RfidResearchGroup/proxmark3
1
1
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2024-12-26 18:12:34 +08:00
Code Issues Projects Releases Packages Wiki Activity

FIX: 'hf 14a sim x' - adjusted and shows messages when verbose.

Browse source 
FIX: 'hf mf sim x i' - same as above.

In general we only use Moebius attack for "sim x",  that means a clean up on device side code. simpler to understand. It still tries to gather 8 different collections of nonces combo. When one is complete, it get sent to client which runs moebius direct.
This commit is contained in:
iceman1001 2017-01-29 23:09:23 +01:00
parent 2ce218042d
commit 84bdbc1917
5 changed files with 193 additions and 314 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

350
armsrc/iso14443a.c
View file

@ -871,17 +871,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
uint8_t cardAUTHKEY = 0xff; // no authentication
// allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (std, moebius)
memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
uint8_t nonce1_count = 0;
uint8_t nonce2_count = 0;
uint8_t moebius_n_count = 0;
bool gettingMoebius = false;
uint8_t mM = 0; // moebius_modifier for collection storage
nonces_t ar_nr_nonces[ATTACK_KEY_COUNT]; // for attack types moebius
memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
uint8_t moebius_count = 0;
switch (tagType) {
case 1: { // MIFARE Classic 1k
@ -1056,7 +1048,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
// Clean receive command buffer
if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
DbpString("Button press");
Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
break;
}
p_response = NULL;
@ -1153,15 +1145,21 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
EmSendCmdEx(emdata, sizeof(emdata), false);
p_response = NULL;
} else {
// incease nonce at every command recieved. this is time consuming.
nonce = prand();
num_to_bytes(nonce, 4, response5);
prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
cardAUTHSC = receivedCmd[1] / 4; // received block num
cardAUTHKEY = receivedCmd[0] - 0x60;
p_response = &responses[5]; order = 7;
cardAUTHSC = receivedCmd[1] / 4; // received block num
// incease nonce at AUTH requests. this is time consuming.
nonce = prand();
//num_to_bytes(nonce, 4, response5);
num_to_bytes(nonce, 4, dynamic_response_info.response);
dynamic_response_info.response_n = 4;
//prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE);
p_response = &dynamic_response_info;
//p_response = &responses[5];
order = 7;
}
} else if(receivedCmd[0] == ISO14443A_CMD_RATS) { // Received a RATS request
if (tagType == 1 || tagType == 2) { // RATS not supported
@ -1178,69 +1176,60 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
// Collect AR/NR per keytype & sector
if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
if ( ar_nr_collected[i+mM] == 0 || (
(cardAUTHSC == ar_nr_resp[i+mM].sector) &&
(cardAUTHKEY == ar_nr_resp[i+mM].keytype) &&
(ar_nr_collected[i+mM] > 0)
)
) {
// if first auth for sector, or matches sector and keytype of previous auth
if (ar_nr_collected[i+mM] > 1) continue;
// if we haven't already collected 2 nonces for this sector
if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
// Avoid duplicates... probably not necessary, ar should vary.
if (ar_nr_collected[i+mM]==0) {
// first nonce collect
nonce1_count++;
// add this nonce to first moebius nonce
ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
ar_nr_collected[i+ATTACK_KEY_COUNT]++;
} else {
// second nonce collect (std and moebius)
ar_nr_resp[i+mM].nonce2 = nonce;
ar_nr_resp[i+mM].nr2 = nr;
ar_nr_resp[i+mM].ar2 = ar;
if (!gettingMoebius) {
nonce2_count++;
// check if this was the last second nonce we need for std attack
if ( nonce2_count == nonce1_count ) {
// done collecting std test switch to moebius
// first finish incrementing last sample
ar_nr_collected[i+mM]++;
// switch to moebius collection
gettingMoebius = true;
mM = ATTACK_KEY_COUNT;
break;
}
} else {
moebius_n_count++;
// if we've collected all the nonces we need - finish.
if (nonce1_count == moebius_n_count) {
cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
nonce1_count = 0;
nonce2_count = 0;
moebius_n_count = 0;
gettingMoebius = false;
}
}
}
ar_nr_collected[i+mM]++;
}
// we found right spot for this nonce stop looking
break;
}
int8_t index = -1;
int8_t empty = -1;
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
// find which index to use
if ( (cardAUTHSC == ar_nr_nonces[i].sector) && (cardAUTHKEY == ar_nr_nonces[i].keytype))
index = i;
// keep track of empty slots.
if ( ar_nr_nonces[i].state == EMPTY)
empty = i;
}
// if no empty slots. Choose first and overwrite.
if ( index == -1 ) {
if ( empty == -1 ) {
index = 0;
ar_nr_nonces[index].state = EMPTY;
} else {
index = empty;
}
}
switch(ar_nr_nonces[index].state) {
case EMPTY: {
// first nonce collect
ar_nr_nonces[index].cuid = cuid;
ar_nr_nonces[index].sector = cardAUTHSC;
ar_nr_nonces[index].keytype = cardAUTHKEY;
ar_nr_nonces[index].nonce = nonce;
ar_nr_nonces[index].nr = nr;
ar_nr_nonces[index].ar = ar;
ar_nr_nonces[index].state = FIRST;
break;
}
case FIRST : {
// second nonce collect
ar_nr_nonces[index].nonce2 = nonce;
ar_nr_nonces[index].nr2 = nr;
ar_nr_nonces[index].ar2 = ar;
ar_nr_nonces[index].state = SECOND;
// send to client
cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
ar_nr_nonces[index].state = EMPTY;
ar_nr_nonces[index].sector = 0;
ar_nr_nonces[index].keytype = 0;
moebius_count++;
break;
}
default: break;
}
}
p_response = NULL;
} else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
} else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
@ -1318,7 +1307,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
dynamic_response_info.response_n += 2;
if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
Dbprintf("Error preparing tag response");
DbpString("Error preparing tag response");
LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
@ -1403,9 +1392,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
*/
if (MF_DBGLEVEL >= 4){
Dbprintf("-[ Wake ups after halt [%d]", happened);
Dbprintf("-[ Messages after halt [%d]", happened2);
Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
Dbprintf("-[ Wake ups after halt [%d]", happened);
Dbprintf("-[ Messages after halt [%d]", happened2);
Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
Dbprintf("-[ Num of moebius tries [%d]", moebius_count);
}
cmd_send(CMD_ACK,1,0,0,0,0);
@ -2500,17 +2490,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
// Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2
// This can be used in a reader-only attack.
nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius)
memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
uint8_t nonce1_count = 0;
uint8_t nonce2_count = 0;
uint8_t moebius_n_count = 0;
bool gettingMoebius = false;
uint8_t mM = 0; // moebius_modifier for collection storage
bool doBufResetNext = false;
nonces_t ar_nr_nonces[ATTACK_KEY_COUNT];
memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
// -- Determine the UID
// Can be set from emulator memory or incoming data
@ -2752,101 +2733,63 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
uint32_t nr = bytes_to_num(receivedCmd, 4);
uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
if (doBufResetNext) {
// Reset, lets try again!
if (MF_DBGLEVEL >= 4) Dbprintf("Re-read after previous NR_AR_ATTACK, resetting buffer");
memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
mM = 0;
doBufResetNext = false;
}
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
// Collect AR/NR per keytype & sector
if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
if ( ar_nr_collected[i+mM] == 0 || (
(cardAUTHSC == ar_nr_resp[i+mM].sector) &&
(cardAUTHKEY == ar_nr_resp[i+mM].keytype) &&
(ar_nr_collected[i+mM] > 0)
)
) {
int8_t index = -1;
int8_t empty = -1;
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
// find which index to use
if ( (cardAUTHSC == ar_nr_nonces[i].sector) && (cardAUTHKEY == ar_nr_nonces[i].keytype))
index = i;
// if first auth for sector, or matches sector and keytype of previous auth
if (ar_nr_collected[i+mM] < 2) {
// if we haven't already collected 2 nonces for this sector
if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
// Avoid duplicates... probably not necessary, ar should vary.
if (ar_nr_collected[i+mM]==0) {
// first nonce collect
ar_nr_resp[i+mM].cuid = cuid;
ar_nr_resp[i+mM].sector = cardAUTHSC;
ar_nr_resp[i+mM].keytype = cardAUTHKEY;
ar_nr_resp[i+mM].nonce = nonce;
ar_nr_resp[i+mM].nr = nr;
ar_nr_resp[i+mM].ar = ar;
nonce1_count++;
// add this nonce to first moebius nonce
ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
ar_nr_collected[i+ATTACK_KEY_COUNT]++;
} else { // second nonce collect (std and moebius)
ar_nr_resp[i+mM].nonce2 = nonce;
ar_nr_resp[i+mM].nr2 = nr;
ar_nr_resp[i+mM].ar2 = ar;
if (!gettingMoebius) {
nonce2_count++;
// check if this was the last second nonce we need for std attack
if ( nonce2_count == nonce1_count ) {
// done collecting std test switch to moebius
// first finish incrementing last sample
ar_nr_collected[i+mM]++;
// switch to moebius collection
gettingMoebius = true;
mM = ATTACK_KEY_COUNT;
break;
}
} else {
moebius_n_count++;
// if we've collected all the nonces we need - finish.
if (nonce1_count == moebius_n_count) {
cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_resp, sizeof(ar_nr_resp));
nonce1_count = 0;
nonce2_count = 0;
moebius_n_count = 0;
gettingMoebius = false;
doBufResetNext = true;
finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE));
}
}
}
ar_nr_collected[i+mM]++;
}
// keep track of empty slots.
if ( ar_nr_nonces[i].state == EMPTY)
empty = i;
}
// if no empty slots. Choose first and overwrite.
if ( index == -1 ) {
if ( empty == -1 ) {
index = 0;
ar_nr_nonces[index].state = EMPTY;
} else {
index = empty;
}
// we found right spot for this nonce stop looking
break;
}
switch(ar_nr_nonces[index].state) {
case EMPTY: {
// first nonce collect
ar_nr_nonces[index].cuid = cuid;
ar_nr_nonces[index].sector = cardAUTHSC;
ar_nr_nonces[index].keytype = cardAUTHKEY;
ar_nr_nonces[index].nonce = nonce;
ar_nr_nonces[index].nr = nr;
ar_nr_nonces[index].ar = ar;
ar_nr_nonces[index].state = FIRST;
break;
}
case FIRST : {
// second nonce collect
ar_nr_nonces[index].nonce2 = nonce;
ar_nr_nonces[index].nr2 = nr;
ar_nr_nonces[index].ar2 = ar;
ar_nr_nonces[index].state = SECOND;
// send to client
cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
ar_nr_nonces[index].state = EMPTY;
ar_nr_nonces[index].sector = 0;
ar_nr_nonces[index].keytype = 0;
break;
}
default: break;
}
}
/*
// Collect AR/NR
// if(ar_nr_collected < 2 && cardAUTHSC == 2){
if(ar_nr_collected < 2) {
// if(ar_nr_responses[2] != nr) {
ar_nr_responses[ar_nr_collected*4] = cuid;
ar_nr_responses[ar_nr_collected*4+1] = nonce;
ar_nr_responses[ar_nr_collected*4+2] = nr;
ar_nr_responses[ar_nr_collected*4+3] = ar;
ar_nr_collected++;
// }
// Interactive mode flag, means we need to send ACK
finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2);
}
// Interactive mode flag, means we need to send ACK
crypto1_word(pcs, ar , 1);
cardRr = nr ^ crypto1_word(pcs, 0, 0);
@ -3081,45 +3024,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
}
}
// Interactive mode flag, means we need to send ACK
/*
if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE && flags & FLAG_NR_AR_ATTACK == FLAG_NR_AR_ATTACK) {
// May just aswell send the collected ar_nr in the response aswell
uint8_t len = ar_nr_collected * 4 * 4;
cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
}
*/
if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) {
for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
if (ar_nr_collected[i] == 2) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
ar_nr_resp[i].cuid, //UID
ar_nr_resp[i].nonce, //NT
ar_nr_resp[i].nr, //NR1
ar_nr_resp[i].ar, //AR1
ar_nr_resp[i].nr2, //NR2
ar_nr_resp[i].ar2 //AR2
);
}
}
for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
if (ar_nr_collected[i] == 2) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
ar_nr_resp[i].cuid, //UID
ar_nr_resp[i].nonce, //NT
ar_nr_resp[i].nr, //NR1
ar_nr_resp[i].ar, //AR1
ar_nr_resp[i].nonce2,//NT2
ar_nr_resp[i].nr2, //NR2
ar_nr_resp[i].ar2 //AR2
);
}
}
}
if (MF_DBGLEVEL >= 1)
Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());

16
client/cmdhf14a.c
View file

@ -441,7 +441,6 @@ int CmdHF14ACUIDs(const char *Cmd) {
// ## simulate iso14443a tag
// ## greg - added ability to specify tag UID
int CmdHF14ASim(const char *Cmd) {
#define ATTACK_KEY_COUNT 8
bool errors = FALSE;
uint8_t flags = 0;
uint8_t tagtype = 1;
@ -451,7 +450,8 @@ int CmdHF14ASim(const char *Cmd) {
bool useUIDfromEML = TRUE;
bool setEmulatorMem = FALSE;
bool verbose = FALSE;
nonces_t data[1];
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
case 'h':
@ -483,7 +483,7 @@ int CmdHF14ASim(const char *Cmd) {
break;
case 'v':
case 'V':
verbose = true;
verbose = TRUE;
cmdp++;
break;
case 'x':
@ -498,7 +498,7 @@ int CmdHF14ASim(const char *Cmd) {
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true;
errors = TRUE;
break;
}
if(errors) break;
@ -514,19 +514,19 @@ int CmdHF14ASim(const char *Cmd) {
memcpy(c.d.asBytes, uid, uidlen>>1);
clearCommandBuffer();
SendCommand(&c);
nonces_t data[ATTACK_KEY_COUNT*2];
UsbCommand resp;
PrintAndLog("Press pm3-button to abort simulation");
while( !ukbhit() ){
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
memcpy( data, resp.d.asBytes, sizeof(data) );
readerAttack(data, setEmulatorMem, verbose);
memcpy(data, resp.d.asBytes, sizeof(data) );
readerAttack(data[0], setEmulatorMem, verbose);
}
showSectorTable();
return 0;
}

133
client/cmdhfmf.c
View file

@ -1361,18 +1361,16 @@ int CmdHF14AMfChk(const char *Cmd) {
PrintAndLog("");
return 0;
}
#define ATTACK_KEY_COUNT 8
sector *k_sector = NULL;
uint8_t k_sectorsCount = 16;
void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
static void emptySectorTable(){
// initialize storage for found keys
if (k_sector == NULL)
k_sector = calloc(k_sectorsCount, sizeof(sector));
if (k_sector == NULL)
return;
uint64_t key = 0;
// empty e_sector
for(int i = 0; i < k_sectorsCount; ++i){
@ -1381,68 +1379,47 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
k_sector[i].foundKey[0] = FALSE;
k_sector[i].foundKey[1] = FALSE;
}
}
void showSectorTable(){
if (k_sector != NULL) {
printKeyTable(k_sectorsCount, k_sector);
free(k_sector);
k_sector = NULL;
}
}
void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose) {
if (verbose) printf("enter Moebius attack (mfkey32v2) \n");
uint64_t key = 0;
bool success = FALSE;
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {
// if no-collected data
if (data[i].ar2 == 0) continue;
if (k_sector == NULL)
emptySectorTable();
// We can probably skip this, mfkey32v2 is more reliable.
#ifdef HFMF_TRYMFK32
if (tryMfk32(data[i], &key, verbose)) {
PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"
, (data[i].keytype) ? "B" : "A"
, data[i].sector
, key
);
success = tryMfk32_moebius(data, &key, verbose);
if (success) {
uint8_t sector = data.sector;
uint8_t keytype = data.keytype;
k_sector[i].Key[data[i].keytype] = key;
k_sector[i].foundKey[data[i].keytype] = TRUE;
//set emulator memory for keys
if (setEmulatorMem) {
uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
num_to_bytes( k_sector[i].Key[0], 6, memBlock);
num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);
PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
, ((data[i].sector)*4) + 3
, sprint_hex( memBlock, sizeof(memBlock))
);
mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1);
}
continue;
}
#endif
//moebius attack
if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {
uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;
uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;
PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012"llx"]"
, keytype ? "B" : "A"
, sector
, key
);
PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012"llx"]"
, keyType ? "B" : "A"
, sectorNum
, key
);
k_sector[sector].Key[keytype] = key;
k_sector[sector].foundKey[keytype] = TRUE;
k_sector[sectorNum].Key[keyType] = key;
k_sector[sectorNum].foundKey[keyType] = TRUE;
//set emulator memory for keys
if (setEmulatorMem) {
uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock);
num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10);
//iceman, guessing this will not work so well for 4K tags.
PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
, (sectorNum*4) + 3
, sprint_hex( memBlock, sizeof(memBlock))
);
mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1);
}
continue;
//set emulator memory for keys
if (setEmulatorMem) {
uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};
num_to_bytes( k_sector[sector].Key[0], 6, memBlock);
num_to_bytes( k_sector[sector].Key[1], 6, memBlock+10);
//iceman, guessing this will not work so well for 4K tags.
PrintAndLog("Setting Emulator Memory Block %02d: [%s]"
, (sector*4) + 3
, sprint_hex( memBlock, sizeof(memBlock))
);
mfEmlSetMem( memBlock, (sector*4) + 3, 1);
}
}
}
@ -1453,18 +1430,17 @@ int CmdHF14AMf1kSim(const char *Cmd) {
uint8_t exitAfterNReads = 0;
uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);
int uidlen = 0;
bool setEmulatorMem = false;
uint8_t cmdp = 0;
bool errors = false;
// If set to true, we should show our workings when doing NR_AR_ATTACK.
bool verbose = false;
bool errors = FALSE;
bool verbose = FALSE;
bool setEmulatorMem = FALSE;
nonces_t data[1];
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
case 'e':
case 'E':
setEmulatorMem = true;
setEmulatorMem = TRUE;
cmdp++;
break;
case 'h':
@ -1489,11 +1465,11 @@ int CmdHF14AMf1kSim(const char *Cmd) {
case 8: flags = FLAG_4B_UID_IN_DATA; break;
default: return usage_hf14_mf1ksim();
}
cmdp +=2;
cmdp += 2;
break;
case 'v':
case 'V':
verbose = true;
verbose = TRUE;
cmdp++;
break;
case 'x':
@ -1503,7 +1479,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
break;
default:
PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
errors = true;
errors = TRUE;
break;
}
if(errors) break;
@ -1521,27 +1497,20 @@ int CmdHF14AMf1kSim(const char *Cmd) {
memcpy(c.d.asBytes, uid, sizeof(uid));
clearCommandBuffer();
SendCommand(&c);
UsbCommand resp;
if(flags & FLAG_INTERACTIVE) {
if(flags & FLAG_INTERACTIVE) {
PrintAndLog("Press pm3-button or send another cmd to abort simulation");
nonces_t data[ATTACK_KEY_COUNT*2];
UsbCommand resp;
while( !ukbhit() ){
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
memcpy( data, resp.d.asBytes, sizeof(data) );
readerAttack(data, setEmulatorMem, verbose);
}
if (k_sector != NULL) {
printKeyTable(k_sectorsCount, k_sector);
free(k_sector);
k_sector = NULL;
memcpy(data, resp.d.asBytes, sizeof(data));
readerAttack(data[0], setEmulatorMem, verbose);
}
showSectorTable();
}
return 0;
}

3
client/cmdhfmf.h
View file

@ -61,6 +61,7 @@ int CmdHF14AMfCLoad(const char* cmd);
int CmdHF14AMfCSave(const char* cmd);
int CmdHf14MfDecryptBytes(const char *Cmd);
void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose);
void showSectorTable(void);
void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose);
void printKeyTable( uint8_t sectorscnt, sector *e_sector );
#endif

5
include/mifare.h
View file

@ -74,6 +74,11 @@ typedef struct {
uint32_t nr2;
uint8_t sector;
uint8_t keytype;
enum {
EMPTY,
FIRST,
SECOND,
} state;
} nonces_t;
#endif // _MIFARE_H_