CHG: removing some time-debug statements.

CHG: increased the time-out message 2sec, in proxmark, to make "hf mf chk" work better. CHG: still trying to solve the "hf mf mifare" WDT_HIT bug. With these changes, the "hf mf chk" / "Hf mf nested" looks similar and should be a bit faster.
2025-03-21 12:37:21 +08:00 · 2016-02-19 22:34:39 +01:00 · 2016-02-19 22:34:39 +01:00 · b03006794f
commit b03006794f
parent e66ff99cc9
3 changed files with 58 additions and 81 deletions
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -1167,20 +1167,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 				p_response = NULL;
 		} else if(receivedCmd[0] == 0x3C && tagType == 7) {	// Received a READ SIGNATURE -- 
 				// ECC data,  taken from a NTAG215 amiibo token. might work. LEN: 32, + 2 crc
 				//first 12 blocks of emu are [getversion answer - check tearing - pack - 0x00 - signature]
 				uint16_t start = 4 * 4;
 				uint8_t emdata[34];
 				emlGetMemBt( emdata, start, 32);
 				AppendCrc14443a(emdata, 32);
 				EmSendCmdEx(emdata, sizeof(emdata), false);
 				//uint8_t data[] = {0x56,0x06,0xa6,0x4f,0x43,0x32,0x53,0x6f,
 				//				  0x43,0xda,0x45,0xd6,0x61,0x38,0xaa,0x1e,
 				//				  0xcf,0xd3,0x61,0x36,0xca,0x5f,0xbb,0x05,
 				//				  0xce,0x21,0x24,0x5b,0xa6,0x7a,0x79,0x07,
 				//				  0x00,0x00};
 				//AppendCrc14443a(data, sizeof(data)-2);
 				//EmSendCmdEx(data,sizeof(data),false);
 				p_response = NULL;					
 		} else if (receivedCmd[0] == 0x39 && tagType == 7) {	// Received a READ COUNTER -- 
 			uint8_t index = receivedCmd[1];
@ -1211,8 +1203,6 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 			AppendCrc14443a(emdata, sizeof(emdata)-2);
 			EmSendCmdEx(emdata, sizeof(emdata), false);	
 			p_response = NULL;		
 			//p_response = &responses[9];				
 		} else if(receivedCmd[0] == 0x50) {	// Received a HALT
 			LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
 			p_response = NULL;
@ -1224,7 +1214,6 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 				AppendCrc14443a(emdata, sizeof(emdata)-2);
 				EmSendCmdEx(emdata, sizeof(emdata), false);	
 				p_response = NULL;
 				//p_response = &responses[7];
 			} else {
 				p_response = &responses[5]; order = 7;
 			}
@ -1299,7 +1288,6 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data)
 				AppendCrc14443a(emdata, 2);
 				EmSendCmdEx(emdata, sizeof(emdata), false);
 				p_response = NULL;
 				//p_response =  &responses[8]; // PACK response
 				uint32_t pwd = bytes_to_num(receivedCmd+1,4);
 				if ( MF_DBGLEVEL >= 3)  Dbprintf("Auth attempt: %08x", pwd);	
@ -2217,28 +2205,25 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+1;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+1;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-1;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+2;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+2;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-2;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+3;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+3;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-3;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+4;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+4;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-4;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+5;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+5;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-5;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+6;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+6;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-6;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+7;
-		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+7;
+		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i-7;
 		nttmp1 = prng_successor_one(nttmp1); if (nttmp1 == nt2) return i+8;
 		nttmp2 = prng_successor_one(nttmp2); if (nttmp2 == nt1) return -i+8;
 /*
 		if ( prng_successor(nttmp1, i) == nt2) return i;
 		if ( prng_successor(nttmp2, i) == nt1) return -i;
@ -2260,9 +2245,6 @@ int32_t dist_nt(uint32_t nt1, uint32_t nt2) {
 		if ( prng_successor(nttmp1, i+7) == nt2) return i+7;
 		if ( prng_successor(nttmp2, i+7) == nt1) return -(i+7);
 		if ( prng_successor(nttmp1, i+8) == nt2) return i+8;
 		if ( prng_successor(nttmp2, i+8) == nt1) return -(i+8);
 */
 	}
@ -2283,51 +2265,48 @@ void ReaderMifare(bool first_try, uint8_t block )
 	//uint8_t mf_auth[]    = { 0x60,0x05, 0x58, 0x2c };
 	uint8_t mf_auth[] 	= { 0x60,0x00, 0x00, 0x00 };
 	uint8_t mf_nr_ar[]	= { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
-	static uint8_t mf_nr_ar3 = 0;
+	uint8_t uid[10]		= {0,0,0,0,0,0,0,0,0,0};
 	uint8_t par_list[8]	= {0,0,0,0,0,0,0,0};
 	uint8_t ks_list[8]	= {0,0,0,0,0,0,0,0};
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 	uint8_t par[1] = {0};	// maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
 	mf_auth[1] = block;
 	AppendCrc14443a(mf_auth, 2);
 	uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};
 	uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE] = {0x00};
 	byte_t nt_diff = 0;
 	uint8_t par[1] = {0};	// maximum 8 Bytes to be sent here, 1 byte parity is therefore enough
 	static byte_t par_low = 0;
 	uint8_t uid[10] = {0};
 	//uint32_t cuid = 0;
 	uint32_t nt = 0;
 	uint32_t previous_nt = 0;	
-	static uint32_t nt_attacked = 0;
+	uint32_t halt_time = 0;
-	byte_t par_list[8] = {0x00};
+	uint32_t cuid = 0;
 	byte_t ks_list[8] = {0x00};
 	static uint32_t sync_time = 0;
 	static int32_t sync_cycles = 0;
 	int catch_up_cycles = 0;
 	int last_catch_up = 0;
 	uint16_t elapsed_prng_sequences = 1;
 	uint16_t consecutive_resyncs = 0;
 	int isOK = 0;
-	#define PRNG_SEQUENCE_LENGTH  (1 << 16);
+	uint16_t elapsed_prng_sequences = 1;
-	#define MAX_UNEXPECTED_RANDOM	4		// maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
+	uint16_t consecutive_resyncs = 0;
 	#define MAX_SYNC_TRIES			32
 	#define NUM_DEBUG_INFOS			8		// per strategy
 	#define MAX_STRATEGY			3
 	uint16_t unexpected_random = 0;
 	uint16_t sync_tries = 0;
 	uint16_t strategy = 0;
-	uint32_t halt_time = 0;
+
 	static uint32_t nt_attacked = 0;
 	static uint32_t sync_time = 0;
 	static int32_t sync_cycles = 0;
 	static uint8_t par_low = 0;
 	static uint8_t mf_nr_ar3 = 0;
 	#define PRNG_SEQUENCE_LENGTH	(1 << 16)
 	#define MAX_UNEXPECTED_RANDOM	4		// maximum number of unexpected (i.e. real) random numbers when trying to sync. Then give up.
 	#define MAX_SYNC_TRIES		32
 	#define MAX_STRATEGY		3
 	clear_trace();
 	set_tracing(TRUE);
 	LED_A_ON();
 	LED_B_OFF();
 	LED_C_OFF();
 	if (first_try)
 		iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
@ -2337,17 +2316,19 @@ void ReaderMifare(bool first_try, uint8_t block )
 	if (first_try) { 
 		sync_time = GetCountSspClk() & 0xfffffff8;
-		sync_cycles = PRNG_SEQUENCE_LENGTH; //65536;	//0x10000			// theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
+		sync_cycles = PRNG_SEQUENCE_LENGTH + 1100; //65536;	//0x10000			// theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
 		mf_nr_ar3 = 0;			
 		nt_attacked = 0;
-		par[0] = 0;
+
 	} else {
-		// we were unsuccessful on a previous call. Try another READER nonce (first 3 parity bits remain the same)
+		// we were unsuccessful on a previous call. 
-		mf_nr_ar3++;
+		// Try another READER nonce (first 3 parity bits remain the same)
 		++mf_nr_ar3;
 		mf_nr_ar[3] = mf_nr_ar3;
 		par[0] = par_low;
 	}
 		LED_A_ON();
 	LED_C_ON(); 
 	for(uint16_t i = 0; TRUE; ++i) {
@ -2378,18 +2359,22 @@ void ReaderMifare(bool first_try, uint8_t block )
 			WDT_HIT();
 		}
-		if (!iso14443a_select_card(uid, NULL, NULL, true, 0)) {
+		if (!iso14443a_select_card(uid, NULL,  &cuid, true, 0)) {
-			if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card\n");
+			if (MF_DBGLEVEL >= 2) Dbprintf("Mifare: Can't select card\n");
 			continue;
 		}
 		// Sending timeslot of ISO14443a frame
 		sync_time = (sync_time & 0xfffffff8) + sync_cycles + catch_up_cycles;
 		catch_up_cycles = 0;
 		//catch_up_cycles = 0;
 		// if we missed the sync time already, advance to the next nonce repeat
 		while(GetCountSspClk() > sync_time) {
 			++elapsed_prng_sequences;
-			sync_time += sync_cycles;
+			sync_time = (sync_time & 0xfffffff8) + sync_cycles;
 		}
 		// Transmit MIFARE_CLASSIC_AUTH at synctime. Should result in returning the same tag nonce (== nt_attacked) 
 		ReaderTransmit(mf_auth, sizeof(mf_auth), &sync_time);			
@ -2494,6 +2479,7 @@ void ReaderMifare(bool first_try, uint8_t block )
 			par[0] = par_low;
 		} else {
 			// No NACK.	
 			if (nt_diff == 0 && first_try) {
 				par[0]++;
 				if (par[0] == 0x00) {	// tried all 256 possible parities without success. Card doesn't send NACK.
@ -2501,6 +2487,7 @@ void ReaderMifare(bool first_try, uint8_t block )
 					break;
 				}
 			} else {
 				// Why this?
 				par[0] = ((par[0] & 0x1F) + 1) | par_low;
 			}
 		}
@ -2521,8 +2508,8 @@ void ReaderMifare(bool first_try, uint8_t block )
 		par[0] = 0;
 	}
-	byte_t buf[28] = {0x00};
+	uint8_t buf[28] = {0x00};
-	memcpy(buf + 0,  uid, 4);
+	num_to_bytes(cuid, 4, buf);
 	num_to_bytes(nt, 4, buf + 4);
 	memcpy(buf + 8,  par_list, 8);
 	memcpy(buf + 16, ks_list, 8);
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -101,7 +101,7 @@ start:
 	t1 = clock() - t1;
 	if ( t1 > 0 )
-		PrintAndLog("Time in darkside: %.0f ticks - %4.2f sec\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC);
+		PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1);
 	return 0;
 }
@ -707,7 +707,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		}
 		clock_t t2 = clock() - t1;
 		if ( t2 > 0 )
-			PrintAndLog("Time to check 6 known keys: %.0f ticks %4.2f sec", (float)t2, ((float)t2)/CLOCKS_PER_SEC);
+			PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 );
 		PrintAndLog("enter nested...");	
@ -747,7 +747,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		t1 = clock() - t1;
 		if ( t1 > 0 )
-			PrintAndLog("Time in nested: %.0f ticks %4.2f sec (%4.2f sec per key)\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/iterations/CLOCKS_PER_SEC);
+			PrintAndLog("Time in nested: %.0f ticks \n", (float)t1);
 		// 20160116 If Sector A is found, but not Sector B,  try just reading it of the tag?
 		PrintAndLog("trying to read key B...");
@ -1150,14 +1150,14 @@ int CmdHF14AMfChk(const char *Cmd)
 					e_sector[i].Key[trgKeyType] = 0xffffffffffff;
 					e_sector[i].foundKey[trgKeyType] = FALSE;
 				}
 				printf(".");
 			}
 			b < 127 ? ( b +=4 ) : ( b += 16 );	
 		}
 	}
 	t1 = clock() - t1;
 	if ( t1 > 0 )
-		printf("Time in checkkeys: %.0f ticks  %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/keycnt/CLOCKS_PER_SEC);
+		printf("\nTime in checkkeys: %.0f ticks\n", (float)t1);
 	// 20160116 If Sector A is found, but not Sector B,  try just reading it of the tag?
 	PrintAndLog("testing to read B...");
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@ -66,10 +66,8 @@ typedef
 // wrapper function for multi-threaded lfsr_recovery32
 void* nested_worker_thread(void *arg)
 {
 	clock_t t1 = clock();
 	struct Crypto1State *p1;
 	StateList_t *statelist = arg;
 	statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid);	
 	for (p1 = statelist->head.slhead; *(uint64_t *)p1 != 0; p1++);
@ -77,10 +75,6 @@ void* nested_worker_thread(void *arg)
 	statelist->len = p1 - statelist->head.slhead;
 	statelist->tail.sltail = --p1;
 	qsort(statelist->head.slhead, statelist->len, sizeof(uint64_t), Compare16Bits);
 	t1 = clock() - t1;
 	printf("lfsr_recovery32 takes %.0f ticks \n", (float)t1);
 	return statelist->head.slhead;
 }
@ -192,7 +186,6 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
 	// uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt;
 	uint8_t keyBlock[USB_CMD_DATA_SIZE] = {0x00};
 	clock_t t1 = clock();
 	for (i = 0; i < numOfCandidates; ++i){
 		crypto1_get_lfsr(statelists[0].head.slhead + i, &key64);
 		num_to_bytes(key64, 6, keyBlock + i * 6);
@ -203,9 +196,6 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo
 		free(statelists[1].head.slhead);
 		num_to_bytes(key64, 6, resultKey);
 		t1 = clock() - t1;
 		printf("Check candidates takes %.0f ticks \n", (float)t1);	
 		PrintAndLog("UID: %08x target block:%3u key type: %c  -- Found key [%012"llx"]",
 			uid,
 			(uint16_t)resp.arg[2] & 0xff,
@ -235,7 +225,7 @@ int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t key
 	clearCommandBuffer();
 	SendCommand(&c);
 	UsbCommand resp;
-	if (!WaitForResponseTimeout(CMD_ACK,&resp, 3000)) return 1;
+	if (!WaitForResponseTimeout(CMD_ACK,&resp, 2500)) return 1;
 	if ((resp.arg[0] & 0xff) != 0x01) return 2;
 	*key = bytes_to_num(resp.d.asBytes, 6);
 	return 0;