From 3ca3d401c0e8577cc1b4bc51278061088285bb51 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 4 Jul 2017 20:11:25 +0200 Subject: [PATCH] FIX: some adjustments to prng detection --- armsrc/mifareutil.c | 1 - client/cmdhf14a.c | 8 ++++---- client/cmdhfmf.c | 6 +++--- client/mifarehost.c | 14 +++++--------- 4 files changed, 12 insertions(+), 17 deletions(-) diff --git a/armsrc/mifareutil.c b/armsrc/mifareutil.c index 1dd629518..8a4c1c26e 100644 --- a/armsrc/mifareutil.c +++ b/armsrc/mifareutil.c @@ -134,7 +134,6 @@ int mifare_classic_authex(struct Crypto1State *pcs, uint32_t uid, uint8_t blockN // Transmit MIFARE_CLASSIC_AUTH len = mifare_sendcmd_short(pcs, isNested, 0x60 + (keyType & 0x01), blockNo, receivedAnswer, receivedAnswerPar, timing); - if (MF_DBGLEVEL >= 4) Dbprintf("rand tag nonce len: %x", len); if (len != 4) return 1; // Save the tag nonce (nt) diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 99f1426db..1d7c1f4ce 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -247,14 +247,14 @@ int CmdHF14AReader(const char *Cmd) { } break; case 0x01: PrintAndLog("TYPE : NXP TNP3xxx Activision Game Appliance"); break; - case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); break; + case 0x04: PrintAndLog("TYPE : NXP MIFARE (various !DESFire !DESFire EV1)"); isMifareClassic = false; break; case 0x08: PrintAndLog("TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1"); break; case 0x09: PrintAndLog("TYPE : NXP MIFARE Mini 0.3k"); break; case 0x10: PrintAndLog("TYPE : NXP MIFARE Plus 2k SL2"); break; case 0x11: PrintAndLog("TYPE : NXP MIFARE Plus 4k SL2"); break; case 0x18: PrintAndLog("TYPE : NXP MIFARE Classic 4k | Plus 4k SL1"); break; - case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); break; - case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); break; + case 0x20: PrintAndLog("TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41"); isMifareClassic = false; break; + case 0x24: PrintAndLog("TYPE : NXP MIFARE DESFire | DESFire EV1"); isMifareClassic = false; break; case 0x28: PrintAndLog("TYPE : JCOP31 or JCOP41 v2.3.1"); break; case 0x38: PrintAndLog("TYPE : Nokia 6212 or 6131 MIFARE CLASSIC 4K"); break; case 0x88: PrintAndLog("TYPE : Infineon MIFARE CLASSIC 1K"); break; @@ -414,7 +414,7 @@ int CmdHF14AReader(const char *Cmd) { if (isMifareClassic) { if ( detect_classic_prng() ) - PrintAndLog("Prng detection: WEAK (darkside)"); + PrintAndLog("Prng detection: WEAK"); else PrintAndLog("Prng detection: HARDEND (hardnested)"); } diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 820fb93bc..529adcb2f 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -182,6 +182,8 @@ start: (void)tmpchar; } + UsbCommand resp; + // wait cycle while (true) { printf("."); @@ -193,7 +195,6 @@ start: break; } - UsbCommand resp; if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { isOK = resp.arg[0]; printf("\n"); @@ -238,8 +239,7 @@ start: PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce..."); c.arg[0] = false; goto start; - } else { - + } else { // nonce2key found a candidate key. Lets verify it. uint8_t keyblock[] = {0,0,0,0,0,0}; num_to_bytes(r_key, 6, keyblock); diff --git a/client/mifarehost.c b/client/mifarehost.c index 59a2e0d7c..cde91ae7f 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -212,7 +212,7 @@ int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultk #define KEYS_IN_BLOCK 85 #define KEYBLOCK_SIZE 510 #define CANDIDATE_SIZE 0xFFFF * 6 - uint8_t found = FALSE; + uint8_t found = false; uint64_t key64 = 0; uint8_t candidates[CANDIDATE_SIZE] = {0x00}; uint8_t keyBlock[KEYBLOCK_SIZE] = {0x00}; @@ -239,9 +239,9 @@ int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultk memcpy(keyBlock, candidates + i, KEYBLOCK_SIZE); // check a block of generated candidate keys. - if (!mfCheckKeys(blockNo, keyType, TRUE, KEYS_IN_BLOCK, keyBlock, &key64)) { + if (!mfCheckKeys(blockNo, keyType, true, KEYS_IN_BLOCK, keyBlock, &key64)) { *resultkey = key64; - found = TRUE; + found = true; break; } @@ -414,7 +414,6 @@ int loadTraceCard(uint8_t *tuid, uint8_t uidlen) { PrintAndLog("No trace file found or reading error."); if (f) { fclose(f); - f = NULL; } return 2; } @@ -424,7 +423,6 @@ int loadTraceCard(uint8_t *tuid, uint8_t uidlen) { PrintAndLog("File content error. Block data must include 32 HEX symbols"); if (f) { fclose(f); - f = NULL; } return 2; } @@ -437,7 +435,6 @@ int loadTraceCard(uint8_t *tuid, uint8_t uidlen) { } if (f) { fclose(f); - f = NULL; } return 0; } @@ -458,7 +455,6 @@ int saveTraceCard(void) { fflush(f); if (f) { fclose(f); - f = NULL; } return 0; } @@ -670,7 +666,7 @@ int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, ks2 = ar_enc ^ prng_successor(nt, 64); ks3 = at_enc ^ prng_successor(nt, 96); s = lfsr_recovery64(ks2, ks3); - mf_crypto1_decrypt(s, data, len, FALSE); + mf_crypto1_decrypt(s, data, len, false); PrintAndLog("Decrypted data: [%s]", sprint_hex(data, len) ); crypto1_destroy(s); return 0; @@ -680,7 +676,7 @@ int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, * function performs a partial AUTH, where it tries to authenticate against block0, key A, but only collects tag nonce. * the tag nonce is check to see if it has a predictable PRNG. * @returns -* TRUE if tag uses WEAK prng (ie Darkside attack possible) +* TRUE if tag uses WEAK prng (ie Now the NACK bug also needs to be present for Darkside attack) * FALSE is tag uses HARDEND prng (ie hardnested attack possible, with known key) */ bool detect_classic_prng(){