iceman1001 2016-10-28 13:07:09 +02:00
commit d433698311
7 changed files with 60 additions and 33 deletions


@ -222,7 +222,7 @@ You only need devkitARM, nothing more (no extra lib or anything else) to compile
`export DEVKITARM=/c/devkitPro/devkitARM`
`export PATH=$PATH:$DEVKITARM/bin`
### 6 - Install Strawberry Perl
### 6. Install Strawberry Perl
Download and install: http://strawberry-perl.googlecode.com/files/strawberry-perl-5.10.1.1.msi
### 7. Build and run


@ -143,6 +143,7 @@ int usage_hf_14a_sim(void) {
// PrintAndLog(" u : 4, 7 or 10 byte UID");
PrintAndLog(" u : 4, 7 byte UID");
PrintAndLog(" x : (Optional) performs the 'reader attack', nr/ar attack against a legitimate reader");
PrintAndLog(" v : (Optional) show maths used for cracking reader. Useful for debugging.");
PrintAndLog("\n sample : hf 14a sim t 1 u 11223344 x");
PrintAndLog(" : hf 14a sim t 1 u 11223344");
PrintAndLog(" : hf 14a sim t 1 u 11223344556677");
@ -447,6 +448,7 @@ int CmdHF14ASim(const char *Cmd) {
uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0};
int uidlen = 0;
bool useUIDfromEML = TRUE;
bool showMaths = false;
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
@ -477,6 +479,11 @@ int CmdHF14ASim(const char *Cmd) {
}
cmdp += 2;
break;
case 'v':
case 'V':
showMaths = true;
cmdp++;
break;
case 'x':
case 'X':
flags |= FLAG_NR_AR_ATTACK;
@ -513,7 +520,7 @@ int CmdHF14ASim(const char *Cmd) {
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
memcpy( data, resp.d.asBytes, sizeof(data) );
readerAttack(data, TRUE);
readerAttack(data, TRUE, showMaths);
}
return 0;
}
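Review bot: The new `v` option in CmdHF14ASim only sets `showMaths`, which is consumed solely by the `readerAttack(data, TRUE, showMaths)` call, so it appears to do nothing unless `x` is also given; neither the help line nor the samples say so. I would reword the usage line to `PrintAndLog(" v : (Optional) show maths used for cracking reader, only has an effect together with x");` and add a sample such as `hf 14a sim t 1 u 11223344 x v`. The same applies to the `v` line added to usage_hf14_mf1ksim and the `v` case in CmdHF14AMf1kSim in the next file. The declarations also mix `TRUE` and `false` on adjacent lines (`useUIDfromEML = TRUE`, `showMaths = false`); one spelling would read better. CmdHF14ASim's body extends beyond the hunks shown.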


@ -32,6 +32,7 @@ int usage_hf14_mf1ksim(void){
PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
PrintAndLog(" e (Optional) Fill simulator keys from what we crack");
PrintAndLog(" v (Optional) Show maths used for cracking reader. Useful for debugging.");
PrintAndLog("samples:");
PrintAndLog(" hf mf sim u 0a0a0a0a");
PrintAndLog(" hf mf sim u 11223344556677");
@ -1364,7 +1365,7 @@ int CmdHF14AMfChk(const char *Cmd) {
#define ATTACK_KEY_COUNT 8
sector *k_sector = NULL;
uint8_t k_sectorsCount = 16;
void readerAttack(nonces_t data[], bool setEmulatorMem) {
void readerAttack(nonces_t data[], bool setEmulatorMem, bool showMaths) {
// initialize storage for found keys
if (k_sector == NULL)
@ -1413,7 +1414,7 @@ void readerAttack(nonces_t data[], bool setEmulatorMem) {
}
#endif
//moebius attack
if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key)) {
if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, showMaths)) {
uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;
uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;
@ -1449,11 +1450,14 @@ int CmdHF14AMf1kSim(const char *Cmd) {
uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
uint8_t exitAfterNReads = 0;
uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);
int uidlen = 0;
int uidlen = 0;
bool setEmulatorMem = false;
uint8_t cmdp = 0;
bool errors = false;
// If set to true, we should show our workings when doing NR_AR_ATTACK.
bool showMaths = false;
while(param_getchar(Cmd, cmdp) != 0x00) {
switch(param_getchar(Cmd, cmdp)) {
case 'e':
@ -1485,6 +1489,11 @@ int CmdHF14AMf1kSim(const char *Cmd) {
}
cmdp +=2;
break;
case 'v':
case 'V':
showMaths = true;
cmdp++;
break;
case 'x':
case 'X':
flags |= FLAG_NR_AR_ATTACK;
@ -1524,7 +1533,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
memcpy( data, resp.d.asBytes, sizeof(data) );
readerAttack(data, setEmulatorMem);
readerAttack(data, setEmulatorMem, showMaths);
}
if (k_sector != NULL) {
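Review bot: readerAttack now takes a third parameter but its definition has no comment describing it, and in the lines shown `showMaths` is forwarded only to `tryMfk32_moebius`. A short comment above the definition would help, for example `// showMaths: when true, tryMfk32_moebius prints the nonces and LFSR intermediates it works from`. If the conditionally compiled block that ends at the `#endif` just above the moebius call also runs a key-recovery routine, its output is not controlled by this flag, which is worth either wiring through or stating in that comment. readerAttack's body begins and ends outside these hunks, so this is based only on the visible call.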


@ -28,19 +28,19 @@
#include "nonce2key/nonce2key.h"
int CmdHFMF(const char *Cmd);
int CmdHF14AMfDbg(const char* cmd);
int CmdHF14AMfRdBl(const char* cmd);
int CmdHF14AMfURdBl(const char* cmd);
int CmdHF14AMfRdSc(const char* cmd);
int CmdHF14SMfURdCard(const char* cmd);
int CmdHF14AMfDump(const char* cmd);
int CmdHF14AMfRestore(const char* cmd);
int CmdHF14AMfWrBl(const char* cmd);
int CmdHF14AMfUWrBl(const char* cmd);
int CmdHF14AMfChk(const char* cmd);
int CmdHF14AMifare(const char* cmd);
int CmdHF14AMfNested(const char* cmd);
int CmdHF14AMfDbg(const char* cmd);
int CmdHF14AMfRdBl(const char* cmd);
int CmdHF14AMfURdBl(const char* cmd);
int CmdHF14AMfRdSc(const char* cmd);
int CmdHF14SMfURdCard(const char* cmd);
int CmdHF14AMfDump(const char* cmd);
int CmdHF14AMfRestore(const char* cmd);
int CmdHF14AMfWrBl(const char* cmd);
int CmdHF14AMfUWrBl(const char* cmd);
int CmdHF14AMfChk(const char* cmd);
int CmdHF14AMifare(const char* cmd);
int CmdHF14AMfNested(const char* cmd);
int CmdHF14AMfNestedHard(const char *Cmd);
int CmdHF14AMfSniff(const char* cmd);
int CmdHF14AMf1kSim(const char* cmd);
@ -60,6 +60,6 @@ int CmdHF14AMfCLoad(const char* cmd);
int CmdHF14AMfCSave(const char* cmd);
int CmdHf14MfDecryptBytes(const char *Cmd);
void readerAttack(nonces_t data[], bool setEmulatorMem);
void readerAttack(nonces_t data[], bool setEmulatorMem, bool showMaths);
void printKeyTable( uint8_t sectorscnt, sector *e_sector );
#endif


@ -208,7 +208,7 @@ bool tryMfk32(nonces_t data, uint64_t *outputkey) {
return isSuccess;
}
bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey) {
bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths) {
struct Crypto1State *s, *t;
uint64_t outkey = 0;
uint64_t key = 0; // recovered key
@ -223,24 +223,28 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey) {
bool isSuccess = FALSE;
int counter = 0;
printf("Recovering key for:\n");
printf(" uid: %08x\n",uid);
printf(" nt_0: %08x\n",nt0);
printf(" {nr_0}: %08x\n",nr0_enc);
printf(" {ar_0}: %08x\n",ar0_enc);
printf(" nt_1: %08x\n",nt1);
printf(" {nr_1}: %08x\n",nr1_enc);
printf(" {ar_1}: %08x\n",ar1_enc);
if (showMaths) {
printf("Recovering key for:\n");
printf(" uid: %08x\n", uid);
printf(" nt_0: %08x\n", nt0);
printf(" {nr_0}: %08x\n", nr0_enc);
printf(" {ar_0}: %08x\n", ar0_enc);
printf(" nt_1: %08x\n", nt1);
printf(" {nr_1}: %08x\n", nr1_enc);
printf(" {ar_1}: %08x\n", ar1_enc);
}
//PrintAndLog("Enter mfkey32_moebius");
clock_t t1 = clock();
printf("\nLFSR succesors of the tag challenge:\n");
uint32_t p640 = prng_successor(nt0, 64);
uint32_t p641 = prng_successor(nt1, 64);
printf(" nt': %08x\n", p640);
printf(" nt'': %08x\n", prng_successor(p640, 32));
if (showMaths) {
printf("\nLFSR succesors of the tag challenge:\n");
printf(" nt': %08x\n", p640);
printf(" nt'': %08x\n", prng_successor(p640, 32));
}
s = lfsr_recovery32(ar0_enc ^ p640, 0);
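Review bot: The trace now gated by `showMaths` in tryMfk32_moebius still writes with bare `printf`, while the command files in this commit report everything through `PrintAndLog` (a commented-out `PrintAndLog` sits right below the first block), so this output presumably bypasses whatever the client's logging wrapper does. Since the block is being re-indented anyway, I would switch these calls to `PrintAndLog` and correct the spelling in `printf("\nLFSR succesors of the tag challenge:\n");` to "successors". The `%08x` conversions assume `unsigned int`-sized arguments; `p640` is declared `uint32_t` here, but `uid`, `nt0` and the others are declared outside the hunk, so their types should be checked. The function continues past the last line shown.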


@ -28,7 +28,7 @@ extern int nonce2key_ex(uint8_t blockno, uint8_t keytype, uint32_t uid, uint32_t
//iceman, added these to be able to crack key direct from "hf 14 sim" && "hf mf sim"
bool tryMfk32(nonces_t data, uint64_t *outputkey );
bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey ); // <<-- this one has best success
bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths ); // <<-- this one has best success
int tryMfk64_ex(uint8_t *data, uint64_t *outputkey );
int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey);
#endif

7
tools/mfkey/.gitignore vendored Normal file

@ -0,0 +1,7 @@
mfkey32
mfkey32v2
mfkey64
mfkey32.exe
mfkey32v2.exe
mfkey64.exe