Merge pull request #287 from cjbrigato/master

HF_COLIN : Makes Known Schemes in Struct form
This commit is contained in:
Philippe Teuwen 2019-07-24 13:41:10 +02:00 committed by GitHub
commit 7093fdaa5d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -27,39 +27,78 @@ int curlline;
// Colin's VIGIKPWN sniff/simulate/clone repeat routine for HF Mifare // Colin's VIGIKPWN sniff/simulate/clone repeat routine for HF Mifare
/* typedef struct MFC1KSchema {
void cjPrintBigArray(const char *bigar, int len, uint8_t newlines, uint8_t debug) uint8_t name[32];
{ uint64_t trigger;
uint32_t chunksize = (PM3_CMD_DATA_SIZE / 4); uint64_t keysA[16];
uint8_t totalchunks = len / chunksize; uint64_t keysB[16];
uint8_t last_chunksize = len - (totalchunks * chunksize); } MFC1KSchema;
char chunk[chunksize + 1];
memset(chunk, 0x00, sizeof(chunk)); #define MAX_SCHEMAS 4
if (debug > 0)
{ MFC1KSchema Schemas[MAX_SCHEMAS];
Dbprintf("len : %d", len);
Dbprintf("chunksize : %d bytes", chunksize); MFC1KSchema Noralsy = {
Dbprintf("totalchunks : %d", totalchunks); .name = "Noralsy",
Dbprintf("last_chunksize: %d", last_chunksize); .trigger = 0x414c41524f4e,
.keysA = {
0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e,
0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e,
0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e, 0x414c41524f4e
},
.keysB = {
0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e,
0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e,
0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e, 0x424c41524f4e
} }
for (uint8_t i = 0; i < totalchunks; i++) };
{
memset(chunk, 0x00, sizeof(chunk)); MFC1KSchema InfiHexact = {.name = "Infineon/Hexact",
memcpy(chunk, &bigar[i * chunksize], chunksize); .trigger = 0x484558414354,
DbprintfEx(FLAG_RAWPRINT, "%s", chunk); .keysA = {0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354,
0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354,
0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354, 0x484558414354,
0x484558414354
},
.keysB = {0xa22ae129c013, 0x49fae4e3849f, 0x38fcf33072e0, 0x8ad5517b4b18, 0x509359f131b1,
0x6c78928e1317, 0xaa0720018738, 0xa6cac2886412, 0x62d0c424ed8e, 0xe64a986a5d94,
0x8fa1d601d0a2, 0x89347350bd36, 0x66d2b7dc39ef, 0x6bc1e1ae547d, 0x22729a9bd40f
}
};
MFC1KSchema UrmetCaptive = {
.name = "Urmet Captive",
.trigger = 0x8829da9daf76,
.keysA = {
0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76,
0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76,
0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76
},
.keysB = {
0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76,
0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76,
0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76, 0x8829da9daf76
} }
if (last_chunksize > 0) };
{
memset(chunk, 0x00, sizeof(chunk)); int total_schemas = 0;
memcpy(chunk, &bigar[totalchunks * chunksize], last_chunksize);
DbprintfEx(FLAG_RAWPRINT, "%s", chunk); void add_schema(MFC1KSchema *p, MFC1KSchema a, int *schemas_counter) {
} if (*schemas_counter < MAX_SCHEMAS) {
if (newlines > 0) p[*schemas_counter] = a;
{ *schemas_counter += 1;
DbprintfEx(FLAG_NEWLINE, " "); }
}
void delete_schema(MFC1KSchema *p, int *schemas_counter, int index) {
if (*schemas_counter > 0 && index < *schemas_counter && index > -1) {
int last_index = *schemas_counter - 1;
for (int i = index; i < last_index; i++) {
p[i] = p[i + 1];
}
*schemas_counter -= 1;
} }
} }
*/
void cjSetCursFRight() { void cjSetCursFRight() {
vtsend_cursor_position(NULL, 98, (currfline)); vtsend_cursor_position(NULL, 98, (currfline));
@ -81,9 +120,8 @@ void cjTabulize() { DbprintfEx(FLAG_RAWPRINT, "\t\t\t"); }
/* /*
void cjPrintKey(uint64_t key, uint8_t *foundKey, uint16_t sectorNo, uint8_t type) { void cjPrintKey(uint64_t key, uint8_t *foundKey, uint16_t sectorNo, uint8_t type) {
char tosendkey[13]; char tosendkey[13];
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[0], foundKey[1], foundKey[2], foundKey[3], foundKey[4], foundKey[5]); sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[0], foundKey[1], foundKey[2], foundKey[3], foundKey[4],
cjSetCursRight(); foundKey[5]); cjSetCursRight(); DbprintfEx(FLAG_NEWLINE, "SEC: %02x | KEY : %s | TYP: %d", sectorNo, tosendkey, type);
DbprintfEx(FLAG_NEWLINE, "SEC: %02x | KEY : %s | TYP: %d", sectorNo, tosendkey, type);
} }
*/ */
@ -101,7 +139,7 @@ void ReadLastTagFromFlash() {
uint8_t *mem = BigBuf_malloc(size); uint8_t *mem = BigBuf_malloc(size);
//this one will handle filetype (symlink or not) and resolving by itself // this one will handle filetype (symlink or not) and resolving by itself
rdv40_spiffs_read_as_filetype((char *)HFCOLIN_LASTTAG_SYMLINK, (uint8_t *)mem, len, RDV40_SPIFFS_SAFETY_SAFE); rdv40_spiffs_read_as_filetype((char *)HFCOLIN_LASTTAG_SYMLINK, (uint8_t *)mem, len, RDV40_SPIFFS_SAFETY_SAFE);
emlSetMem(mem, 0, 64); emlSetMem(mem, 0, 64);
@ -129,8 +167,9 @@ void WriteTagToFlash(uint32_t uid, size_t size) {
num_to_bytes(uid, 4, buid); num_to_bytes(uid, 4, buid);
sprintf(dest, "hf_colin/mf_%02x%02x%02x%02x.bin", buid[0], buid[1], buid[2], buid[3]); sprintf(dest, "hf_colin/mf_%02x%02x%02x%02x.bin", buid[0], buid[1], buid[2], buid[3]);
// TODO : by using safe function for multiple writes we are both breaking cache mecanisms and making useless and unoptimized mount operations // TODO : by using safe function for multiple writes we are both breaking cache mecanisms and making useless and
// we should manage at out level the mount status before and after the whole standalone mode // unoptimized mount operations we should manage at out level the mount status before and after the whole standalone
// mode
rdv40_spiffs_write((char *)dest, (uint8_t *)data, len, RDV40_SPIFFS_SAFETY_SAFE); rdv40_spiffs_write((char *)dest, (uint8_t *)data, len, RDV40_SPIFFS_SAFETY_SAFE);
// lastag will only contain filename/path to last written tag file so we don't loose time or space. // lastag will only contain filename/path to last written tag file so we don't loose time or space.
rdv40_spiffs_make_symlink((char *)dest, (char *)HFCOLIN_LASTTAG_SYMLINK, RDV40_SPIFFS_SAFETY_SAFE); rdv40_spiffs_make_symlink((char *)dest, (char *)HFCOLIN_LASTTAG_SYMLINK, RDV40_SPIFFS_SAFETY_SAFE);
@ -141,12 +180,15 @@ void WriteTagToFlash(uint32_t uid, size_t size) {
return; return;
} }
void ModInfo(void) { void ModInfo(void) { DbpString(" HF Mifare ultra fast sniff/sim/clone - aka VIGIKPWN (Colin Brigato)"); }
DbpString(" HF Mifare ultra fast sniff/sim/clone - aka VIGIKPWN (Colin Brigato)");
}
void RunMod() { void RunMod() {
StandAloneMode(); StandAloneMode();
add_schema(Schemas, Noralsy, &total_schemas);
add_schema(Schemas, InfiHexact, &total_schemas);
add_schema(Schemas, UrmetCaptive, &total_schemas);
FpgaDownloadAndGo(FPGA_BITSTREAM_HF); FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
currline = 20; currline = 20;
@ -155,7 +197,7 @@ void RunMod() {
memset(cjuid, 0, sizeof(cjuid)); memset(cjuid, 0, sizeof(cjuid));
cjcuid = 0; cjcuid = 0;
uint8_t sectorsCnt = (MF1KSZ / MF1KSZSIZE); uint8_t sectorsCnt = (MF1KSZ / MF1KSZSIZE);
uint64_t key64; // Defines current key uint64_t key64; // Defines current key
uint8_t *keyBlock; // Where the keys will be held in memory. uint8_t *keyBlock; // Where the keys will be held in memory.
/* VIGIK EXPIRED DUMP FOR STUDY /* VIGIK EXPIRED DUMP FOR STUDY
@ -194,11 +236,11 @@ void RunMod() {
ACCBITS : 796788[00]+VALUE ACCBITS : 796788[00]+VALUE
*/ */
//---------------------------- //----------------------------
// Set of keys to be used. // Set of keys to be used.
// This should cover ~98% of // This should cover ~98% of
// French VIGIK system @2017 // French VIGIK system @2017
//---------------------------- //----------------------------
#define STKEYS 37 #define STKEYS 37
@ -295,7 +337,7 @@ failtag:
SpinOff(50); SpinOff(50);
LED_A_ON(); LED_A_ON();
uint8_t ticker = 0; uint8_t ticker = 0;
//while (!BUTTON_PRESS() && !iso14443a_select_card(cjuid, NULL, &cjcuid, true, 0, true)) // while (!BUTTON_PRESS() && !iso14443a_select_card(cjuid, NULL, &cjcuid, true, 0, true))
while (!iso14443a_select_card(cjuid, &p_card, &cjcuid, true, 0, true)) { while (!iso14443a_select_card(cjuid, &p_card, &cjcuid, true, 0, true)) {
WDT_HIT(); WDT_HIT();
@ -377,8 +419,8 @@ failtag:
if (key == -1) { if (key == -1) {
err = 1; err = 1;
allKeysFound = false; allKeysFound = false;
// used in portable imlementation on microcontroller: it reports back the fail and open the standalone lock // used in portable imlementation on microcontroller: it reports back the fail and open the standalone
// reply_old(CMD_CJB_FSMSTATE_MENU, 0, 0, 0, 0, 0); // lock reply_old(CMD_CJB_FSMSTATE_MENU, 0, 0, 0, 0, 0);
break; break;
} else if (key == -2) { } else if (key == -2) {
err = 1; // Can't select card. err = 1; // Can't select card.
@ -393,10 +435,10 @@ failtag:
cjSetCursRight(); cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %012" PRIx64 " ; TYP: %i", sec, key64, type); DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %012" PRIx64 " ; TYP: %i", sec, key64, type);
/*reply_old(CMD_CJB_INFORM_CLIENT_KEY, 12, sec, type, tosendkey, 12);*/ /*reply_old(CMD_CJB_INFORM_CLIENT_KEY, 12, sec, type, tosendkey, 12);*/
switch (key64) {
///////////////////////////////////////////////////////// for (int i = 0; i < total_schemas; i++) {
// COMMON SCHEME 1 : INFINITRON/HEXACT if (key64 == Schemas[i].trigger) {
case 0x484558414354:
cjSetCursLeft(); cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*STOP*!<<<<<<<<<<<<<<%s", _XRED_, _XWHITE_); DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*STOP*!<<<<<<<<<<<<<<%s", _XRED_, _XWHITE_);
cjSetCursLeft(); cjSetCursLeft();
@ -404,232 +446,36 @@ failtag:
DbprintfEx(FLAG_NEWLINE, " .TAG SEEMS %sDETERMINISTIC%s. ", _XGREEN_, _XWHITE_); DbprintfEx(FLAG_NEWLINE, " .TAG SEEMS %sDETERMINISTIC%s. ", _XGREEN_, _XWHITE_);
cjSetCursLeft(); cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%sDetected: %s INFI_HEXACT_VIGIK_TAG%s", _XORANGE_, _XCYAN_, _XWHITE_); DbprintfEx(FLAG_NEWLINE, "%sDetected: %s %s%s", _XORANGE_, _XCYAN_, Schemas[i].name, _XWHITE_);
cjSetCursLeft(); cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "...%s[%sKey_derivation_schemeTest%s]%s...", _XYELLOW_, _XGREEN_, _XYELLOW_, _XGREEN_); DbprintfEx(FLAG_NEWLINE, "...%s[%sKey_derivation_schemeTest%s]%s...", _XYELLOW_, _XGREEN_,
_XYELLOW_, _XGREEN_);
cjSetCursLeft(); cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*DONE*!<<<<<<<<<<<<<<%s", _XGREEN_, _XWHITE_); DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*DONE*!<<<<<<<<<<<<<<%s", _XGREEN_, _XWHITE_);
;
// Type 0 / A first
uint16_t t = 0; uint16_t t = 0;
for (uint16_t s = 0; s < sectorsCnt; s++) { for (uint16_t s = 0; s < sectorsCnt; s++) {
num_to_bytes(0x484558414354, 6, foundKey[t][s]); num_to_bytes(Schemas[i].keysA[s], 6, foundKey[t][s]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][s][0], foundKey[t][s][1], foundKey[t][s][2], sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][s][0], foundKey[t][s][1],
foundKey[t][s][3], foundKey[t][s][4], foundKey[t][s][5]); foundKey[t][s][2], foundKey[t][s][3], foundKey[t][s][4], foundKey[t][s][5]);
cjSetCursRight(); cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t); DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t);
} }
t = 1; t = 1;
uint16_t sectorNo = 0;
num_to_bytes(0xa22ae129c013, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 1;
num_to_bytes(0x49fae4e3849f, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 2;
num_to_bytes(0x38fcf33072e0, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 3;
num_to_bytes(0x8ad5517b4b18, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 4;
num_to_bytes(0x509359f131b1, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 5;
num_to_bytes(0x6c78928e1317, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 6;
num_to_bytes(0xaa0720018738, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 7;
num_to_bytes(0xa6cac2886412, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 8;
num_to_bytes(0x62d0c424ed8e, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 9;
num_to_bytes(0xe64a986a5d94, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 10;
num_to_bytes(0x8fa1d601d0a2, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 11;
num_to_bytes(0x89347350bd36, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 12;
num_to_bytes(0x66d2b7dc39ef, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 13;
num_to_bytes(0x6bc1e1ae547d, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 14;
num_to_bytes(0x22729a9bd40f, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
sectorNo = 15;
num_to_bytes(0x484558414354, 6, foundKey[t][sectorNo]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][sectorNo][0], foundKey[t][sectorNo][1], foundKey[t][sectorNo][2],
foundKey[t][sectorNo][3], foundKey[t][sectorNo][4], foundKey[t][sectorNo][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", sectorNo, tosendkey, t);
trapped = 1;
break;
////////////////END OF SCHEME 1//////////////////////////////
///////////////////////////////////////
// COMMON SCHEME 2 : URMET CAPTIVE / COGELEC!/?
case 0x8829da9daf76:
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*STOP*!<<<<<<<<<<<<<<%s", _XRED_, _XWHITE_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, " .TAG SEEMS %sDETERMINISTIC%s. ", _XGREEN_, _XWHITE_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%sDetected :%sURMET_CAPTIVE_VIGIK_TAG%s", _XORANGE_, _XCYAN_, _XWHITE_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "...%s[%sKey_derivation_schemeTest%s]%s...", _XYELLOW_, _XGREEN_, _XYELLOW_, _XGREEN_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*DONE*!<<<<<<<<<<<<<<%s", _XGREEN_, _XWHITE_);
cjSetCursLeft();
// emlClearMem();
// A very weak one...
for (uint16_t i = 0; i < 2; i++) {
for (uint16_t s = 0; s < sectorsCnt; s++) {
num_to_bytes(key64, 6, foundKey[i][s]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x",
foundKey[i][s][0],
foundKey[i][s][1],
foundKey[i][s][2],
foundKey[i][s][3],
foundKey[i][s][4],
foundKey[i][s][5]
);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, i);
}
}
trapped = 1;
break;
////////////////END OF SCHEME 2//////////////////////////////
///////////////////////////////////////
// COMMON SCHEME 3 : NORALSY "A-LARON & B-LARON . . . NORAL-B & NORAL-A"
case 0x414c41524f4e: // Thumbs up to the guy who had the idea of such a "mnemotechnical" key pair
case 0x424c41524f4e:
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*STOP*!<<<<<<<<<<<<<<%s", _XRED_, _XWHITE_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, " .TAG SEEMS %sDETERMINISTIC%s. ", _XGREEN_, _XWHITE_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s Detected :%sNORALSY_VIGIK_TAG %s", _XORANGE_, _XCYAN_, _XWHITE_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "...%s[%sKey_derivation_schemeTest%s]%s...", _XYELLOW_, _XGREEN_, _XYELLOW_, _XGREEN_);
cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>>>>>>>>>>>!*DONE*!<<<<<<<<<<<<<<%s", _XGREEN_, _XWHITE_);
t = 0;
for (uint16_t s = 0; s < sectorsCnt; s++) { for (uint16_t s = 0; s < sectorsCnt; s++) {
num_to_bytes(0x414c41524f4e, 6, foundKey[t][s]); num_to_bytes(Schemas[i].keysB[s], 6, foundKey[t][s]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x", foundKey[t][s][0], foundKey[t][s][1],
foundKey[t][s][0], foundKey[t][s][2], foundKey[t][s][3], foundKey[t][s][4], foundKey[t][s][5]);
foundKey[t][s][1],
foundKey[t][s][2],
foundKey[t][s][3],
foundKey[t][s][4],
foundKey[t][s][5]);
cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t);
}
t = 1;
for (uint16_t s = 0; s < sectorsCnt; s++) {
num_to_bytes(0x424c41524f4e, 6, foundKey[t][s]);
sprintf(tosendkey, "%02x%02x%02x%02x%02x%02x",
foundKey[t][s][0],
foundKey[t][s][1],
foundKey[t][s][2],
foundKey[t][s][3],
foundKey[t][s][4],
foundKey[t][s][5]);
cjSetCursRight(); cjSetCursRight();
DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t); DbprintfEx(FLAG_NEWLINE, "SEC: %02x ; KEY : %s ; TYP: %d", s, tosendkey, t);
} }
trapped = 1; trapped = 1;
break; break;
////////////////END OF SCHEME 3////////////////////////////// }
} }
/* etc etc for testing schemes quick schemes */ /* etc etc for testing schemes quick schemes */
} }
} }
@ -685,7 +531,8 @@ failtag:
delta_time = GetTickCountDelta(start_time); delta_time = GetTickCountDelta(start_time);
cjSetCursLeft(); cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "%s>>%s Time for VIGIK break :%s%dms%s", _XGREEN_, _XWHITE_, _XYELLOW_, delta_time, _XWHITE_); DbprintfEx(FLAG_NEWLINE, "%s>>%s Time for VIGIK break :%s%dms%s", _XGREEN_, _XWHITE_, _XYELLOW_, delta_time,
_XWHITE_);
vtsend_cursor_position_save(NULL); vtsend_cursor_position_save(NULL);
vtsend_set_attribute(NULL, 1); vtsend_set_attribute(NULL, 1);
@ -706,8 +553,9 @@ readysim:
DbprintfEx(FLAG_NEWLINE, "%s!> HOLD ON : %s When you'll click, simm will stop", _XRED_, _XWHITE_); DbprintfEx(FLAG_NEWLINE, "%s!> HOLD ON : %s When you'll click, simm will stop", _XRED_, _XWHITE_);
cjSetCursLeft(); cjSetCursLeft();
DbprintfEx(FLAG_NEWLINE, "Then %s immediately %s we'll try to %s dump our emulator state%s \r\nin a %s chinese tag%s", _XRED_, _XWHITE_, _XYELLOW_, _XWHITE_, DbprintfEx(FLAG_NEWLINE,
_XCYAN_, _XWHITE_); "Then %s immediately %s we'll try to %s dump our emulator state%s \r\nin a %s chinese tag%s", _XRED_,
_XWHITE_, _XYELLOW_, _XWHITE_, _XCYAN_, _XWHITE_);
cjSetCursLeft(); cjSetCursLeft();
cjSetCursLeft(); cjSetCursLeft();
@ -736,7 +584,7 @@ readysim:
} }
// Use UID, SAK, ATQA from EMUL, if uid not defined // Use UID, SAK, ATQA from EMUL, if uid not defined
//if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) == 0) { // if ((flags & (FLAG_4B_UID_IN_DATA | FLAG_7B_UID_IN_DATA | FLAG_10B_UID_IN_DATA)) == 0) {
flags |= FLAG_UID_IN_EMUL; flags |= FLAG_UID_IN_EMUL;
//} //}
Mifare1ksim(flags | FLAG_MF_1K, 0, cjuid); Mifare1ksim(flags | FLAG_MF_1K, 0, cjuid);
@ -856,7 +704,8 @@ int e_MifareECardLoad(uint32_t numofsectors, uint8_t keytype) {
/* the chk function is a piwi'ed(tm) check that will try all keys for /* the chk function is a piwi'ed(tm) check that will try all keys for
a particular sector. also no tracing no dbg */ a particular sector. also no tracing no dbg */
int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace, uint8_t keyCount, uint8_t *datain, uint64_t *key) { int cjat91_saMifareChkKeys(uint8_t blockNo, uint8_t keyType, bool clearTrace, uint8_t keyCount, uint8_t *datain,
uint64_t *key) {
DBGLEVEL = DBG_NONE; DBGLEVEL = DBG_NONE;
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN); iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);
set_tracing(false); set_tracing(false);
@ -961,8 +810,7 @@ void saMifareMakeTag(void) {
} }
} }
// TODO : make this work either for a Gen1a or for a block 0 direct write all transparently
//TODO : make this work either for a Gen1a or for a block 0 direct write all transparently
//----------------------------------------------------------------------------- //-----------------------------------------------------------------------------
// Matt's StandAlone mod. // Matt's StandAlone mod.
// Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn) // Work with "magic Chinese" card (email him: ouyangweidaxian@live.cn)
@ -1049,7 +897,8 @@ int saMifareCSetBlock(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *data
}; };
} }
if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) || (receivedAnswer[0] != 0x0a)) { if ((mifare_sendcmd_short(NULL, 0, 0xA0, blockNo, receivedAnswer, receivedAnswerPar, NULL) != 1) ||
(receivedAnswer[0] != 0x0a)) {
DbprintfEx(FLAG_NEWLINE, "write block send command error"); DbprintfEx(FLAG_NEWLINE, "write block send command error");
break; break;
}; };
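Review bot: The `InfiHexact.keysB` initializer in the first hunk lists only 15 keys, so `keysB[15]` is zero-filled by the designated initializer and sector 15 key B is now written as `000000000000`, whereas the removed `sectorNo = 15` branch set it to `0x484558414354`; append `0x484558414354` after `0x22729a9bd40f` to keep the 16th entry. The struct also narrows the Noralsy match: the old `switch` trapped on either `0x414c41524f4e` or `0x424c41524f4e`, but a single `.trigger` field only compares against the A key, so a run where the B key is the first one recovered would no longer be recognised (whether that ordering can occur depends on the key-check loop outside this hunk). The `add_schema` helper copies a ~280-byte `MFC1KSchema` by value on every call; on this target a `const MFC1KSchema *` parameter would be cheaper and avoids the stack copy, e.g. `void add_schema(MFC1KSchema *p, const MFC1KSchema *a, int *schemas_counter)`. A short comment on the struct, such as `/* one key pair per sector; keysA/keysB index = sector number, trigger = key that identifies the scheme */`, would make the 16-entry contract explicit. RunMod's body continues outside the hunk.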