hf mf sniff l d f"); return 0; } +int usage_hf14_nested(void){ + PrintAndLog("Usage:"); + PrintAndLog(" all sectors: hf mf nested [t,d]"); + PrintAndLog(" one sector: hf mf nested o "); + PrintAndLog(" [t]"); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog(" t transfer keys into emulator memory"); + PrintAndLog(" d write keys to binary file"); + PrintAndLog(" "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); + PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); + return 0; +} +int usage_hf14_hardnested(void){ + PrintAndLog("Usage:"); + PrintAndLog(" hf mf hardnested "); + PrintAndLog(" [known target 
key (12 hex symbols)] [w] [s]"); + PrintAndLog(" or hf mf hardnested r [known target key]"); + PrintAndLog(" "); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" w acquire nonces and write them to binary file nonces.bin"); + PrintAndLog(" s slower acquisition (required by some non standard cards)"); + PrintAndLog(" r read nonces.bin and start attack"); + PrintAndLog(" "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A w"); + PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s"); + PrintAndLog(" hf mf hardnested r"); + PrintAndLog(" "); + PrintAndLog("Add the known target key to check if it is present in the remaining key space:"); + PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF"); + return 0; +} +int usage_hf14_chk(void){ + PrintAndLog("Usage: hf mf chk |<*card memory> [t|d] [] []"); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" * all sectors"); + PrintAndLog(" card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog(" d write keys to binary file"); + PrintAndLog(" t write keys to emulator memory\n"); + PrintAndLog(" "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf chk 0 A 1234567890ab keys.dic"); + PrintAndLog(" hf mf chk *1 ? t"); + PrintAndLog(" hf mf chk *1 ? d"); + return 0; +} int CmdHF14AMifare(const char *Cmd) { uint32_t uid = 0; @@ -86,6 +141,8 @@ int CmdHF14AMifare(const char *Cmd) { printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n"); printf("-------------------------------------------------------------------------\n"); clock_t t1 = clock(); + time_t start, end; + time(&start); start: clearCommandBuffer(); 
@@ -154,8 +211,10 @@ start: } END: t1 = clock() - t1; + time(&end); + unsigned long elapsed_time = difftime(end, start); if ( t1 > 0 ) - PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1); + PrintAndLog("Time in darkside: %.0f ticks %u seconds\n", (float)t1, elapsed_time); return 0; } @@ -632,30 +691,14 @@ int CmdHF14AMfNested(const char *Cmd) { FILE *fkeys; uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; - - char cmdp, ctmp; - if (strlen(Cmd)<3) { - PrintAndLog("Usage:"); - PrintAndLog(" all sectors: hf mf nested [t,d]"); - PrintAndLog(" one sector: hf mf nested o "); - PrintAndLog(" [t]"); - PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); - PrintAndLog("t - transfer keys into emulator memory"); - PrintAndLog("d - write keys to binary file"); - PrintAndLog(" "); - PrintAndLog(" samples:"); - PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); - PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); - PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); - PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); - return 0; - } + if (strlen(Cmd)<3) return usage_hf14_nested(); + char cmdp, ctmp; cmdp = param_getchar(Cmd, 0); blockNo = param_get8(Cmd, 1); ctmp = param_getchar(Cmd, 2); - + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { PrintAndLog("Key type must be A or B"); return 1; @@ -731,7 +774,10 @@ int CmdHF14AMfNested(const char *Cmd) { } else { // ------------------------------------ multiple sectors working clock_t t1 = clock(); - + unsigned long elapsed_time; + time_t start, end; + time(&start); + e_sector = calloc(SectorsCnt, sizeof(sector)); if (e_sector == NULL) return 1; 
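Review bot: `elapsed_time` is declared `unsigned long` but printed with `%u` in the new `PrintAndLog` call; where `long` is 64 bits (Linux and macOS on x86-64) the conversion and the argument disagree, which is undefined behaviour and in practice prints garbage or misaligns the remaining arguments, and it may be the symptom that the MinGW workaround in PATCH 09/16 below is chasing. Use `%lu`, or make the variable `unsigned elapsed_time = (unsigned)difftime(end, start);` and keep `%u`. The same mismatch appears in both timing hunks of CmdHF14AMfNested in this patch (the "Time to check 6 known keys" and "Time in nested" prints) and in the "Time in checkkeys" hunk of PATCH 08/16. CmdHF14AMifare starts outside the hunk.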
@@ -757,9 +803,11 @@ int CmdHF14AMfNested(const char *Cmd) { } } clock_t t2 = clock() - t1; + time(&end); + elapsed_time = difftime(end, start); if ( t2 > 0 ) - PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 ); - + PrintAndLog("Time to check 6 known keys: %.0f ticks %u seconds\n", (float)t2 , elapsed_time); + PrintAndLog("enter nested..."); // nested sectors @@ -797,8 +845,11 @@ int CmdHF14AMfNested(const char *Cmd) { } t1 = clock() - t1; + time(&end); + elapsed_time = difftime(end, start); if ( t1 > 0 ) - PrintAndLog("Time in nested: %.0f ticks \n", (float)t1); + PrintAndLog("Time in nested: %.0f ticks %u seconds\n", (float)t1, elapsed_time); + // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? PrintAndLog("trying to read key B..."); 
@@ -891,27 +942,8 @@ int CmdHF14AMfNestedHard(const char *Cmd) { char ctmp; ctmp = param_getchar(Cmd, 0); - - if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) { - PrintAndLog("Usage:"); - PrintAndLog(" hf mf hardnested "); - PrintAndLog(" [known target key (12 hex symbols)] [w] [s]"); - PrintAndLog(" or hf mf hardnested r [known target key]"); - PrintAndLog(" "); - PrintAndLog("Options: "); - PrintAndLog(" w: Acquire nonces and write them to binary file nonces.bin"); - PrintAndLog(" s: Slower acquisition (required by some non standard cards)"); - PrintAndLog(" r: Read nonces.bin and start attack"); - PrintAndLog(" "); - PrintAndLog(" sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A"); - PrintAndLog(" sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w"); - PrintAndLog(" sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s"); - PrintAndLog(" sample4: hf mf hardnested r"); - PrintAndLog(" "); - PrintAndLog("Add the known target key to check if it is present in the remaining key space:"); - PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF"); - return 0; - } + if (ctmp != 'H' && ctmp != 'h' ) return usage_hf14_hardnested(); + if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) return usage_hf14_hardnested(); bool know_target_key = false; bool nonce_file_read = false; @@ -919,7 +951,6 @@ int CmdHF14AMfNestedHard(const char *Cmd) { bool slow = false; int tests = 0; - if (ctmp == 'R' || ctmp == 'r') { nonce_file_read = true; if (!param_gethex(Cmd, 1, trgkey, 12)) { 
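Review bot: The new first check `if (ctmp != 'H' && ctmp != 'h' ) return usage_hf14_hardnested();` is inverted: every invocation whose first character is not `h` prints the usage and returns, so the command cannot run at all after this commit (PATCH 13/16 in this series flips it to `==`). The second check keeps the bare constant `20` as the minimum command length; a named constant or a comment saying which argument layout needs 20 characters would make the intent reviewable. CmdHF14AMfNestedHard continues outside the hunk.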
@@ -997,17 +1028,8 @@ int CmdHF14AMfNestedHard(const char *Cmd) { } int CmdHF14AMfChk(const char *Cmd) { - if (strlen(Cmd)<3) { - PrintAndLog("Usage: hf mf chk |<*card memory> [t|d] [] []"); - PrintAndLog(" * - all sectors"); - PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); - PrintAndLog("d - write keys to binary file"); - PrintAndLog("t - write keys to emulator memory\n"); - PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); - PrintAndLog(" hf mf chk *1 ? t"); - PrintAndLog(" hf mf chk *1 ? d"); - return 0; - } + + if (strlen(Cmd)<3) return usage_hf14_chk(); FILE * f; char filename[FILE_PATH_SIZE]={0}; -- 2.39.5 From 9ea10847eaacca0b5e29dd69e88994a06e653686 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 12:26:29 +0200 Subject: [PATCH 08/16] CHG: timeing in chk keys, --- client/cmdhfmf.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index af96543d..2e1b2186 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -218,8 +218,7 @@ END: return 0; } -int CmdHF14AMfWrBl(const char *Cmd) -{ +int CmdHF14AMfWrBl(const char *Cmd) { uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; @@ -268,8 +267,7 @@ int CmdHF14AMfWrBl(const char *Cmd) return 0; } -int CmdHF14AMfRdBl(const char *Cmd) -{ +int CmdHF14AMfRdBl(const char *Cmd) { uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; @@ -317,8 +315,7 @@ int CmdHF14AMfRdBl(const char *Cmd) return 0; } -int CmdHF14AMfRdSc(const char *Cmd) -{ +int CmdHF14AMfRdSc(const char *Cmd) { int i; uint8_t sectorNo = 0; uint8_t keyType = 0; @@ -375,8 +372,7 @@ int CmdHF14AMfRdSc(const char *Cmd) return 0; } -uint8_t FirstBlockOfSector(uint8_t sectorNo) -{ +uint8_t FirstBlockOfSector(uint8_t sectorNo) { if (sectorNo < 32) { return sectorNo * 4; } else { 
@@ -384,8 +380,7 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo) } } -uint8_t NumBlocksPerSector(uint8_t sectorNo) -{ +uint8_t NumBlocksPerSector(uint8_t sectorNo) { if (sectorNo < 32) { return 4; } else { @@ -1204,6 +1199,8 @@ int CmdHF14AMfChk(const char *Cmd) { // time clock_t t1 = clock(); + time_t start, end; + time(&start); // check keys. for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) { @@ -1231,12 +1228,14 @@ int CmdHF14AMfChk(const char *Cmd) { } } t1 = clock() - t1; + time(&end); + unsigned long elapsed_time = difftime(end, start); + if ( t1 > 0 ) - printf("\nTime in checkkeys: %.0f ticks\n", (float)t1); + printf("\nTime in checkkeys: %.0f ticks %u seconds\n", (float)t1, elapsed_time); // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? if ( keyType != 1 ) { - PrintAndLog("testing to read key B..."); for (i = 0; i < SectorsCnt; i++) { // KEY A but not KEY B -- 2.39.5 From be6e909c5bda0ae2d1ff2ea057127e099356c232 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 13:02:20 +0200 Subject: [PATCH 09/16] FIX: time printing, like difftime in MINGW enviroments needs to use 32b time. --- client/cmdhfmf.c | 4 ++-- client/proxmark3.h | 4 ++++ client/uart.h | 1 - client/ui.h | 1 + client/util.h | 2 +- 5 files changed, 8 insertions(+), 4 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 2e1b2186..0e3024a0 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1230,10 +1230,10 @@ int CmdHF14AMfChk(const char *Cmd) { t1 = clock() - t1; time(&end); unsigned long elapsed_time = difftime(end, start); - if ( t1 > 0 ) - printf("\nTime in checkkeys: %.0f ticks %u seconds\n", (float)t1, elapsed_time); + PrintAndLog("\nTime in checkkeys: %.0f ticks %u seconds\n", (float)t1, elapsed_time); + // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? if ( keyType != 1 ) { PrintAndLog("testing to read key B..."); 
diff --git a/client/proxmark3.h b/client/proxmark3.h index 6665b75b..89cac878 100644 --- a/client/proxmark3.h +++ b/client/proxmark3.h @@ -12,6 +12,10 @@ #ifndef PROXMARK3_H__ #define PROXMARK3_H__ +#ifdef __WIN32 +// for MINGW32 environments + #define _USE_32BIT_TIME_T 1 +#endif #define __STDC_FORMAT_MACROS 1 #include #define lx PRIx32 diff --git a/client/uart.h b/client/uart.h index 747c0f26..d520e7f4 100644 --- a/client/uart.h +++ b/client/uart.h @@ -37,7 +37,6 @@ #include #include #include - #include #include diff --git a/client/ui.h b/client/ui.h index b5133ab4..3417f362 100644 --- a/client/ui.h +++ b/client/ui.h @@ -10,6 +10,7 @@ #ifndef UI_H__ #define UI_H__ + #define _USE_MATH_DEFINES #include #include diff --git a/client/util.h b/client/util.h index 22156db9..e492fd49 100644 --- a/client/util.h +++ b/client/util.h @@ -13,7 +13,7 @@ #include #include #include -#include +#include #include "data.h" //for FILE_PATH_SIZE #ifndef ROTR -- 2.39.5 From 2813c42f98c0b40251c4a6c0289720c9a60db485 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 13:02:51 +0200 Subject: [PATCH 10/16] CHG: moved some params. --- client/Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/client/Makefile b/client/Makefile index 5b947959..4f90463f 100644 --- a/client/Makefile +++ b/client/Makefile @@ -7,15 +7,14 @@ include ../common/Makefile.common CC = gcc CXX = g++ -#COMMON_FLAGS = -m32 -COMMON_FLAGS = -std=c99 -O3 -mpopcnt -march=native +COMMON_FLAGS = -std=c99 -O3 -mpopcnt -march=native -g #VPATH = ../common ../zlib OBJDIR = obj LDLIBS = -L/opt/local/lib -L/usr/local/lib -lreadline -lpthread -lm LUALIB = ../liblua/liblua.a #LDFLAGS = $(COMMON_FLAGS) -CFLAGS = $(COMMON_FLAGS) -I. -I../include -I../common -I../zlib -I/opt/local/include -I../liblua -Wall -g +CFLAGS = $(COMMON_FLAGS) -I. -I../include -I../common -I../zlib -I/opt/local/include -I../liblua -Wall LUAPLATFORM = generic ifneq (,$(findstring MINGW,$(platform))) -- 2.39.5 
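Review bot: Defining `_USE_32BIT_TIME_T` in proxmark3.h forces a 32-bit `time_t` on MinGW, which reintroduces the 2038 overflow and only takes effect if this header is seen before any CRT header in every translation unit; a file that includes `<time.h>` (directly or through another project header) before proxmark3.h gets a 64-bit `time_t`, and mixing the two definitions across objects corrupts the timing values. If the motivating problem is the `%u`-with-`unsigned long` print in the timing code added in PATCH 07/16, correcting the format specifier there avoids changing the CRT ABI at all. At minimum the comment should state the constraint, e.g. `// MinGW: force 32-bit time_t so time()/difftime() match the CRT we link; must precede every <time.h> include`.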
From b9fc3e8eb7d81cc25e9b1b34458c097f4d8bb744 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 13:03:27 +0200 Subject: [PATCH 11/16] RM: removed some old reference inside some old proggies... --- client/cli.c | 2 +- client/snooper.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/client/cli.c b/client/cli.c index c5c2acf4..fe1c6fde 100644 --- a/client/cli.c +++ b/client/cli.c @@ -9,7 +9,7 @@ #include #include "sleep.h" #include "ui.h" -#include "proxusb.h" +//#include "proxusb.h" #include "cmdmain.h" #define HANDLE_ERROR if (error_occured) { \ diff --git a/client/snooper.c b/client/snooper.c index 2fed3fd8..36c80ce6 100644 --- a/client/snooper.c +++ b/client/snooper.c @@ -10,7 +10,7 @@ #include "sleep.h" #include "ui.h" -#include "proxusb.h" +//#include "proxusb.h" #include "cmdmain.h" #define HANDLE_ERROR if (error_occured) { \ -- 2.39.5 From 5bb62283862a369e8643641ef9f0d69429c0bb6c Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 13:04:22 +0200 Subject: [PATCH 12/16] syntax suger --- armsrc/BigBuf.c | 2 +- armsrc/fpgaloader.c | 14 +++++--------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/armsrc/BigBuf.c b/armsrc/BigBuf.c index 267921f4..57eb8db1 100644 --- a/armsrc/BigBuf.c +++ b/armsrc/BigBuf.c @@ -64,7 +64,7 @@ void BigBuf_Clear_ext(bool verbose) { memset(BigBuf, 0, BIGBUF_SIZE); if (verbose) - Dbprintf("Buffer cleared (%i bytes)",BIGBUF_SIZE); + Dbprintf("Buffer cleared (%i bytes)", BIGBUF_SIZE); } void BigBuf_Clear_keep_EM(void) diff --git a/armsrc/fpgaloader.c b/armsrc/fpgaloader.c index 64ddc608..86f144cf 100644 --- a/armsrc/fpgaloader.c +++ b/armsrc/fpgaloader.c 
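Review bot: Both hunks comment out the `#include "proxusb.h"` line instead of deleting it, although the subject says the reference is removed; commented-out code tends to linger, so drop the line outright in cli.c and snooper.c. If it is kept as a reminder, it needs a comment saying what replaced proxusb.h.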
@@ -117,8 +117,7 @@ void SetupSpi(int mode) // Set up the synchronous serial port, with the one set of options that we // always use when we are talking to the FPGA. Both RX and TX are enabled. //----------------------------------------------------------------------------- -void FpgaSetupSsc(void) -{ +void FpgaSetupSsc(void) { // First configure the GPIOs, and get ourselves a clock. AT91C_BASE_PIOA->PIO_ASR = GPIO_SSC_FRAME | @@ -156,18 +155,15 @@ void FpgaSetupSsc(void) // ourselves, not to another buffer). The stuff to manipulate those buffers // is in apps.h, because it should be inlined, for speed. //----------------------------------------------------------------------------- -bool FpgaSetupSscDma(uint8_t *buf, int len) -{ - if (buf == NULL) - return false; - +bool FpgaSetupSscDma(uint8_t *buf, int len) { + if (buf == NULL) return false; + AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTDIS; // Disable DMA Transfer AT91C_BASE_PDC_SSC->PDC_RPR = (uint32_t) buf; // transfer to this memory address AT91C_BASE_PDC_SSC->PDC_RCR = len; // transfer this many bytes AT91C_BASE_PDC_SSC->PDC_RNPR = (uint32_t) buf; // next transfer to same memory address AT91C_BASE_PDC_SSC->PDC_RNCR = len; // ... with same number of bytes - AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // go! - + AT91C_BASE_PDC_SSC->PDC_PTCR = AT91C_PDC_RXTEN; // go! return true; } -- 2.39.5 From cd777a0545066d87b1e0f838cdee0604941919d7 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 18:23:46 +0200 Subject: [PATCH 13/16] FIX: Some Coverity Scan warnings. fread, not initialised etc etc --- armsrc/hitagS.c | 2 - client/cmdhfmf.c | 4 +- client/cmdhfmfhard.c | 53 +++++++++--------- client/cmdlfhitag.c | 100 ++++++++++++++++------------------ client/nonce2key/crapto1.c | 4 +- client/nonce2key/crypto1_bs.c | 4 +- client/nonce2key/crypto1_bs.h | 2 +- 7 files changed, 81 insertions(+), 88 deletions(-) diff --git a/armsrc/hitagS.c b/armsrc/hitagS.c index a5bce4b9..d760a400 100644 
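Review bot: The rewritten guard in FpgaSetupSscDma still rejects only a NULL buffer; `len` is written unchecked into `PDC_RCR` and `PDC_RNCR`, which on the AT91SAM7 PDC are 16-bit counters (confirm against the datasheet), so a negative or >0xFFFF length is silently truncated instead of refused. Since the line is being touched anyway, `if (buf == NULL || len <= 0 || len > 0xFFFF) return false;` keeps the same early-return shape and makes the failure visible to the caller. The `(uint32_t) buf` pointer-to-integer cast is fine on this 32-bit ARM target but deserves a one-line comment so it is not "fixed" into `uintptr_t` plumbing later.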
--- a/armsrc/hitagS.c +++ b/armsrc/hitagS.c @@ -10,8 +10,6 @@ //----------------------------------------------------------------------------- // Some code was copied from Hitag2.c //----------------------------------------------------------------------------- - - #include #include #include "proxmark3.h" diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 0e3024a0..67d2ab67 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -94,12 +94,14 @@ int usage_hf14_hardnested(void){ PrintAndLog(" w acquire nonces and write them to binary file nonces.bin"); PrintAndLog(" s slower acquisition (required by some non standard cards)"); PrintAndLog(" r read nonces.bin and start attack"); + PrintAndLog(" t tests?"); PrintAndLog(" "); PrintAndLog("samples:"); PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A"); PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A w"); PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s"); PrintAndLog(" hf mf hardnested r"); + PrintAndLog(" hf mf hardnested r a0a1a2a3a4a5"); PrintAndLog(" "); PrintAndLog("Add the known target key to check if it is present in the remaining key space:"); PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF"); @@ -937,7 +939,7 @@ int CmdHF14AMfNestedHard(const char *Cmd) { char ctmp; ctmp = param_getchar(Cmd, 0); - if (ctmp != 'H' && ctmp != 'h' ) return usage_hf14_hardnested(); + if (ctmp == 'H' || ctmp == 'h' ) return usage_hf14_hardnested(); if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) return usage_hf14_hardnested(); bool know_target_key = false; diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index 0df1f157..1d642676 100644 --- a/client/cmdhfmfhard.c +++ b/client/cmdhfmfhard.c 
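Review bot: The new usage line `t tests?` does not tell the user what the option does, while the `@@ -937` hunk below accepts `t`/`T` as a real mode next to `r`. Presumably it runs the `Tests()` routine in cmdhfmfhard.c; once that is confirmed, replace it with `PrintAndLog(" t run the built-in self tests instead of an attack");`, or drop the line from the help until it is. The `ctmp == 'H' || ctmp == 'h'` change itself is the right fix: with the old `!=` form every first character other than h returned the usage text.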
@@ -73,7 +73,6 @@ static const float p_K[257] = { // the probability that a random nonce has a Su 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0000, 0.0290 }; - typedef struct noncelistentry { uint32_t nonce_enc; @@ -92,7 +91,6 @@ typedef struct noncelist { float score1, score2; } noncelist_t; - static size_t nonces_to_bruteforce = 0; static noncelistentry_t *brute_force_nonces[256]; static uint32_t cuid = 0; @@ -130,10 +128,8 @@ typedef struct { static partial_indexed_statelist_t partial_statelist[17]; static partial_indexed_statelist_t statelist_bitflip; - static statelist_t *candidates = NULL; - static int add_nonce(uint32_t nonce_enc, uint8_t par_enc) { uint8_t first_byte = nonce_enc >> 24; 
@@ -448,32 +444,31 @@ static void Tests() // crypto1_destroy(pcs); - // printf("\nTests: number of states with BitFlipProperty: %d, (= %1.3f%% of total states)\n", statelist_bitflip.len[0], 100.0 * statelist_bitflip.len[0] / (1<<20)); - printf("\nTests: Actual BitFlipProperties odd/even:\n"); - for (uint16_t i = 0; i < 256; i++) { - printf("[%02x]:%c ", i, nonces[i].BitFlip[ODD_STATE]?'o':nonces[i].BitFlip[EVEN_STATE]?'e':' '); - if (i % 8 == 7) { - printf("\n"); - } - } + // printf("\nTests: Actual BitFlipProperties odd/even:\n"); + // for (uint16_t i = 0; i < 256; i++) { + // printf("[%02x]:%c ", i, nonces[i].BitFlip[ODD_STATE]?'o':nonces[i].BitFlip[EVEN_STATE]?'e':' '); + // if (i % 8 == 7) { + // printf("\n"); + // } + // } - printf("\nTests: Sorted First Bytes:\n"); - for (uint16_t i = 0; i < 256; i++) { - uint8_t best_byte = best_first_bytes[i]; - printf("#%03d Byte: %02x, n = %3d, k = %3d, Sum(a8): %3d, Confidence: %5.1f%%, Bitflip: %c\n", - //printf("#%03d Byte: %02x, n = %3d, k = %3d, Sum(a8): %3d, Confidence: %5.1f%%, Bitflip: %c, score1: %1.5f, score2: %1.0f\n", - i, best_byte, - nonces[best_byte].num, - nonces[best_byte].Sum, - nonces[best_byte].Sum8_guess, - nonces[best_byte].Sum8_prob * 100, - nonces[best_byte].BitFlip[ODD_STATE]?'o':nonces[best_byte].BitFlip[EVEN_STATE]?'e':' ' - //nonces[best_byte].score1, - //nonces[best_byte].score2 - ); - } + // printf("\nTests: Sorted First Bytes:\n"); + // for (uint16_t i = 0; i < 256; i++) { + // uint8_t best_byte = best_first_bytes[i]; + // printf("#%03d Byte: %02x, n = %3d, k = %3d, Sum(a8): %3d, Confidence: %5.1f%%, Bitflip: %c\n", + // //printf("#%03d Byte: %02x, n = %3d, k = %3d, Sum(a8): %3d, Confidence: %5.1f%%, Bitflip: %c, score1: %1.5f, score2: %1.0f\n", + // i, best_byte, + // nonces[best_byte].num, + // nonces[best_byte].Sum, + // nonces[best_byte].Sum8_guess, + // nonces[best_byte].Sum8_prob * 100, + // nonces[best_byte].BitFlip[ODD_STATE]?'o':nonces[best_byte].BitFlip[EVEN_STATE]?'e':' ' + // 
//nonces[best_byte].score1, + // //nonces[best_byte].score2 + // ); + // } // printf("\nTests: parity performance\n"); // time_t time1p = clock(); @@ -1628,7 +1623,7 @@ static void* crack_states_thread(void* x){ } return NULL; } -#define _USE_32BIT_TIME_T + static void brute_force(void) { if (known_target_key != -1) { @@ -1667,6 +1662,8 @@ static void brute_force(void) #ifndef __WIN32 thread_count = sysconf(_SC_NPROCESSORS_CONF); + if ( thread_count < 1) + thread_count = 1; #endif /* _WIN32 */ pthread_t threads[thread_count]; diff --git a/client/cmdlfhitag.c b/client/cmdlfhitag.c index 2411fe5f..a5c3b8eb 100644 --- a/client/cmdlfhitag.c +++ b/client/cmdlfhitag.c @@ -28,8 +28,7 @@ size_t nbytes(size_t nbits) { return (nbits/8)+((nbits%8)>0); } -int CmdLFHitagList(const char *Cmd) -{ +int CmdLFHitagList(const char *Cmd) { uint8_t *got = malloc(USB_CMD_DATA_SIZE); // Query for the actual size of the trace @@ -58,13 +57,14 @@ int CmdLFHitagList(const char *Cmd) int len = strlen(Cmd); char filename[FILE_PATH_SIZE] = { 0x00 }; - FILE* pf = NULL; + FILE* f = NULL; if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; memcpy(filename, Cmd, len); if (strlen(filename) > 0) { - if ((pf = fopen(filename,"wb")) == NULL) { + f = fopen(filename,"wb"); + if (!f) { PrintAndLog("Error: Could not open file [%s]",filename); return 1; } @@ -129,8 +129,8 @@ int CmdLFHitagList(const char *Cmd) (isResponse ? "TAG" : " "), line); - if (pf) { - fprintf(pf," +%7d: %3d: %s %s\n", + if (f) { + fprintf(f," +%7d: %3d: %s %s\n", (prev < 0 ? 0 : (timestamp - prev)), bits, (isResponse ? "TAG" : " "), @@ -141,8 +141,8 @@ int CmdLFHitagList(const char *Cmd) i += (len + 9); } - if (pf) { - fclose(pf); + if (f) { + fclose(f); PrintAndLog("Recorded activity succesfully written to file: %s", filename); } @@ -161,7 +161,7 @@ int CmdLFHitagSim(const char *Cmd) { UsbCommand c = {CMD_SIMULATE_HITAG}; char filename[FILE_PATH_SIZE] = { 0x00 }; - FILE* pf; + FILE* f; bool tag_mem_supplied; int len = strlen(Cmd); 
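Review bot: In CmdLFHitagList the rewritten file-open path still copies `len` bytes into `filename` after the clamp `if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;`, so a command string of FILE_PATH_SIZE bytes or more fills the whole `char filename[FILE_PATH_SIZE]` array and leaves no terminating NUL for the `strlen(filename)` and `fopen(filename,"wb")` that follow, an over-read of the stack buffer. The clamp should be `if (len >= FILE_PATH_SIZE) len = FILE_PATH_SIZE - 1;`. The same pattern is visible in the CmdLFHitagSim, CmdLFHitagSimS and CmdLFHitagCheckChallenges hunks of this file. The clamp is a context line here, so the fix sits just above the hunk's `+` lines.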
@@ -169,25 +169,25 @@ int CmdLFHitagSim(const char *Cmd) { memcpy(filename, Cmd, len); if (strlen(filename) > 0) { - if ((pf = fopen(filename,"rb+")) == NULL) { + f = fopen(filename,"rb+"); + if (!f) { PrintAndLog("Error: Could not open file [%s]",filename); return 1; } tag_mem_supplied = true; - size_t bytes_read = fread(c.d.asBytes, 48, 1, pf); + size_t bytes_read = fread(c.d.asBytes, 48, 1, f); if ( bytes_read == 0) { PrintAndLog("Error: File reading error"); - fclose(pf); + fclose(f); return 1; } - fclose(pf); + fclose(f); } else { tag_mem_supplied = false; } // Does the tag comes with memory c.arg[0] = (uint32_t)tag_mem_supplied; - clearCommandBuffer(); SendCommand(&c); return 0; @@ -195,7 +195,6 @@ int CmdLFHitagSim(const char *Cmd) { int CmdLFHitagReader(const char *Cmd) { - UsbCommand c = {CMD_READER_HITAG};//, {param_get32ex(Cmd,0,0,10),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),param_get32ex(Cmd,3,0,16)}}; hitag_data* htd = (hitag_data*)c.d.asBytes; hitag_function htf = param_get32ex(Cmd,0,0,10); @@ -241,11 +240,8 @@ int CmdLFHitagReader(const char *Cmd) { // Copy the hitag2 function into the first argument c.arg[0] = htf; - clearCommandBuffer(); - // Send the command to the proxmark SendCommand(&c); - UsbCommand resp; WaitForResponse(CMD_ACK,&resp); 
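Review bot: The `@@ -241,11 +240,8 @@` hunk drops `clearCommandBuffer();` from CmdLFHitagReader before `SendCommand(&c)` and `WaitForResponse(CMD_ACK,&resp)`, and the CmdLFHitagSim hunk above does the same, while the CmdLFHitagSimS, CmdLFHitagCheckChallenges and CmdLFHitagWP hunks later in this commit add the call. If clearCommandBuffer() discards queued responses (its body is not on this page), the reader can now match a stale CMD_ACK left by an earlier command and save that response's `resp.d.asBytes` as this tag's memory. Either keep `clearCommandBuffer();` before SendCommand in both functions or add a comment stating why these two paths are exempt.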
@@ -253,28 +249,27 @@ int CmdLFHitagReader(const char *Cmd) { if (resp.arg[0] == false) return 1; uint32_t id = bytes_to_num(resp.d.asBytes,4); - char filename[FILE_PATH_SIZE]; - FILE* pf = NULL; + char filename[FILE_PATH_SIZE]; + FILE* f = NULL; sprintf(filename,"%08x_%04x.ht2",id,(rand() & 0xffff)); - if ((pf = fopen(filename,"wb")) == NULL) { + f = fopen(filename,"wb"); + if (!f) { PrintAndLog("Error: Could not open file [%s]",filename); return 1; } // Write the 48 tag memory bytes to file and finalize - fwrite(resp.d.asBytes,1,48,pf); - fclose(pf); - + fwrite(resp.d.asBytes, 1, 48, f); + fclose(f); PrintAndLog("Succesfully saved tag memory to [%s]",filename); return 0; } - int CmdLFHitagSimS(const char *Cmd) { UsbCommand c = { CMD_SIMULATE_HITAG_S }; char filename[FILE_PATH_SIZE] = { 0x00 }; - FILE* pf; + FILE* f; bool tag_mem_supplied; int len = strlen(Cmd); if (len > FILE_PATH_SIZE) @@ -282,24 +277,26 @@ int CmdLFHitagSimS(const char *Cmd) { memcpy(filename, Cmd, len); if (strlen(filename) > 0) { - if ((pf = fopen(filename, "rb+")) == NULL) { + f = fopen(filename, "rb+"); + if (!f) { PrintAndLog("Error: Could not open file [%s]", filename); return 1; } tag_mem_supplied = true; - if (fread(c.d.asBytes, 4*64, 1, pf) == 0) { + size_t bytes_read = fread(c.d.asBytes, 4*64, 1, f); + if ( bytes_read == 0) { PrintAndLog("Error: File reading error"); - fclose(pf); + fclose(f); return 1; } - fclose(pf); + fclose(f); } else { tag_mem_supplied = false; } // Does the tag comes with memory c.arg[0] = (uint32_t) tag_mem_supplied; - + clearCommandBuffer(); SendCommand(&c); return 0; } 
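Review bot: In CmdLFHitagReader the rewritten `fwrite(resp.d.asBytes, 1, 48, f); fclose(f);` discards both return values, yet the next line prints `Succesfully saved tag memory` (also a typo for "Successfully"), so a full disk or a write error is reported as success. `if (fwrite(resp.d.asBytes, 1, 48, f) != 48 || fclose(f) != 0) { PrintAndLog("Error: Could not write file [%s]", filename); return 1; }` keeps the control flow the hunk already uses for fopen. The `fread(c.d.asBytes, 4*64, 1, f)` check in the CmdLFHitagSimS hunk tests only for zero items, which is correct for a single 256-byte item but worth a comment saying a short file is rejected rather than partially loaded.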
@@ -307,36 +304,37 @@ int CmdLFHitagSimS(const char *Cmd) { int CmdLFHitagCheckChallenges(const char *Cmd) { UsbCommand c = { CMD_TEST_HITAGS_TRACES }; char filename[FILE_PATH_SIZE] = { 0x00 }; - FILE* pf; + FILE* f; bool file_given; int len = strlen(Cmd); if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; memcpy(filename, Cmd, len); if (strlen(filename) > 0) { - if ((pf = fopen(filename,"rb+")) == NULL) { - PrintAndLog("Error: Could not open file [%s]",filename); + f = fopen(filename,"rb+"); + if( !f ) { + PrintAndLog("Error: Could not open file [%s]", filename); return 1; } file_given = true; - if (fread(c.d.asBytes,8*60,1,pf) == 0) { - PrintAndLog("Error: File reading error"); - fclose(pf); + size_t bytes_read = fread(c.d.asBytes, 8*60, 1, f); + if ( bytes_read == 0) { + PrintAndLog("Error: File reading error"); + fclose(f); return 1; } - fclose(pf); + fclose(f); } else { file_given = false; } //file with all the challenges to try c.arg[0] = (uint32_t)file_given; - - SendCommand(&c); - return 0; + clearCommandBuffer(); + SendCommand(&c); + return 0; } - int CmdLFHitagWP(const char *Cmd) { UsbCommand c = { CMD_WR_HITAG_S }; hitag_data* htd = (hitag_data*)c.d.asBytes; @@ -367,17 +365,15 @@ int CmdLFHitagWP(const char *Cmd) { // Copy the hitag function into the first argument c.arg[0] = htf; - // Send the command to the proxmark - SendCommand(&c); - - UsbCommand resp; - WaitForResponse(CMD_ACK,&resp); - - // Check the return status, stored in the first argument - if (resp.arg[0] == false) return 1; - return 0; -} + clearCommandBuffer(); + SendCommand(&c); + UsbCommand resp; + WaitForResponse(CMD_ACK,&resp); + // Check the return status, stored in the first argument + if (resp.arg[0] == false) return 1; + return 0; +} static command_t CommandTable[] = { diff --git a/client/nonce2key/crapto1.c b/client/nonce2key/crapto1.c index 65e5d4b2..c17cea7a 100644 --- a/client/nonce2key/crapto1.c +++ b/client/nonce2key/crapto1.c 
@@ -383,7 +383,7 @@ uint32_t lfsr_rollback_word(struct Crypto1State *s, uint32_t in, int fb) /** nonce_distance * x,y valid tag nonces, then prng_successor(x, nonce_distance(x, y)) = y */ -static uint16_t *dist = 0; +static uint16_t *dist; int nonce_distance(uint32_t from, uint32_t to) { uint16_t x, i; @@ -391,7 +391,7 @@ int nonce_distance(uint32_t from, uint32_t to) dist = malloc(2 << 16); if(!dist) return -1; - for (x = i = 1; i; ++i) { + for (x = 1, i = 1; i; ++i) { dist[(x & 0xff) << 8 | x >> 8] = i; x = x >> 1 | (x ^ x >> 2 ^ x >> 3 ^ x >> 5) << 15; } diff --git a/client/nonce2key/crypto1_bs.c b/client/nonce2key/crypto1_bs.c index 2bb1194d..9a0272dd 100644 --- a/client/nonce2key/crypto1_bs.c +++ b/client/nonce2key/crypto1_bs.c @@ -80,7 +80,7 @@ inline const bitslice_value_t crypto1_bs_lfsr_rollback(const bitslice_value_t in // note that bytes are sliced and unsliced with reversed endianness inline void crypto1_bs_convert_states(bitslice_t bitsliced_states[], state_t regular_states[]){ size_t bit_idx = 0, slice_idx = 0; - state_t values[MAX_BITSLICES]; + state_t values[MAX_BITSLICES] = {{0x00}}; for(slice_idx = 0; slice_idx < MAX_BITSLICES; slice_idx++){ for(bit_idx = 0; bit_idx < STATE_SIZE; bit_idx++){ bool bit = get_vector_bit(slice_idx, bitsliced_states[bit_idx]); @@ -111,7 +111,7 @@ void crypto1_bs_bitslice_value32(uint32_t value, bitslice_t bitsliced_value[], s void crypto1_bs_print_states(bitslice_t bitsliced_states[]){ size_t slice_idx = 0; - state_t values[MAX_BITSLICES]; + state_t values[MAX_BITSLICES] = {{0x00}}; crypto1_bs_convert_states(bitsliced_states, values); for(slice_idx = 0; slice_idx < MAX_BITSLICES; slice_idx++){ printf("State %03zu: %012"llx"\n", slice_idx, values[slice_idx].value); diff --git a/client/nonce2key/crypto1_bs.h b/client/nonce2key/crypto1_bs.h index 8f332749..bef5c5e9 100644 --- a/client/nonce2key/crypto1_bs.h +++ b/client/nonce2key/crypto1_bs.h 
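Review bot: The rewritten `for (x = 1, i = 1; i; ++i)` in nonce_distance reads like an infinite loop because the condition is just `i`; it terminates only because `i` is a `uint16_t` that wraps to 0 after 65535 iterations, which silently breaks if someone widens the type. A comment on that line, `/* i is uint16_t: runs 65535 times and stops when ++i wraps to 0 */`, records the intent this Coverity-driven rewrite was meant to clarify. The `dist` table is allocated with `malloc(2 << 16)` and never freed, presumably a deliberate process-lifetime cache; a one-line comment on `static uint16_t *dist;` saying so would pre-empt the next leak report.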
@@ -58,7 +58,7 @@ bitslice_t bs_zeroes; #define ROLLBACK_SIZE 8 // number of nonces required to test to cover entire 48-bit state // I would have said it's 12... but bla goes with 100, so I do too -#define NONCE_TESTS 100 +#define NONCE_TESTS 12 // state pointer management extern __thread bitslice_t states[KEYSTREAM_SIZE+STATE_SIZE]; -- 2.39.5 From 1c38049bcb76b08c0f6ee16f94fea7e767bfb1fd Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 18:33:27 +0200 Subject: [PATCH 14/16] CHG: commented away some of the debug printf statements in hardnested. --- client/cmdhfmfhard.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index 1d642676..15bdd566 100644 --- a/client/cmdhfmfhard.c +++ b/client/cmdhfmfhard.c @@ -1315,8 +1315,8 @@ static void generate_candidates(uint16_t sum_a0, uint16_t sum_a8) *p = 0xffffffff; } } - printf("Odd state candidates: %6d (2^%0.1f)\n", current_candidates->len[ODD_STATE], log(current_candidates->len[ODD_STATE])/log(2)); - printf("Even state candidates: %6d (2^%0.1f)\n", current_candidates->len[EVEN_STATE], log(current_candidates->len[EVEN_STATE])/log(2)); + //printf("Odd state candidates: %6d (2^%0.1f)\n", current_candidates->len[ODD_STATE], log(current_candidates->len[ODD_STATE])/log(2)); + //printf("Even state candidates: %6d (2^%0.1f)\n", current_candidates->len[EVEN_STATE], log(current_candidates->len[EVEN_STATE])/log(2)); } } } -- 2.39.5 From 21d359f68fcaae74f383aaef49c15357389d4a9d Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sat, 23 Apr 2016 19:09:07 +0200 Subject: [PATCH 15/16] CHG: we don't want to assert inside the pm3 client. CHG: better message when failed to find the key. CHG: revert nonces check, 12 -> 100 --- client/cmdhfmfhard.c | 12 +++++------- client/nonce2key/crypto1_bs.h | 2 +- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index 15bdd566..015da045 100644 --- a/client/cmdhfmfhard.c 
+++ b/client/cmdhfmfhard.c @@ -33,9 +33,6 @@ #include #include -// uint32_t test_state_odd = 0; -// uint32_t test_state_even = 0; - #define CONFIDENCE_THRESHOLD 0.95 // Collect nonces until we are certain enough that the following brute force is successfull #define GOOD_BYTES_REQUIRED 28 @@ -1679,10 +1676,11 @@ static void brute_force(void) time(&end); unsigned long elapsed_time = difftime(end, start); - PrintAndLog("Tested %"PRIu32" states, found %u keys after %u seconds", total_states_tested, keys_found, elapsed_time); - if(!keys_found){ - assert(total_states_tested == maximum_states); - } + if(keys_found){ + PrintAndLog("Success! Tested %"PRIu32" states, found %u keys after %u seconds", total_states_tested, keys_found, elapsed_time); + } else { + PrintAndLog("Fail! Tested %"PRIu32" states, in %u seconds", total_states_tested, elapsed_time); + } // reset this counter for the next call nonces_to_bruteforce = 0; } diff --git a/client/nonce2key/crypto1_bs.h b/client/nonce2key/crypto1_bs.h index bef5c5e9..8f332749 100644 --- a/client/nonce2key/crypto1_bs.h +++ b/client/nonce2key/crypto1_bs.h @@ -58,7 +58,7 @@ bitslice_t bs_zeroes; #define ROLLBACK_SIZE 8 // number of nonces required to test to cover entire 48-bit state // I would have said it's 12... but bla goes with 100, so I do too -#define NONCE_TESTS 12 +#define NONCE_TESTS 100 // state pointer management extern __thread bitslice_t states[KEYSTREAM_SIZE+STATE_SIZE]; -- 2.39.5 From c0afa86f7539fbf40f053cfc13041f5e1f245378 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 24 Apr 2016 21:41:45 +0200 Subject: [PATCH 16/16] FIX: this commit solves a sneaky bug in 'LF VIKING' commands. The getVikingBits dropped the highest byte in the uid while creating the datablocks for the clone. ADD: added some extra message in debugmode when looking at viking tags. --- client/cmddata.c | 2 +- client/cmdlfviking.c | 4 ++-- common/lfdemod.c | 13 +++++++++---- 3 files changed, 12 insertions(+), 7 deletions(-) 
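Review bot: Both new PrintAndLog calls in brute_force pass `elapsed_time`, declared as `unsigned long` two lines above, to a `%u` conversion; that is a format/argument mismatch (undefined behaviour, and `unsigned long` is 64-bit on LP64 targets), so the specifier should be `%lu` in both strings. `keys_found` is also printed with `%u` and its declaration is outside the hunk, so confirm its type matches. With the `assert(total_states_tested == maximum_states)` removed, an incomplete sweep is no longer distinguishable from an exhaustive miss; printing `maximum_states` alongside `total_states_tested` in the `Fail!` line would keep that information visible without the assert.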
diff --git a/client/cmddata.c b/client/cmddata.c index 55c2d195..2e363054 100644 --- a/client/cmddata.c +++ b/client/cmddata.c @@ -660,7 +660,7 @@ int CmdVikingDemod(const char *Cmd) //call lfdemod.c demod for Viking int ans = VikingDemod_AM(DemodBuffer, &size); if (ans < 0) { - if (g_debugMode) PrintAndLog("Error Viking_Demod %d", ans); + if (g_debugMode) PrintAndLog("Error Viking_Demod %d %s", ans, (ans == -5)?"[chksum error]":""); return 0; } //got a good demod diff --git a/client/cmdlfviking.c b/client/cmdlfviking.c index b91aced8..039e4ae6 100644 --- a/client/cmdlfviking.c +++ b/client/cmdlfviking.c @@ -47,9 +47,9 @@ int usage_lf_viking_sim(void) { // calc checksum uint64_t getVikingBits(uint32_t id) { - uint8_t checksum = (id>>24) ^ ((id>>16) & 0xFF) ^ ((id>>8) & 0xFF) ^ (id & 0xFF) ^ 0xF2 ^ 0xA8; + uint8_t checksum = ((id>>24) & 0xFF) ^ ((id>>16) & 0xFF) ^ ((id>>8) & 0xFF) ^ (id & 0xFF) ^ 0xF2 ^ 0xA8; uint64_t ret = (uint64_t)0xF2 << 56; - ret |= (id << 8); + ret |= (uint64_t)id << 8; ret |= checksum; return ret; } diff --git a/common/lfdemod.c b/common/lfdemod.c index cb3e9f0b..f27ffff3 100644 --- a/common/lfdemod.c +++ b/common/lfdemod.c 
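Review bot: The `(uint64_t)id << 8` fix is right, but getVikingBits still has no comment explaining its constants, which is what hid the bug: the 64-bit block is `0xF2`, two zero bytes, the four id bytes and a checksum chosen so that the XOR of all eight bytes equals 0xA8, the exact `checkCalc != 0xA8` test in VikingDemod_AM in the lfdemod.c hunk of this commit. A short header comment above the function stating that layout would tie the encoder and the demodulator together. As a regression check for the high byte (constructed value): `getVikingBits(0x12345678)` should yield `0xF200001234567852ULL`; before this fix the 0x12 byte was lost.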
@@ -679,10 +679,15 @@ int VikingDemod_AM(uint8_t *dest, size_t *size) {
 uint8_t preamble[] = {1,1,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
 uint8_t errChk = preambleSearch(dest, preamble, sizeof(preamble), size, &startIdx);
 if (errChk == 0) return -4; //preamble not found
- uint32_t checkCalc = bytebits_to_byte(dest+startIdx,8) ^ bytebits_to_byte(dest+startIdx+8,8) ^ bytebits_to_byte(dest+startIdx+16,8)
- ^ bytebits_to_byte(dest+startIdx+24,8) ^ bytebits_to_byte(dest+startIdx+32,8) ^ bytebits_to_byte(dest+startIdx+40,8)
- ^ bytebits_to_byte(dest+startIdx+48,8) ^ bytebits_to_byte(dest+startIdx+56,8);
- if ( checkCalc != 0xA8 ) return -5;
+ uint32_t checkCalc = bytebits_to_byte(dest+startIdx,8) ^
+ bytebits_to_byte(dest+startIdx+8,8) ^
+ bytebits_to_byte(dest+startIdx+16,8) ^
+ bytebits_to_byte(dest+startIdx+24,8) ^
+ bytebits_to_byte(dest+startIdx+32,8) ^
+ bytebits_to_byte(dest+startIdx+40,8) ^
+ bytebits_to_byte(dest+startIdx+48,8) ^
+ bytebits_to_byte(dest+startIdx+56,8);
+ if ( checkCalc != 0xA8 ) return -5;
 if (*size != 64) return -6;
 //return start position
 return (int) startIdx;
-- 
2.39.5
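Review bot: The reformatted checksum still reads `dest+startIdx` through `dest+startIdx+63` before the `if (*size != 64) return -6;` check that follows it, so if `*size` is the number of bits available from `startIdx` (preambleSearch takes `size` by pointer and may update it; its body is not on this page) a shorter demod is summed past its end before being rejected. Moving the size check above the `uint32_t checkCalc = ...` expression keeps the same return codes and makes the eight reads provably in range. `checkCalc` only ever holds XORs of byte values, so `uint8_t` would state its range more precisely than `uint32_t`.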