Improve hf mf chk and hf mf nested
* hf mf chk. added interrupt of procedure by usb
* extract mifare default keys into separate module
* arm side multisector `hf mf chk`
* hf mf nested. change key search procedure
* hf mf nested. added key check after we have found a key.
* small fix hf list f
* hf mf chk. add timeout (arm side) and some tweaks.
* adjust LFSim to download lf fpga prior to setting emulation buffer to prevent buffer overwrite condition if you are coming from HF fpga.
* fix lf sim big buff overwrite with fpga download. Move fix to the buffer download cmd.
.. data for both format types (64 bit and 224 bit)
also adjust 224 bit demod and clone to output and input in PSK2 instead
of PSK1 as this appears to be most common for this format.
- Check button press when there is NOFIELD, so we can exit also without FIELD
- struct nonces_t is moved to include/mifare.h so client and arm has the same definition
... to speed up the loops waiting for carrier signal to go high or low
by only checking for a halt (button press or usbpol) every 1000th loop
iteration.
some users were experiencing modulating reactions to be too slow.
* Improve 'Magic' Mifare tags detection
* Magic Mifare tags detection and version printing
* Magic s50/1k tag halt error correction for cload and csave
* hf mf c* commands for gen1b
* Use |= for bitwise operation
* gen1b: don't issue wipe command and don't expect response from WUPC1 magic command after a SELECT_UID: old UID display works in hf mf csetuid
* hf mf cgetsc compatibility for 4k
* hf mf csave compatibility for 4k
* hf mf cload compatibility for 4k, suppress halt errors messages for debug level 2
* Revert to MF_DBG_ERROR level in mifare_classic_halt() and don't issue the halt command for gen1b
* Improve 'Magic' Mifare tags generation detection & hf mf c* commands magic 4k compatibility
endless loop in reader if no tag was found
button press on pm3 did not cancel.
led_b was left on in some cases
also moved 14b detection to last in hf search to help speed up the
command for the other tags. 14b is slow (does multiple tests)
Thanks to @Fl0-0 and @pwpiwi for their idenfication of some of the
issues.
memory locations in code are now accurate and the CC output is not
corrupted by the config's crc.
also the looping and flags for what to read are now correctly
implemented in the code.
This implements the attack described in
Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened
Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security, 2015
It uses precomputed tables for many bitflip properties (not only two as in the paper)
and is therefore quite efficient. To prevent failing it doesn't do
differential analysis with several nonce bytes' Sum(a8) properties (each of them
may be wrongly guessed) - instead it concentrates on one nonce byte and tries all
Sum(a8) property guesses sequentially (ordered by probability). The brute force phase
makes use of aczid's bit sliced brute forcer (https://github.com/aczid/crypto1_bs).
Includes runtime CPU-detection to leverage modern (and old) SIMD instructions
with a single executable.
add parameter for # bits to read
auto get samples after lf read/snoop (don't need to do a `data samples`
anymore)
add safe function to get DemodBuffer
add some lf demod comments and apply new lf_read function instead of
read then get samples.
fixed output bug in lf t55xx config print
fixed small bug in lf t55xx detect during ST check
fix noralsy demod bug (st should be true)
fix sprint_bin_break bug (didn't print last bit)
add a function to save/restore demodbuffer
remove redundant countFC call in PSKDemod
clean up pskclockdetect functions
fix indala26decode bug (end of data sometimes not correct)
improve PSK detection / demodulation
improve NRZ detection
improve t55xx commands & fix a few bugs
add t55xx page1 detection - added it to lf search
added experimental t55xx testmode write
helps get the data dumped even if positioning isn't 100% perfect.
also switched em4x05 commands to WaitUS instead of SpinDelayUs, per
@pwpiwi 's suggestion.
- correctly using stdtypes.h printf and scanf format string macros (PRIx64 et al)
- coverity fixes to client/cmdhfmf.c
- fix linker warning re missing entry point when linking fullimage.elf
plus some minor adjustments
and added a quick em4x05 test:
bool EM4x05Block0Test(uint32_t *wordData)
if successful very likely the tag is an em4x05 or compatible...
