CHG: moved a xor function into util.c

CHG: added some calls to clearCommandBuffer() in /hf mfu/hf 14a sim/hf mf sim/ commands.
CHG: minor adjustments to relative pathing.
This commit is contained in:
iceman1001 2015-05-26 11:04:57 +02:00
parent 7c60a801d6
commit c3c241f389
13 changed files with 134 additions and 91 deletions

View file

@ -45,7 +45,6 @@ ARMSRC = fpgaloader.c \
BigBuf.c \
optimized_cipher.c
# stdint.h provided locally until GCC 4.5 becomes C99 compliant
APP_CFLAGS += -I.

View file

@ -10,16 +10,17 @@
// executes.
//-----------------------------------------------------------------------------
#include "../common/usb_cdc.h"
#include "../common/cmd.h"
#include "../include/proxmark3.h"
#include "../include/hitag2.h"
#include "usb_cdc.h"
#include "cmd.h"
#include "proxmark3.h"
#include "apps.h"
#include "util.h"
#include "printf.h"
#include "string.h"
#include <stdarg.h>
#include "legicrf.h"
#include <hitag2.h>
#include "lfsampling.h"
#include "BigBuf.h"

View file

@ -1007,7 +1007,7 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
response2a[0] = data[3];
response2a[1] = data[4];
response2a[2] = data[5];
response2a[3] = data[7];
response2a[3] = data[6]; //??
response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
// Configure the ATQA and SAK accordingly
@ -1034,7 +1034,7 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
response3a[0] = sak & 0xFB;
ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
uint8_t response5[] = { 0x01, 0x02, 0x03, 0x04 }; // Very random tag nonce
uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS:
// Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present,
// TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
@ -2310,7 +2310,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
uint8_t cardWRBL = 0;
uint8_t cardAUTHSC = 0;
uint8_t cardAUTHKEY = 0xff; // no authentication
uint32_t cardRr = 0;
// uint32_t cardRr = 0;
uint32_t cuid = 0;
//uint32_t rn_enc = 0;
uint32_t ans = 0;
@ -2328,7 +2328,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
//uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
uint8_t rSAK[] = {0x09, 0x3f, 0xcc }; // Mifare Mini
uint8_t rSAK1[] = {0x04, 0xda, 0x17};
uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
@ -2337,9 +2338,11 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
//Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
// This can be used in a reader-only attack.
// (it can also be retrieved via 'hf 14a list', but hey...
uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
uint8_t ar_nr_collected = 0;
Dbprintf("FIRE");
// free eventually allocated BigBuf memory but keep Emulator Memory
BigBuf_free_keep_EM();
@ -2347,6 +2350,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
clear_trace();
set_tracing(TRUE);
Dbprintf("ICE");
// Authenticate response - nonce
uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
@ -2376,6 +2380,12 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
}
}
Dbprintf("ICE2");
// save uid.
ar_nr_responses[0*5] = bytes_to_num(rUIDBCC1+1, 3);
if ( _7BUID )
ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
/*
* Regardless of what method was used to set the UID, set fifth byte and modify
* the ATQA for 4 or 7-byte UID
@ -2403,6 +2413,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
}
}
Dbprintf("ICE3");
bool finished = FALSE;
while (!BUTTON_PRESS() && !finished) {
WDT_HIT();
@ -2418,7 +2429,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
if(cardSTATE == MFEMUL_NOFIELD) continue;
//Now, get data
res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
if (res == 2) { //Field is off!
cardSTATE = MFEMUL_NOFIELD;
@ -2493,10 +2503,11 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
if(ar_nr_collected < 2){
if(ar_nr_responses[2] != ar)
{// Avoid duplicates... probably not necessary, ar should vary.
ar_nr_responses[ar_nr_collected*4] = cuid;
ar_nr_responses[ar_nr_collected*4+1] = nonce;
ar_nr_responses[ar_nr_collected*4+2] = ar;
ar_nr_responses[ar_nr_collected*4+3] = nr;
//ar_nr_responses[ar_nr_collected*5] = 0;
//ar_nr_responses[ar_nr_collected*5+1] = 0;
ar_nr_responses[ar_nr_collected*5+2] = nonce;
ar_nr_responses[ar_nr_collected*5+3] = nr;
ar_nr_responses[ar_nr_collected*5+4] = ar;
ar_nr_collected++;
}
// Interactive mode flag, means we need to send ACK
@ -2507,22 +2518,23 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
}
// --- crypto
crypto1_word(pcs, ar , 1);
cardRr = nr ^ crypto1_word(pcs, 0, 0);
//crypto1_word(pcs, ar , 1);
//cardRr = nr ^ crypto1_word(pcs, 0, 0);
// test if auth OK
if (cardRr != prng_successor(nonce, 64)){
if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
cardRr, prng_successor(nonce, 64));
//test if auth OK
//if (cardRr != prng_successor(nonce, 64)){
//if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
// cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
// cardRr, prng_successor(nonce, 64));
// Shouldn't we respond anything here?
// Right now, we don't nack or anything, which causes the
// reader to do a WUPA after a while. /Martin
// -- which is the correct response. /piwi
cardSTATE_TO_IDLE();
LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
break;
}
//cardSTATE_TO_IDLE();
//LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
//break;
//}
ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
@ -2630,13 +2642,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
|| receivedCmd[0] == 0xB0) { // transfer
if (receivedCmd[1] >= 16 * 4) {
EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
break;
}
if (receivedCmd[1] / 4 != cardAUTHSC) {
EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
break;
}
}
@ -2668,7 +2680,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
if (emlCheckValBl(receivedCmd[1])) {
if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
break;
}
@ -2770,35 +2782,37 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
{
//May just aswell send the collected ar_nr in the response aswell
cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,1,0,&ar_nr_responses,ar_nr_collected*4*4);
uint8_t len = ar_nr_collected*5*4;
cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
}
if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 )
{
if(ar_nr_collected > 1 ) {
Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
ar_nr_responses[0], // UID
ar_nr_responses[1], // NT
ar_nr_responses[2], // AR1
ar_nr_responses[3], // NR1
ar_nr_responses[6], // AR2
ar_nr_responses[7] // NR2
Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
ar_nr_responses[0], // UID1
ar_nr_responses[1], // UID2
ar_nr_responses[2], // NT
ar_nr_responses[3], // AR1
ar_nr_responses[4], // NR1
ar_nr_responses[8], // AR2
ar_nr_responses[9] // NR2
);
} else {
Dbprintf("Failed to obtain two AR/NR pairs!");
if(ar_nr_collected > 0 ) {
Dbprintf("Only got these: UID=%08x, nonce=%08x, AR1=%08x, NR1=%08x",
ar_nr_responses[0], // UID
ar_nr_responses[1], // NT
ar_nr_responses[2], // AR1
ar_nr_responses[3] // NR1
Dbprintf("Only got these: UID=%07x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
ar_nr_responses[0], // UID1
ar_nr_responses[1], // UID2
ar_nr_responses[2], // NT
ar_nr_responses[3], // AR1
ar_nr_responses[4] // NR1
);
}
}
}
if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
if (MF_DBGLEVEL >= 1) Dbprintf("Emulator stopped. Tracing: %d trace length: %d ", tracing, BigBuf_get_traceLen());
}

View file

@ -9,7 +9,7 @@
// with the linker script.
//-----------------------------------------------------------------------------
#include "../include/proxmark3.h"
#include "proxmark3.h"
#include "apps.h"
extern char __data_start__, __data_src_start__, __data_end__, __bss_start__, __bss_end__;

View file

@ -8,7 +8,7 @@
// Utility functions used in many places, not specific to any piece of code.
//-----------------------------------------------------------------------------
#include "../include/proxmark3.h"
#include "proxmark3.h"
#include "util.h"
#include "string.h"
#include "apps.h"

View file

@ -481,6 +481,8 @@ int CmdHF14ASim(const char *Cmd)
uint64_t uid = 0;
uint8_t cmdp = 0;
clearCommandBuffer();
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
@ -537,19 +539,18 @@ int CmdHF14ASim(const char *Cmd)
uint8_t data[40];
uint8_t key[6];
UsbCommand resp;
while(!ukbhit()){
UsbCommand resp;
WaitForResponseTimeout(CMD_ACK,&resp,1500);
PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]);
if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
memset(data, 0x00, sizeof(data));
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
tryMfk32(uid, data, key);
//tryMfk64(uid, data, key);
PrintAndLog("--");
if ( WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
memset(data, 0x00, sizeof(data));
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
tryMfk32(uid, data, key);
//tryMfk64(uid, data, key);
PrintAndLog("--");
}
}
}
return 0;

View file

@ -1012,8 +1012,10 @@ int CmdHF14AMf1kSim(const char *Cmd)
uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};
uint8_t exitAfterNReads = 0;
uint8_t flags = 0;
uint8_t cmdp = param_getchar(Cmd, 0);
clearCommandBuffer();
if (cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");
@ -1065,25 +1067,38 @@ int CmdHF14AMf1kSim(const char *Cmd)
if(flags & FLAG_INTERACTIVE)
{
uint64_t corr_uid = bytes_to_num(uid, ( flags & FLAG_4B_UID_IN_DATA ) ? 4 : 7 );
PrintAndLog("Press pm3-button to abort simulation");
uint8_t data[40];
uint8_t key[6];
while(!ukbhit()){
UsbCommand resp;
WaitForResponseTimeout(CMD_ACK,&resp,1500);
PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]);
if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
memset(data, 0x00, sizeof(data));
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
tryMfk32(corr_uid, data, key);
//tryMfk64(corr_uid, data, key);
PrintAndLog("--");
UsbCommand resp;
while(!ukbhit() ){
if ( WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {
if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){
memset(data, 0x00, sizeof(data));
memset(key, 0x00, sizeof(key));
int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
memcpy(data, resp.d.asBytes, len);
uint64_t corr_uid = 0;
if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {
corr_uid = (data[3] << 24) | (data[2] << 16) | (data[1] << 8) | data[0];
}
else {
corr_uid |= (uint64_t)data[2] << 48;
corr_uid |= (uint64_t)data[1] << 40;
corr_uid |= (uint64_t)data[0] << 32;
corr_uid |= data[7] << 24;
corr_uid |= data[6] << 16;
corr_uid |= data[5] << 8;
corr_uid |= data[4];
}
tryMfk32(corr_uid, data, key);
//tryMfk64(corr_uid, data, key);
PrintAndLog("--");
}
}
}
}

View file

@ -36,9 +36,6 @@ uint8_t key_defa_data[16] = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,
uint8_t key_picc_data[16] = { 0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f };
static int CmdHelp(const char *Cmd);
static void xor(unsigned char * dst, unsigned char * src, size_t len);
static int32_t le24toh (uint8_t data[3]);
int CmdHF14ADesWb(const char *Cmd)
{
@ -640,23 +637,14 @@ int CmdHF14ADesAuth(const char *Cmd){
}
static void xor(unsigned char * dst, unsigned char * src, size_t len) {
for( ; len > 0; len--,dst++,src++)
*dst ^= *src;
}
static int32_t le24toh (uint8_t data[3]) {
return (data[2] << 16) | (data[1] << 8) | data[0];
}
static command_t CommandTable[] =
{
{"help", CmdHelp, 1, "This help"},
{"auth", CmdHF14ADesAuth, 0, "Tries a MIFARE DesFire Authentication"},
{"rb", CmdHF14ADesRb, 0, "Read MIFARE DesFire block"},
{"wb", CmdHF14ADesWb, 0, "write MIFARE DesFire block"},
{"info", CmdHF14ADesInfo, 0, "Get MIFARE DesFire information"},
{"enum", CmdHF14ADesEnumApplications,0, "Tries enumerate all applications"},
{"auth", CmdHF14ADesAuth, 0, "Tries a MIFARE DesFire Authentication"},
{"rdbl", CmdHF14ADesRb, 0, "Read MIFARE DesFire block"},
{"wrbl", CmdHF14ADesWb, 0, "write MIFARE DesFire block"},
{NULL, NULL, 0, NULL}
};

View file

@ -646,6 +646,8 @@ int CmdHF14AMfUInfo(const char *Cmd){
int len = 0;
char tempStr[50];
clearCommandBuffer();
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
@ -857,6 +859,8 @@ int CmdHF14AMfUWrBl(const char *Cmd){
uint8_t authenticationkey[16] = {0x00};
uint8_t *authKeyPtr = authenticationkey;
clearCommandBuffer();
// starting with getting tagtype
TagTypeUL_t tagtype = GetHF14AMfU_Type();
if (tagtype == UL_ERROR) return -1;
@ -982,7 +986,9 @@ int CmdHF14AMfURdBl(const char *Cmd){
uint8_t data[16] = {0x00};
uint8_t authenticationkey[16] = {0x00};
uint8_t *authKeyPtr = authenticationkey;
clearCommandBuffer();
// starting with getting tagtype
TagTypeUL_t tagtype = GetHF14AMfU_Type();
if (tagtype == UL_ERROR) return -1;
@ -1179,6 +1185,8 @@ int CmdHF14AMfUDump(const char *Cmd){
uint8_t startPage = 0;
char tempStr[50];
clearCommandBuffer();
while(param_getchar(Cmd, cmdp) != 0x00)
{
switch(param_getchar(Cmd, cmdp))
@ -1403,6 +1411,8 @@ int CmdHF14AMfucAuth(const char *Cmd){
char cmdp = param_getchar(Cmd, 0);
clearCommandBuffer();
//Change key to user defined one
if (cmdp == 'k' || cmdp == 'K'){
keyNo = param_get8(Cmd, 1);
@ -1542,6 +1552,8 @@ int CmdHF14AMfucSetPwd(const char *Cmd){
char cmdp = param_getchar(Cmd, 0);
clearCommandBuffer();
if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf mfu setpwd <password (32 hex symbols)>");
PrintAndLog(" [password] - (32 hex symbols)");
@ -1588,6 +1600,8 @@ int CmdHF14AMfucSetUid(const char *Cmd){
uint8_t uid[7] = {0x00};
char cmdp = param_getchar(Cmd, 0);
clearCommandBuffer();
if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') {
PrintAndLog("Usage: hf mfu setuid <uid (14 hex symbols)>");
PrintAndLog(" [uid] - (14 hex symbols)");

View file

@ -15,7 +15,6 @@
#include "ui.h"
#include "proxmark3.h"
#include "cmdparser.h"
#include "cmddata.h"
#include "cmdhw.h"
#include "cmdmain.h"
#include "cmddata.h"

View file

@ -34,7 +34,7 @@ static int CmdHelp(const char *Cmd);
static int CmdQuit(const char *Cmd);
//For storing command that are received from the device
#define CMD_BUFFER_SIZE 50
#define CMD_BUFFER_SIZE 60
static UsbCommand cmdBuffer[CMD_BUFFER_SIZE];
//Points to the next empty position to write to
static int cmd_head;//Starts as 0

View file

@ -444,3 +444,12 @@ void wiegand_add_parity(char *target, char *source, char length)
target += length;
*(target)= GetParity(source + length / 2, ODD, length / 2);
}
void xor(unsigned char * dst, unsigned char * src, size_t len) {
for( ; len > 0; len--,dst++,src++)
*dst ^= *src;
}
int32_t le24toh (uint8_t data[3]) {
return (data[2] << 16) | (data[1] << 8) | data[0];
}

View file

@ -63,3 +63,6 @@ void binarraytobinstring(char *target, char *source, int length);
uint8_t GetParity( char *string, uint8_t type, int length);
void wiegand_add_parity(char *target, char *source, char length);
void xor(unsigned char * dst, unsigned char * src, size_t len);
int32_t le24toh (uint8_t data[3]);