ADD: 'hf mfu restore' - added a restore from file command, see helptext for instructions
CHG: some help-text updates and refactored to functions
CHG: 'hf mfu gen' - added the possibility to read uid from card as input
CHG: 'hf mfu dump' - refactored out the dump-printing
FIX: 'hf mf sim x i' - same as above.
In general we only use Moebius attack for "sim x", that means a clean up on device side code. simpler to understand. It still tries to gather 8 different collections of nonces combo. When one is complete, it get sent to client which runs moebius direct.
this version uses int64_t (signed) to signify end-of-lists (-1). It also needs its own compare function for the qsort. I didn't merge this into existing code which uses uint64_t. (too lazy)
- Fix `hf mf sim` to use nonce_t structures, so key recovery works
- Increases verbosity on the key recovery functionality
- Fix use-after-free for k_sector
- Add help info on `e` option to `hf mf sim`
J_Run's 2nd phase of multiple sector nested authentication key recovery
You have a known 4 last bytes of a key recovered with mf_nonce_brute tool.
First 2 bytes of key will be bruteforced
Usage: hf mf keybrute [h] <block number> <A|B> <key>
options:
h this help
<block number> target block number
<A|B> target key type
<key> candidate key from mf_nonce_brute tool
samples:
hf mf keybrute 1 A 000011223344
FIX: The flushing of logentries.
ADD: "hf mf sniff" - added the sniffing of UID's with a uidlen of 10.
Whats left? The key is not always found even if we use the "mfkey64" approach.
ADD: added the parity_zero attack in "hf mf mifare". Still not working since piwi's changes to the iso14443a.c, maybe needs a param to tell it to collect nonces for this special attack.
CHG: extracted some help-texts into usage_* methods. Changed some text as well
FIX: "hf mf sim" command now uses both mfkey32 and mfkey32_moebius version to find the key in attack mode.
CHG: "hf mf sim" also now defaults to emul_memory to read a 4 byte UID.
CHG: increased the time-out message 2sec, in proxmark, to make "hf mf chk" work better.
CHG: still trying to solve the "hf mf mifare" WDT_HIT bug.
With these changes, the "hf mf chk" / "Hf mf nested" looks similar and should be a bit faster.
CHG: textual helptext change in "hf mf nested"
CHG: loop inside "nested". Still not fast enough. I wonder if qsort can be exchanged for radixsort or bucket sort?
Experiment: unfolded a loop.
Experiment: speeding up "Hf mf nested"
CHG: removed some default keys from "hf mf nested". It wasn't being used anyway.
CHG: changed the way "hf mf nested" reports back keys
CHG: "hf mf nested" and "hf mf chk" now prints the key-table.
CHG: changed the output list for "hf mf chk"
ADD: Implemented a addon to "hf mf nested" if there is KEY_A 's found but not the same KEY_B, try just read it from tag.
Makes the command a bit slower when it does these reads. Plus some annoying debug statements,
CHG: changed the output for "hf mf nested" to write Key A or B instead of 0 & 1..
Things like the ICLASS, tryDecryptWord,
--
My other stuff like default keys, some new Mifare EV1 commands 0x40, 0x43 for the logging annotation, start of the T55x7 configblock helper functionality (ripped from Adam Lauries RFIdler code)
Changes to the PCF7931 functions written, which has a lousy input check..
.. ntag simulation stuff from @marshmellows branch "ntag/sim"
.. hf mf mifare fixes from @pwpivi.
.. hw status command
.. speedtest function from @pwpivi
.. Viking Functionalities, (not a proper DEMOD, but a start)
.. GetCountUS better precision from @pwpivi
.. bin2hex, hex2bin from @holiman
...
starting with getting the T55x7 CONFIGURATION_BLOCK for different clone situations. Ripped from Adam Lauries RFidler, nothing working or finished..
...
Started working with the T55x7 read command with password actually performs a write block... See Issue #136https://github.com/Proxmark/proxmark3/issues/136 Not solved yet.
...
Started add SHA256.. not working yet..
MOV: moved the try32/try64 attacks (mfkey32/mfkey64) into the nonce2key.c file
CHG: added @marshmellow42 changes to hf mfu dump layout.
ADD: an extra call to BigBuf_free in readcard.. just to make sure that it doesn't leak memory.
ADD: expermimental call to "try32" for "hf mf sim x".
- provided a BigBuf_malloc() function to dynamically allocate parts of BigBuf
e.g. for DMA-Buffers, Frame-Buffers, Emulator-Memory
- the whole rest of BigBuf is now available for traces (instead of a small fixed amount)
- send actual traceLen together with trace data
- changed client side to cope with varying traceLen
- changed small buffers to automatic variables instead of parts of BigBuf
FIX: a solution for the issue "hf eload, esave, cload, save - filepath variable too short"
CHG: minor code clean up.
ADD: AES / CRC16 for lua. (and tnp3xx scripts.)
ADD: tnp3dump.lua script to dump tnp3xx tags.
ADD: tnp3sim.lua script to let PM3 imitate an tnp3xx tag. Needs to be tested live
ADD: added a manufacturer list in "hf 14a reader", only viable when UID is double or triple size. Thanks to Asper for the list.
ADD: detect chinese magic backdoor commands in "hf 14a reader"
CHG: minor code clean up.
CHG: USB_CMD_DATA_SIZE is now used as maxsize for transfer of data between client and pm3device
CHG: suggested a fix for the underscore problem in ioclass\fileutils.c
ADD: tnp3xx support
ADD: nxp tag idents.
ADD: identifiction of chinese backdoor commands to hf 14a reader.
- buffers were too small to handle 256 byte frames
- parity bits were only handled for up to 32 byte frames
- trace format was inefficient
- removed parity calculation from decoders in iclass.c (parity not used on air anyway)
- hf mf dump: abort on unrecoverable errors. Don't create file dumpdata.bin in this case.
- hf mf chk: re-enabled and fixed option d (dump keys to dumpkeys.bin).
if there are unknown keys, write 0xffffffffffff instead to the file.
- provide a default key dictionary file for hf mf chk (default_keys.dic). Contents taken from
mf_default_keys.lua
- hf mf rdsc (fix): didn't account for 16 block sectors, allowed max sector 63 instead of 39
- hf mf ecfill (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (add): added (optional) card size parameter and support for non 1K cards
- hf mf dump (fix): Access Condition 011 not handled correctly (tried to access with key A)
- hf mf restore (add): added (optional) card size parameter and support for non 1K cards
- hf mf nested (fix): didn't account for 16 block sectors, allowed max sector 63 instead of 39
- hf mf nested (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
- hf mf chk (fix): always dumped 16 keys to dumpkeys.bin instead of correct number
- hf mf eget (fix): displayed three instead of one block
- hf mf eload (add): load 4K .eml files (but accepts 1K .eml files for backwards compatibility)
- hf mf esave (add): always save the whole emulator memory (4K) instead of 1K only
- hf mf ecfill (add): added (optional) card size parameter and support for non 1K cards
- output of debug messages caused communication failures due to timing issues.
hf mf dbg 4 now required to see these debug messages.
- changed help text for hf mf dbg
- fixed minor bugs in help texts for hf mf sim and hf mf ecset
- display "key A" or "key B" instead of "key=0" or "key=1 in hf mf sim
- tracing was not always enabled when starting hf mf sniff or hf 14a snoop
- ATQA was displayed in wrong byte order in hf mf sniff
- 4 Byte UIDs were displayed as 7 Byte UIDs (padded with 0x000000) in hf mf sniff
- same for logfile names.
- assignment (=) had been used instead of == in comparisons (shouldn't have been relevant though)
- fixed a circular buffer rollover bug in iso14443a.c
- fixed 7 Byte UID handling in hf mf sniff
- fixed "cannot append" error in hf mf sniff d
- fixed hint on mfkey32 in hf mf sim x
- fixed hf mf sniff sometimes showing rogue data from previous calloc
- improve snooping/sniffing by syncing modulation detector window with reader signal (hi_iso14443a.v)
- code cleanup of hi_iso14443a.v
- enhanced tracing: hf 14a list now shows meaningful timing information. With new option f it also shows the frame delay times (fdt)
- small fix for hf 14b list - it used to run into the trace trailer
- hf 14a sim now obeys iso14443 timing (fdt of 1172 or 1234 resp.)
Note: you need to flash FPGA as well.
More details in http://www.proxmark.org/forum/viewtopic.php?pid=9721#p9721
- PM: used GetCountMifare in MifareNested() for improved timing accuracy and to deliver better quality nonces
- PM: MifareNested now delivers exactly two different nonces to avoid time consuming multiple lfsr_recovery32() on client side
- Client: replaced quicksort by bucketsort in crapto1.c which is faster
- Client: use multithreading (two parallel calls to lfsr_recovery32())
- Client: fixed a small bug in mfnested() (always showed trgkey=0)
- Client: introduced a mutex for PrintAndLog() to avoid interlaced printing
Minor rework of hf mf chk:
- Avoid time consuming off/on cycles. Send a "halt" instead.
