improve hf mf sim x reader attack
index 48e78b1c2fcad2a74a90de187356d346ed54492c..df50441631fec0c1081d34405792c3ba5b954c2c 100644 (file)
@@ -9,6 +9,7 @@
 //-----------------------------------------------------------------------------\r
 \r
 #include "cmdhfmf.h"\r
+#include "./nonce2key/nonce2key.h"\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
@@ -28,7 +29,7 @@ int CmdHF14AMifare(const char *Cmd)
        printf("-------------------------------------------------------------------------\n");\r
 \r
        \r
-start:\r
+ start:\r
     clearCommandBuffer();\r
     SendCommand(&c);\r
        \r
@@ -1079,6 +1080,64 @@ int CmdHF14AMf1kSim(const char *Cmd)
                        //We're waiting only 1.5 s at a time, otherwise we get the\r
                        // annoying message about "Waiting for a response... "\r
                }\r
+               //got a response\r
+               if (flags & FLAG_NR_AR_ATTACK) {\r
+                       typedef struct {\r
+                         uint32_t cuid;\r
+                         uint8_t  sector;\r
+                         uint8_t  keytype;\r
+                         uint32_t nonce;\r
+                         uint32_t ar;\r
+                         uint32_t nr;\r
+                         uint32_t nonce2;\r
+                         uint32_t ar2;\r
+                         uint32_t nr2;\r
+                       } nonces_t;\r
+                       nonces_t ar_resp[4];\r
+                       //uint32_t ar_responses[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};\r
+                       uint64_t key = 0;\r
+                       //uint64_t keyB = 0;\r
+                       //uint8_t arnr_len = 8;\r
+                       memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                       \r
+                       for (uint8_t i = 0; i<4; i++) {\r
+                               if (ar_resp[i].ar2 > 0) {\r
+                                       key = mfkey32(ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+                                       if (key>0) {\r
+                                               PrintAndLog("\nFound Key%s for sector %d: [%04x%08x]", (i<2) ? "A" : "B", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+                                               //set emulator memory for key\r
+                                       }       \r
+                               }\r
+                       }\r
+                       /*\r
+                       if (ar_resp[1] && ar_responses[2] && ar_responses[3] && ar_responses[6] && ar_responses[7]) {\r
+                               keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);\r
+                               if (keyA>0) {\r
+                                       PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
+                                       //set emulator memory for key\r
+                               } else {\r
+                                       keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);                        \r
+                                       if (keyA>0) {\r
+                                               PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
+                                               //set emulator memory for key\r
+                                       }\r
+                               }\r
+                       } else {\r
+                               PrintAndLog("keyA response error: %d %d %d %d %d",ar_responses[1] , ar_responses[2] , ar_responses[3] , ar_responses[6] , ar_responses[7]);\r
+                       }\r
+                       if (ar_responses[1] && ar_responses[2+arnr_len] && ar_responses[3+arnr_len] && ar_responses[6+arnr_len] && ar_responses[7+arnr_len]) {\r
+                               keyB = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2+arnr_len],ar_responses[3+arnr_len],ar_responses[6+arnr_len],ar_responses[7+arnr_len]);\r
+                               if (keyB>0) {\r
+                                       PrintAndLog("\nFound KeyB: [%04x%08x]\n\n", (uint32_t) (keyB>>32), (uint32_t) (keyB & 0xFFFFFFFF));\r
+                                       //set emulator memory for key\r
+                               }\r
+                       }\r
+                       if (keyA || keyB) {\r
+                               //TODO retry sim with new keys in emulator memory? (somehow flag to check that to see if new key has successful auth now?)\r
+                               //      to validate key is correct\r
+                       }\r
+                       */\r
+               }\r
        }\r
        \r
        return 0;\r
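Review bot: The raw `memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp))` assumes the device serialises its records with exactly the layout of the locally typedef'd `nonces_t`, including the padding the host compiler inserts after the two `uint8_t` fields; if the ARM side lays the struct out differently, every field after `sector` is silently misread and `mfkey32` is fed garbage with no error. The typedef belongs in a header shared with the firmware (with matching packing on both sides) and its size pinned with a `_Static_assert` so a layout drift fails at compile time rather than at the reader. Separately, the A/B label `(i<2) ? "A" : "B"` is derived from the slot index even though each record carries `keytype`; using the field — `ar_resp[i].keytype ? "B" : "A"`, presuming the firmware encodes 0=A/1=B, which should be confirmed against the device code — keeps the label correct however the four slots are filled. The key recovered from a single nonce pair is printed without any verification, as the commented-out block's own TODO acknowledges; that dead block (L55–L82) and the stale `ar_responses` comments should be removed rather than carried in the file. CmdHF14AMf1kSim begins and ends outside this hunk.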