From 96076c19453f3aa7ac7a8dff0682b81ccf4d30ab Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Tue, 2 Jun 2020 11:46:59 +0200
Subject: [PATCH] chg: remove unused code from "hf mf sim"
---
 client/src/cmdhfmf.c | 160 ------------------
 client/src/mifare/mifarehost.c | 290 ---------------------------------
 client/src/mifare/mifarehost.h | 9 -
 3 files changed, 459 deletions(-)
diff --git a/client/src/cmdhfmf.c b/client/src/cmdhfmf.c
index 5c0ae6cb5..7fe84f55e 100644
--- a/client/src/cmdhfmf.c
+++ b/client/src/cmdhfmf.c
@@ -3351,166 +3351,6 @@ static int CmdHF14AMfSim(const char *Cmd) { k_sectorsCount = MIFARE_4K_MAXSECTOR; return PM3_SUCCESS; } -/* -static int CmdHF14AMfSniff(const char *Cmd) { - bool wantLogToFile = false; - bool wantDecrypt = false; - //bool wantSaveToEml = false; TODO - bool wantSaveToEmlFile = false; - - //var - int res = 0, len = 0, blockLen = 0; - int pckNum = 0, num = 0; - uint8_t sak = 0; - uint8_t uid[10]; - uint8_t uid_len = 0; - uint8_t atqa[2] = {0x00, 0x00}; - bool isTag = false; - uint8_t *buf = NULL; - uint16_t bufsize = 0; - uint8_t *bufPtr = NULL; - uint16_t traceLen = 0; - - memset(uid, 0x00, sizeof(uid)); - - char ctmp = tolower(param_getchar(Cmd, 0)); - if (ctmp == 'h') return usage_hf14_sniff(); - - for (int i = 0; i < 4; i++) { - ctmp = tolower(param_getchar(Cmd, i)); - if (ctmp == 'l') wantLogToFile = true; - if (ctmp == 'd') wantDecrypt = true; - //if (ctmp == 'e') wantSaveToEml = true; TODO - if (ctmp == 'f') wantSaveToEmlFile = true; - } - - PrintAndLogEx(NORMAL, "-------------------------------------------------------------------------\n"); - PrintAndLogEx(NORMAL, "Executing mifare sniffing command. 
\n"); - PrintAndLogEx(NORMAL, "Press the button on the Proxmark3 device to abort both Proxmark3 and client.\n"); - PrintAndLogEx(NORMAL, "Press Enter to abort the client.\n"); - PrintAndLogEx(NORMAL, "-------------------------------------------------------------------------\n"); - - clearCommandBuffer(); - SendCommandNG(CMD_HF_MIFARE_SNIFF, NULL, 0); - - PacketResponseNG resp; - struct Crypto1State *traceCrypto1 = NULL; - - // wait cycle - while (true) { - printf("."); - fflush(stdout); - if (kbd_enter_pressed()) { - PrintAndLogEx(INFO, "\naborted via keyboard!\n"); - break; - } - - if (!WaitForResponseTimeout(CMD_ACK, &resp, 2000)) { - continue; - } - - res = resp.oldarg[0] & 0xff; - traceLen = resp.oldarg[1]; - len = resp.oldarg[2]; - - if (res == 0) { - PrintAndLogEx(SUCCESS, "hf mifare sniff finished"); - free(buf); - return 0; - } - - if (res == 1) { // there is (more) data to be transferred - if (pckNum == 0) { // first packet, (re)allocate necessary buffer - if (traceLen > bufsize || buf == NULL) { - uint8_t *p; - if (buf == NULL) // not yet allocated - p = calloc(traceLen, sizeof(uint8_t)); - else // need more memory - p = realloc(buf, traceLen); - - if (p == NULL) { - PrintAndLogEx(FAILED, "Cannot allocate memory for trace"); - free(buf); - return 2; - } - buf = p; - } - bufPtr = buf; - bufsize = traceLen; - memset(buf, 0x00, traceLen); - } - - // what happens if LEN is bigger then TRACELEN --iceman - memcpy(bufPtr, resp.data.asBytes, len); - bufPtr += len; - pckNum++; - } - - if (res == 2) { // received all data, start displaying - blockLen = bufPtr - buf; - bufPtr = buf; - PrintAndLogEx(NORMAL, ">\n"); - PrintAndLogEx(SUCCESS, "received trace len: %d packages: %d", blockLen, pckNum); - while (bufPtr - buf < blockLen) { - bufPtr += 6; // skip (void) timing information - len = *((uint16_t *)bufPtr); - if (len & 0x8000) { - isTag = true; - len &= 0x7fff; - } else { - isTag = false; - } - bufPtr += 2; - - // the uid identification package - // 0xFF 0xFF xx 
xx xx xx xx xx xx xx xx xx aa aa cc 0xFF 0xFF - // x = uid, a = atqa, c = sak - if ((len == 17) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[15] == 0xff) && (bufPtr[16] == 0xff)) { - memcpy(uid, bufPtr + 2, 10); - memcpy(atqa, bufPtr + 2 + 10, 2); - switch (atqa[0] & 0xC0) { - case 0x80: - uid_len = 10; - break; - case 0x40: - uid_len = 7; - break; - default: - uid_len = 4; - break; - } - sak = bufPtr[14]; - PrintAndLogEx(SUCCESS, "UID %s | ATQA %02x %02x | SAK 0x%02x", - sprint_hex(uid, uid_len), - atqa[1], - atqa[0], - sak); - if (wantLogToFile || wantDecrypt) { - FillFileNameByUID(logHexFileName, uid, ".log", uid_len); - AddLogCurrentDT(logHexFileName); - PrintAndLogEx(SUCCESS, "Trace saved to %s", logHexFileName); - } - if (wantDecrypt) - mfTraceInit(&traceCrypto1, uid, uid_len, atqa, sak, wantSaveToEmlFile); - } else { - PrintAndLogEx(NORMAL, "%03d| %s |%s", num, isTag ? "TAG" : "RDR", sprint_hex(bufPtr, len)); - if (wantLogToFile) - AddLogHex(logHexFileName, isTag ? "TAG| " : "RDR| ", bufPtr, len); - if (wantDecrypt) - mfTraceDecode(traceCrypto1, bufPtr, len, wantSaveToEmlFile); - num++; - } - bufPtr += len; - bufPtr += ((len - 1) / 8 + 1); // ignore parity - } - pckNum = 0; - } - } // while (true) - - free(buf); - return PM3_SUCCESS; -} -*/ /* static int CmdHF14AMfKeyBrute(const char *Cmd) { diff --git a/client/src/mifare/mifarehost.c b/client/src/mifare/mifarehost.c index dcd8698df..8e476a424 100644 --- a/client/src/mifare/mifarehost.c +++ b/client/src/mifare/mifarehost.c 
@@ -944,124 +944,9 @@ int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params) { // SNIFFER // [iceman] so many global variables.... -// constants -static uint8_t trailerAccessBytes[4] = {0x08, 0x77, 0x8F, 0x00}; - // variables -char logHexFileName[FILE_PATH_SIZE] = {0x00}; -static uint8_t traceCard[4096] = {0x00}; -static char traceFileName[FILE_PATH_SIZE] = {0x00}; -static int traceState = TRACE_IDLE; -static uint8_t traceCurBlock = 0; -static uint8_t traceCurKey = 0; - uint32_t cuid = 0; // uid part used for crypto1. -int isTraceCardEmpty(void) { - return ((traceCard[0] == 0) && (traceCard[1] == 0) && (traceCard[2] == 0) && (traceCard[3] == 0)); -} - -int isBlockEmpty(int blockN) { - for (int i = 0; i < 16; i++) - if (traceCard[blockN * 16 + i] != 0) return 0; - - return 1; -} - -int isBlockTrailer(int blockN) { - return ((blockN & 0x03) == 0x03); -} - -int loadTraceCard(uint8_t *tuid, uint8_t uidlen) { - FILE *f; - char buf[64] = {0x00}; - uint8_t buf8[64] = {0x00}; - int i, blockNum; - uint32_t tmp; - - if (!isTraceCardEmpty()) - saveTraceCard(); - - memset(traceCard, 0x00, 4096); - memcpy(traceCard, tuid, uidlen); - - FillFileNameByUID(traceFileName, tuid, ".eml", uidlen); - - f = fopen(traceFileName, "r"); - if (!f) return PM3_EFILE; - - blockNum = 0; - - while (!feof(f)) { - - memset(buf, 0, sizeof(buf)); - if (fgets(buf, sizeof(buf), f) == NULL) { - PrintAndLogEx(FAILED, "No trace file found or reading error."); - fclose(f); - return PM3_EFILE; - } - - if (strlen(buf) < 32) { - if (feof(f)) break; - PrintAndLogEx(FAILED, "File content error. 
Block data must include 32 HEX symbols"); - fclose(f); - return PM3_EFILE; - } - for (i = 0; i < 32; i += 2) { - sscanf(&buf[i], "%02X", &tmp); - buf8[i / 2] = tmp & 0xFF; - } - - memcpy(traceCard + blockNum * 16, buf8, 16); - - blockNum++; - } - fclose(f); - return PM3_SUCCESS; -} - -int saveTraceCard(void) { - - if ((!strlen(traceFileName)) || (isTraceCardEmpty())) return PM3_ESOFT; - - FILE *f; - f = fopen(traceFileName, "w+"); - if (!f) return PM3_EFILE; - - // given 4096 tracecard size, these loop will only match a 1024, 1kb card memory - // 4086/16 == 256blocks. - for (uint16_t i = 0; i < 256; i++) { // blocks - for (uint8_t j = 0; j < 16; j++) // bytes - fprintf(f, "%02X", *(traceCard + i * 16 + j)); - - // no extra line in the end - if (i < 255) - fprintf(f, "\n"); - } - fflush(f); - fclose(f); - return PM3_SUCCESS; -} -// -int mfTraceInit(struct Crypto1State **traceCrypto1, uint8_t *tuid, uint8_t uidlen, uint8_t *atqa, uint8_t sak, bool wantSaveToEmlFile) { - - if (*traceCrypto1) - crypto1_destroy(*traceCrypto1); - - *traceCrypto1 = NULL; - - if (wantSaveToEmlFile) - loadTraceCard(tuid, uidlen); - - traceCard[4] = traceCard[0] ^ traceCard[1] ^ traceCard[2] ^ traceCard[3]; - traceCard[5] = sak; - memcpy(&traceCard[6], atqa, 2); - traceCurBlock = 0; - cuid = bytes_to_num(tuid + (uidlen - 4), 4); - traceState = TRACE_IDLE; - return PM3_SUCCESS; -} - void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *data, int len, bool isEncrypted) { if (len != 1) { for (int i = 0; i < len; i++) 
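Review bot: The `uint32_t cuid = 0; // uid part used for crypto1.` global kept as context in this hunk loses its only visible writer (mfTraceInit, removed here) and its only visible reader (mfTraceDecode, removed in the next hunk), yet it survives as a non-static external symbol directly under the `[iceman] so many global variables....` comment. If nothing else in mifarehost.c or another translation unit still references it, it belongs in this same cleanup; if something does, it should at least become `static uint32_t cuid = 0;` so the tag-identity value fed into crypto1 state is not writable from the whole program. The header hunk drops `extern char logHexFileName[FILE_PATH_SIZE]` but I cannot see whether a matching `extern` for `cuid` remains in mifarehost.h, so that needs checking before making it static. This hunk ends inside `mf_crypto1_decrypt`, whose body continues outside it.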
@@ -1076,181 +961,6 @@ void mf_crypto1_decrypt(struct Crypto1State *pcs, uint8_t *data, int len, bool i } } -int mfTraceDecode(struct Crypto1State *traceCrypto1, uint8_t *data_src, int len, bool wantSaveToEmlFile) { - if (traceState == TRACE_ERROR) - return PM3_ESOFT; - - if (len > 255) { - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - - uint8_t data[255]; - memset(data, 0x00, sizeof(data)); - - memcpy(data, data_src, len); - - if ((traceCrypto1) && ((traceState == TRACE_IDLE) || (traceState > TRACE_AUTH_OK))) { - mf_crypto1_decrypt(traceCrypto1, data, len, 0); - PrintAndLogEx(NORMAL, "DEC| %s", sprint_hex(data, len)); - AddLogHex(logHexFileName, "DEC| ", data, len); - } - - switch (traceState) { - case TRACE_IDLE: - // check packet crc16! - if ((len >= 4) && (!check_crc(CRC_14443_A, data, len))) { - PrintAndLogEx(NORMAL, "DEC| CRC ERROR!!!"); - AddLogLine(logHexFileName, "DEC| ", "CRC ERROR!!!"); - traceState = TRACE_ERROR; // do not decrypt the next commands - return PM3_ESOFT; - } - - // AUTHENTICATION - if ((len == 4) && ((data[0] == MIFARE_AUTH_KEYA) || (data[0] == MIFARE_AUTH_KEYB))) { - traceState = TRACE_AUTH1; - traceCurBlock = data[1]; - traceCurKey = data[0] == 60 ? 
1 : 0; - return PM3_SUCCESS; - } - - // READ - if ((len == 4) && ((data[0] == ISO14443A_CMD_READBLOCK))) { - traceState = TRACE_READ_DATA; - traceCurBlock = data[1]; - return PM3_SUCCESS; - } - - // WRITE - if ((len == 4) && ((data[0] == ISO14443A_CMD_WRITEBLOCK))) { - traceState = TRACE_WRITE_OK; - traceCurBlock = data[1]; - return PM3_SUCCESS; - } - - // HALT - if ((len == 4) && ((data[0] == ISO14443A_CMD_HALT) && (data[1] == 0x00))) { - traceState = TRACE_ERROR; // do not decrypt the next commands - return PM3_SUCCESS; - } - return PM3_SUCCESS; - - case TRACE_READ_DATA: - if (len == 18) { - traceState = TRACE_IDLE; - - if (isBlockTrailer(traceCurBlock)) { - memcpy(traceCard + traceCurBlock * 16 + 6, data + 6, 4); - } else { - memcpy(traceCard + traceCurBlock * 16, data, 16); - } - if (wantSaveToEmlFile) saveTraceCard(); - return PM3_SUCCESS; - } else { - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - break; - case TRACE_WRITE_OK: - if ((len == 1) && (data[0] == 0x0a)) { - traceState = TRACE_WRITE_DATA; - return PM3_SUCCESS; - } else { - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - break; - case TRACE_WRITE_DATA: - if (len == 18) { - traceState = TRACE_IDLE; - memcpy(traceCard + traceCurBlock * 16, data, 16); - if (wantSaveToEmlFile) saveTraceCard(); - return PM3_SUCCESS; - } else { - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - break; - case TRACE_AUTH1: - if (len == 4) { - traceState = TRACE_AUTH2; - //nt = bytes_to_num(data, 4); - return PM3_SUCCESS; - } else { - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - break; - case TRACE_AUTH2: - if (len == 8) { - traceState = TRACE_AUTH_OK; - //nr_enc = bytes_to_num(data, 4); - //ar_enc = bytes_to_num(data + 4, 4); - return PM3_SUCCESS; - } else { - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - break; - case TRACE_AUTH_OK: - if (len == 4) { - uint32_t nt = 0; // tag challenge - uint32_t nr_enc = 0; // encrypted reader challenge - uint32_t ar_enc = 0; // encrypted reader response - 
uint32_t at_enc = 0; // encrypted tag response - traceState = TRACE_IDLE; - // encrypted tag response - at_enc = bytes_to_num(data, 4); - - // mfkey64 recover key. - uint64_t key = 0; - uint32_t ks2 = ar_enc ^ prng_successor(nt, 64); - uint32_t ks3 = at_enc ^ prng_successor(nt, 96); - struct Crypto1State *revstate = lfsr_recovery64(ks2, ks3); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, nr_enc, 1); - lfsr_rollback_word(revstate, cuid ^ nt, 0); - crypto1_get_lfsr(revstate, &key); - free(revstate); - PrintAndLogEx(SUCCESS, "found Key: [%012" PRIx64 "]", key); - - //if ( tryMfk64(cuid, nt, nr_enc, ar_enc, at_enc, &key) ) - AddLogUint64(logHexFileName, "Found Key: ", key); - - int blockShift = ((traceCurBlock & 0xFC) + 3) * 16; - if (isBlockEmpty((traceCurBlock & 0xFC) + 3)) - memcpy(traceCard + blockShift + 6, trailerAccessBytes, 4); - - // keytype A/B - if (traceCurKey) - num_to_bytes(key, 6, traceCard + blockShift + 10); - else - num_to_bytes(key, 6, traceCard + blockShift); - - if (wantSaveToEmlFile) - saveTraceCard(); - - if (traceCrypto1) - crypto1_destroy(traceCrypto1); - - // set cryptosystem state - traceCrypto1 = lfsr_recovery64(ks2, ks3); - - } else { - PrintAndLogEx(WARNING, "nested key recovery not implemented!\n"); - //at_enc = bytes_to_num(data, 4); - crypto1_destroy(traceCrypto1); - traceState = TRACE_ERROR; - } - break; - default: - traceState = TRACE_ERROR; - return PM3_ESOFT; - } - return PM3_SUCCESS; -} - int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len) { PrintAndLogEx(SUCCESS, "\nencrypted data: [%s]", sprint_hex(data, len)); struct Crypto1State *s; diff --git a/client/src/mifare/mifarehost.h b/client/src/mifare/mifarehost.h index 0595b2f8b..fc3a571be 100644 --- a/client/src/mifare/mifarehost.h +++ b/client/src/mifare/mifarehost.h 
@@ -54,7 +54,6 @@ typedef struct { //uint8_t foundKey[2]; } icesector_t; -extern char logHexFileName[FILE_PATH_SIZE]; #define KEYS_IN_BLOCK ((PM3_CMD_DATA_SIZE - 4) / 6) #define KEYBLOCK_SIZE (KEYS_IN_BLOCK * 6) #define CANDIDATE_SIZE (0xFFFF * 6) @@ -81,14 +80,6 @@ int mfCWipe(uint8_t *uid, uint8_t *atqa, uint8_t *sak); int mfCSetBlock(uint8_t blockNo, uint8_t *data, uint8_t *uid, uint8_t params); int mfCGetBlock(uint8_t blockNo, uint8_t *data, uint8_t params); -int mfTraceInit(struct Crypto1State **traceCrypto1, uint8_t *tuid, uint8_t uidlen, uint8_t *atqa, uint8_t sak, bool wantSaveToEmlFile); -int mfTraceDecode(struct Crypto1State *traceCrypto1, uint8_t *data_src, int len, bool wantSaveToEmlFile); - -int isTraceCardEmpty(void); -int isBlockEmpty(int blockN); -int isBlockTrailer(int blockN); -int loadTraceCard(uint8_t *tuid, uint8_t uidlen); -int saveTraceCard(void); int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len); int detect_classic_prng(void);