the idea is to have a statistically solid conclusion if tag does or does not have the NACK bug.
-in short, ref https://github.com/iceman1001/proxmark3/issues/141
NACK bug; when a tag responds with a NACK to a 8 byte nonce exchange during authentication when the bytes are wrong but the parity bits are correct.
This is a strong oracle which is used in the darkside attack.
Using a dictionary file with 421keys,
Current implementation of checkkeys takes 300 sec.
This implementation of checkkeys takes 250 sec.
I implemented it as a separate command so it will be easier to compare between the old and new checkkeys.
Its also doing much on deviceside, which is a step to much funnier standalone modes :))
'hf iclass sniff' - playing with this one. Don't expect it to work yet :(
- increase dma_buffer_size to 256
- moved initialization to a own function. Just looks cleaner :)
- change the debug output to follow MF_DBGLEVEL
'hf mf sniff' - unnecessary cast removed
fix: 'hf mf hardnested' test cases doesn't need to verify key.
add: 'hf mf ' - collect nonces from classic tag.
chg: switch_off on armside, a more unified way, so we don't forget to turn of the antenna ...
chg: renamed 'hf iclass snoop' into 'hf iclass sniff' in an attempt to make all sniff/snoop commands only SNIFF
chg: 'standalone' -> starting the work of moving all standalone mods into a plugin kind of style, in its own folder.
ref: https://github.com/iceman1001/proxmark3/issues/110
FIX: 'hf 14a raw' - zero lenth commands and AppendCrc14443a doesn't work well together.
FIX: 'hf 14a raw' - made clear comments and making params comparing as it should be.
FIX: 'hf 14a raw' - when selecting tag, and it failed, the PM3 device was left with antenna on. This has now been fixed as it turns off antenna and leds.
CHG: call params to selectcard too few
CHG: 'standalone HF mode' - when copying second UID onto data array, it should append after first one, not over the first one.
ref: https://github.com/iceman1001/proxmark3/issues/77 Lets see if this fixes the HF part of this issue
FIX: 'hf mf sim x i' - same as above.
In general we only use Moebius attack for "sim x", that means a clean up on device side code. simpler to understand. It still tries to gather 8 different collections of nonces combo. When one is complete, it get sent to client which runs moebius direct.
- Fix `hf mf sim` to use nonce_t structures, so key recovery works
- Increases verbosity on the key recovery functionality
- Fix use-after-free for k_sector
- Add help info on `e` option to `hf mf sim`
CHG: returned the iso14443a_setup order, it might influence my older PM3 device.
*Note* my Elechouse revisions PM3 works great with this but my older xpfga (green pcb) is hopeless. It can't fix onto the nonces in 'hf mf mifare' I think its too slow.
CHG: "hf 14a sim" command, changed the data collection for the attackmode in SimulateIso14443aTag. It now uses @holiman 's original implementation. But we can't change "NR", so we do next.
CHG: "hf 14a sim" command, nonce is increase with every new auth. This is for the "mfkey32_moebius" attack to work.
CHG: "hf mf sim" command (function void Mifare1ksim ) now handles UID' with length 10.
CHG: "hf mf sim" command nonce is increase with every new auth. This is for the "mfkey32_moebius" attack to work.
and some clean up in the "hf mf mifare" code. I removed the three strategies Pivi added to make the code easier and added a lot of comments to understand.
the WDT bug is still there in this code. Needs further testing yet, before I commit the fix.
So far the fix is quite stable on ubuntu, but on mingw/win is breaking still. Which at this point doesnt make any sense.
I also made the SRi read functions better by combining them. The demodulation / uart code should be the same as last summers changes. The device side code can now be even smaller.
CHG: increased the time-out message 2sec, in proxmark, to make "hf mf chk" work better.
CHG: still trying to solve the "hf mf mifare" WDT_HIT bug.
With these changes, the "hf mf chk" / "Hf mf nested" looks similar and should be a bit faster.
Things like the ICLASS, tryDecryptWord,
--
My other stuff like default keys, some new Mifare EV1 commands 0x40, 0x43 for the logging annotation, start of the T55x7 configblock helper functionality (ripped from Adam Lauries RFIdler code)
Changes to the PCF7931 functions written, which has a lousy input check..
.. ntag simulation stuff from @marshmellows branch "ntag/sim"
.. hf mf mifare fixes from @pwpivi.
.. hw status command
.. speedtest function from @pwpivi
.. Viking Functionalities, (not a proper DEMOD, but a start)
.. GetCountUS better precision from @pwpivi
.. bin2hex, hex2bin from @holiman
...
starting with getting the T55x7 CONFIGURATION_BLOCK for different clone situations. Ripped from Adam Lauries RFidler, nothing working or finished..
...
Started working with the T55x7 read command with password actually performs a write block... See Issue #136https://github.com/Proxmark/proxmark3/issues/136 Not solved yet.
...
Started add SHA256.. not working yet..
MERGED: @piwi changes
MERGED: @marshmellows changes.
I'm not even gonna try write up all that stuff..
ADD: changed some commands inside the "Hf 14a sim" on deviceside.
ADD: @mobeius "two nonce" version for mfkey32. It is also inside the "hf 14a sim" with the "x" parameter.
FIX: 14b sim changes in iso14443b.c , *experimental* I took some timing loops from "14a sim" armsrc/iso14443a.c and merged it into the "14b sim". Now using two pm3's I can have one simulating and the other reading and it works. Ask @pwpiwi if you want to know more of what those timing loops does. Something about waiting for the fpga delay queue...
ADD: "hf 14a sim t 7" now implements a simple incr_counter command. it sends ACK to all requests.
ADD: "hf 14a sim t 7" now prints the password when a "0x1B" (Authenticate) command is received.
