J_Run's 2nd phase of multiple sector nested authentication key recovery
You have a known 4 last bytes of a key recovered with mf_nonce_brute tool.
First 2 bytes of key will be bruteforced
Usage: hf mf keybrute [h] <block number> <A|B> <key>
options:
h this help
<block number> target block number
<A|B> target key type
<key> candidate key from mf_nonce_brute tool
samples:
hf mf keybrute 1 A 000011223344
FIX: The flushing of logentries.
ADD: "hf mf sniff" - added the sniffing of UID's with a uidlen of 10.
Whats left? The key is not always found even if we use the "mfkey64" approach.
ADD: added the parity_zero attack in "hf mf mifare". Still not working since piwi's changes to the iso14443a.c, maybe needs a param to tell it to collect nonces for this special attack.
CHG: extracted some help-texts into usage_* methods. Changed some text as well
FIX: "hf mf sim" command now uses both mfkey32 and mfkey32_moebius version to find the key in attack mode.
CHG: "hf mf sim" also now defaults to emul_memory to read a 4 byte UID.
CHG: increased the time-out message 2sec, in proxmark, to make "hf mf chk" work better.
CHG: still trying to solve the "hf mf mifare" WDT_HIT bug.
With these changes, the "hf mf chk" / "Hf mf nested" looks similar and should be a bit faster.
CHG: textual helptext change in "hf mf nested"
CHG: loop inside "nested". Still not fast enough. I wonder if qsort can be exchanged for radixsort or bucket sort?
Experiment: unfolded a loop.
Experiment: speeding up "Hf mf nested"
CHG: removed some default keys from "hf mf nested". It wasn't being used anyway.
CHG: changed the way "hf mf nested" reports back keys
CHG: "hf mf nested" and "hf mf chk" now prints the key-table.
CHG: changed the output list for "hf mf chk"
Things like the ICLASS, tryDecryptWord,
--
My other stuff like default keys, some new Mifare EV1 commands 0x40, 0x43 for the logging annotation, start of the T55x7 configblock helper functionality (ripped from Adam Lauries RFIdler code)
Changes to the PCF7931 functions written, which has a lousy input check..
.. ntag simulation stuff from @marshmellows branch "ntag/sim"
.. hf mf mifare fixes from @pwpivi.
.. hw status command
.. speedtest function from @pwpivi
.. Viking Functionalities, (not a proper DEMOD, but a start)
.. GetCountUS better precision from @pwpivi
.. bin2hex, hex2bin from @holiman
...
starting with getting the T55x7 CONFIGURATION_BLOCK for different clone situations. Ripped from Adam Lauries RFidler, nothing working or finished..
...
Started working with the T55x7 read command with password actually performs a write block... See Issue #136https://github.com/Proxmark/proxmark3/issues/136 Not solved yet.
...
Started add SHA256.. not working yet..
CHG: USB_CMD_DATA_SIZE is now used as maxsize for transfer of data between client and pm3device
CHG: suggested a fix for the underscore problem in ioclass\fileutils.c
ADD: tnp3xx support
ADD: nxp tag idents.
ADD: identifiction of chinese backdoor commands to hf 14a reader.
FIX: a suggested patch for "hf mf csetuid" (https://github.com/Proxmark/proxmark3/issues/35)
FIX: fixed a bug in iso14443a_select_card where the len variable wasnt set, this made desfire/magic cards not work.
Applied PwPiwi's new parity fix.
Applied Marshmellw's fixes for FSKdemod (HID, IO)
FIX: a potential bigbuffer fault given pwpiwi's change inside lfops.c CmdIOdemodFSK & CmdHIDdemodFSK
FIX: change some "int" parameters to uint's.
FIX: changed the lfops.c - DoAcquisition125k_internal to respect pwpiwi's definitions of FREE_BUFFER_OFFSET
HEADS up: The ultralight functions hasn't been verified since pwpiwi's changes.
- buffers were too small to handle 256 byte frames
- parity bits were only handled for up to 32 byte frames
- trace format was inefficient
- removed parity calculation from decoders in iclass.c (parity not used on air anyway)
- PM: used GetCountMifare in MifareNested() for improved timing accuracy and to deliver better quality nonces
- PM: MifareNested now delivers exactly two different nonces to avoid time consuming multiple lfsr_recovery32() on client side
- Client: replaced quicksort by bucketsort in crapto1.c which is faster
- Client: use multithreading (two parallel calls to lfsr_recovery32())
- Client: fixed a small bug in mfnested() (always showed trgkey=0)
- Client: introduced a mutex for PrintAndLog() to avoid interlaced printing
Minor rework of hf mf chk:
- Avoid time consuming off/on cycles. Send a "halt" instead.
2. added abilities to: clear, get, set, load from card, load from nested card emulator dump
3. tried to fix proxmark promt have seen everywhere (not so good)
4. reorganized arm code
