- Don't increment the nonce when random mode is disabled (this breaks the
standard attack).
- Don't attempt the standard attack when random mode is enabled (there's no
point as it won't work, per comments from @pwpiwi).
- Attempt the moebius attack if the standard attack fails.
This makes the PM3 generate pseudo-random nonces rather than sequential
nonces, to make it act a bit more like a "real" MFC card. A reader would
otherwise be able to detect the PM3 probing based on the predictable nonces
and throw different authentication challenges (or refuse to authenticate at
all).
The code includes an implementation of a rand-like function (prand), similar
to the one from libc, which is seeded automatically based on the time it
takes between the PM3 starting up and the first call to the RNG.
This isn't cryptographically random, but should be "good enough" to be able
to evade basic detection.
Moebius attack didn't yield any better results in my testing so
disabling it, but allowing it to be re-enabled at will.
also disabled the auto logging of all keys with uid delimited file
stats.txt - can be uncommented when needed
also cleaned up some comments
note previous update added the creation of a stats.txt file to generate
statistics of the differences between std mfkey32 and the moebius
version.
- provided a BigBuf_malloc() function to dynamically allocate parts of BigBuf
e.g. for DMA-Buffers, Frame-Buffers, Emulator-Memory
- the whole rest of BigBuf is now available for traces (instead of a small fixed amount)
- send actual traceLen together with trace data
- changed client side to cope with varying traceLen
- changed small buffers to automatic variables instead of parts of BigBuf
FIX: a solution for the issue "hf eload, esave, cload, save - filepath variable too short"
CHG: minor code clean up.
ADD: AES / CRC16 for lua. (and tnp3xx scripts.)
ADD: tnp3dump.lua script to dump tnp3xx tags.
ADD: tnp3sim.lua script to let PM3 imitate an tnp3xx tag. Needs to be tested live
ADD: added a manufacturer list in "hf 14a reader", only viable when UID is double or triple size. Thanks to Asper for the list.
ADD: detect chinese magic backdoor commands in "hf 14a reader"
CHG: minor code clean up.
CHG: USB_CMD_DATA_SIZE is now used as maxsize for transfer of data between client and pm3device
CHG: suggested a fix for the underscore problem in ioclass\fileutils.c
ADD: tnp3xx support
ADD: nxp tag idents.
ADD: identifiction of chinese backdoor commands to hf 14a reader.
- buffers were too small to handle 256 byte frames
- parity bits were only handled for up to 32 byte frames
- trace format was inefficient
- removed parity calculation from decoders in iclass.c (parity not used on air anyway)
- hf mf dump: abort on unrecoverable errors. Don't create file dumpdata.bin in this case.
- hf mf chk: re-enabled and fixed option d (dump keys to dumpkeys.bin).
if there are unknown keys, write 0xffffffffffff instead to the file.
- provide a default key dictionary file for hf mf chk (default_keys.dic). Contents taken from
mf_default_keys.lua
- hf mf rdsc (fix): didn't account for 16 block sectors, allowed max sector 63 instead of 39
- hf mf ecfill (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (fix): Access Condition 011 not handled correctly (tried to access with key A)
- hf mf restore (add): added (optional) card size parameter and support for non 1K cards
- hf mf nested (fix): didn't account for 16 block sectors, allowed max sector 63 instead of 39
- hf mf nested (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
- hf mf chk (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
- hf mf eget (fix): displayed three instead of one block
- hf mf eload (add): load 4K .eml files (but accepts 1K .eml files for backwards compatibility)
- hf mf esave (add): always save the whole emulator memory (4K) instead of 1K only
- hf mf ecfill (add): added (optional) card size parameter and support for non 1K cards
- output of debug messages caused communication failures due to timing issues.
hf mf dbg 4 now required to see these debug messages.
- changed help text for hf mf dbg
- fixed minor bugs in help texts for hf mf sim and hf mf ecset
- display "key A" or "key B" instead of "key=0" or "key=1 in hf mf sim
- tracing was not always enabled when starting hf mf sniff or hf 14a snoop
- ATQA was displayed in wrong byte order in hf mf sniff
- 4 Byte UIDs were displayed as 7 Byte UIDs (padded with 0x000000) in hf mf sniff
- same for logfile names.
- assignment (=) had been used instead of == in comparisons (shouldn't have been relevant though)
- fixed a circular buffer rollover bug in iso14443a.c
- fixed 7 Byte UID handling in hf mf sniff
- fixed "cannot append" error in hf mf sniff d
- fixed hint on mfkey32 in hf mf sim x
- fixed hf mf sniff sometimes showing rogue data from previous calloc
- improve snooping/sniffing by syncing modulation detector window with reader signal (hi_iso14443a.v)
- code cleanup of hi_iso14443a.v
- enhanced tracing: hf 14a list now shows meaningful timing information. With new option f it also shows the frame delay times (fdt)
- small fix for hf 14b list - it used to run into the trace trailer
- hf 14a sim now obeys iso14443 timing (fdt of 1172 or 1234 resp.)
Note: you need to flash FPGA as well.
More details in http://www.proxmark.org/forum/viewtopic.php?pid=9721#p9721
