+
+ if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1)) {
+ if (MF_DBGLEVEL >= 1) Dbprintf("Auth1 error");
+ break;
+ };
+
+ // nested authentication
+ len = mifare_sendcmd_shortex(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, &par);
+ if (len != 4) {
+ if (MF_DBGLEVEL >= 1) Dbprintf("Auth2 error len=%d", len);
+ break;
+ };
+
+ nt2 = bytes_to_num(receivedAnswer, 4);
+ if (MF_DBGLEVEL >= 4) Dbprintf("r=%d nt1=%08x nt2enc=%08x nt2par=%08x", rtr, nt1, nt2, par);
+
+ // Parity validity check
+ for (i = 0; i < 4; i++) {
+ par_array[i] = (oddparity(receivedAnswer[i]) != ((par & 0x08) >> 3));
+ par = par << 1;
+ }
+
+ ncount = 0;
+ for (m = dmin - NS_TOLERANCE; m < dmax + NS_TOLERANCE; m++) {
+ nttest = prng_successor(nt1, m);
+ ks1 = nt2 ^ nttest;
+
+ if (valid_nonce(nttest, nt2, ks1, par_array) && (ncount < 11)){
+
+ nvector[NES_MAX_INFO][ncount].nt = nttest;
+ nvector[NES_MAX_INFO][ncount].ks1 = ks1;
+ ncount++;
+ nvectorcount[NES_MAX_INFO] = ncount;
+ if (MF_DBGLEVEL >= 4) Dbprintf("valid m=%d ks1=%08x nttest=%08x", m, ks1, nttest);
+ }
+
+ }
+
+ // select vector with length less than got
+ if (nvectorcount[NES_MAX_INFO] != 0) {
+ m = NES_MAX_INFO;
+
+ for (i = 0; i < NES_MAX_INFO; i++)
+ if (nvectorcount[i] > 10) {
+ m = i;
+ break;
+ }
+
+ if (m == NES_MAX_INFO)
+ for (i = 0; i < NES_MAX_INFO; i++)
+ if (nvectorcount[NES_MAX_INFO] < nvectorcount[i]) {
+ m = i;
+ break;
+ }
+
+ if (m != NES_MAX_INFO) {
+ for (i = 0; i < nvectorcount[m]; i++) {
+ nvector[m][i] = nvector[NES_MAX_INFO][i];
+ }
+ nvectorcount[m] = nvectorcount[NES_MAX_INFO];
+ }
+ }
+ }
+
+ LED_C_OFF();
+
+ // ----------------------------- crypto1 destroy
+ crypto1_destroy(pcs);
+
+ // add trace trailer
+ uid[0] = 0xff;
+ uid[1] = 0xff;
+ uid[2] = 0xff;
+ uid[3] = 0xff;
+ LogTrace(uid, 4, 0, 0, TRUE);
+
+ for (i = 0; i < NES_MAX_INFO; i++) {
+ if (nvectorcount[i] > 10) continue;
+
+ for (j = 0; j < nvectorcount[i]; j += 5) {
+ ncount = nvectorcount[i] - j;
+ if (ncount > 5) ncount = 5;
+
+ ack.arg[0] = 0; // isEOF = 0
+ ack.arg[1] = ncount;
+ ack.arg[2] = targetBlockNo + (targetKeyType * 0x100);
+ memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
+
+ memcpy(ack.d.asBytes, &cuid, 4);
+ for (m = 0; m < ncount; m++) {
+ memcpy(ack.d.asBytes + 8 + m * 8 + 0, &nvector[i][m + j].nt, 4);
+ memcpy(ack.d.asBytes + 8 + m * 8 + 4, &nvector[i][m + j].ks1, 4);
+ }
+
+ LED_B_ON();
+ SpinDelay(100);
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+ }
+ }
+
+ // finalize list
+ ack.arg[0] = 1; // isEOF = 1
+ ack.arg[1] = 0;
+ ack.arg[2] = 0;
+ memset(ack.d.asBytes, 0x00, sizeof(ack.d.asBytes));
+
+ LED_B_ON();
+ SpinDelay(300);
+ UsbSendPacket((uint8_t *)&ack, sizeof(UsbCommand));
+ LED_B_OFF();
+
+ if (MF_DBGLEVEL >= 4) DbpString("NESTED FINISHED");
+
+ // Thats it...
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ LEDsoff();
+
+ tracing = TRUE;
+}
+
+//-----------------------------------------------------------------------------
+// MIFARE check keys. key count up to 8.
+//
+//-----------------------------------------------------------------------------
+void MifareChkKeys(uint8_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)
+{
+ // params
+ uint8_t blockNo = arg0;
+ uint8_t keyType = arg1;
+ uint8_t keyCount = arg2;
+ uint64_t ui64Key = 0;
+
+ // variables
+ int i;
+ byte_t isOK = 0;
+ uint8_t uid[8];
+ uint32_t cuid;
+ struct Crypto1State mpcs = {0, 0};
+ struct Crypto1State *pcs;
+ pcs = &mpcs;
+
+ // clear debug level
+ int OLD_MF_DBGLEVEL = MF_DBGLEVEL;
+ MF_DBGLEVEL = MF_DBG_NONE;
+
+ // clear trace
+ traceLen = 0;
+ tracing = TRUE;