+ if (MF_DBGLEVEL >= 3) DbpString("AcquireEncryptedNonces finished");\r
+\r
+}\r
+\r
+\r
+//-----------------------------------------------------------------------------\r
+// MIFARE nested authentication.\r
+//\r
+//-----------------------------------------------------------------------------\r
+void MifareNested(uint32_t arg0, uint32_t arg1, uint32_t calibrate, uint8_t *datain) {\r
+\r
+ uint8_t blockNo = arg0 & 0xff;\r
+ uint8_t keyType = (arg0 >> 8) & 0xff;\r
+ uint8_t targetBlockNo = arg1 & 0xff;\r
+ uint8_t targetKeyType = (arg1 >> 8) & 0xff;\r
+ uint64_t ui64Key = 0;\r
+\r
+ ui64Key = bytes_to_num(datain, 6);\r
+\r
+ uint16_t rtr, i, j, len;\r
+ uint16_t davg;\r
+ static uint16_t dmin, dmax;\r
+ uint8_t uid[10];\r
+ uint32_t cuid, nt1, nt2, nttmp, nttest, ks1;\r
+ uint8_t par[1];\r
+ uint32_t target_nt[2], target_ks[2];\r
+ uint8_t target_nt_duplicate_count = 0;\r
+\r
+ uint8_t par_array[4];\r
+ uint16_t ncount = 0;\r
+ struct Crypto1State mpcs = {0, 0};\r
+ struct Crypto1State *pcs;\r
+ pcs = &mpcs;\r
+ uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+\r
+ uint32_t auth1_time, auth2_time, authentication_timeout = 0;\r
+ static uint16_t delta_time;\r
+\r
+ LED_A_ON();\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+ // free eventually allocated BigBuf memory\r
+ BigBuf_free();\r
+\r
+ if (calibrate) clear_trace();\r
+ set_tracing(true);\r
+\r
+ // statistics on nonce distance\r
+ int16_t isOK = 0;\r
+ #define NESTED_MAX_TRIES 12\r
+ uint16_t unsuccessfull_tries = 0;\r
+ if (calibrate) { // for first call only. Otherwise reuse previous calibration\r
+ LED_B_ON();\r
+ WDT_HIT();\r
+\r
+ davg = dmax = 0;\r
+ dmin = 2000;\r
+ delta_time = 0;\r
+\r
+ for (rtr = 0; rtr < 17; rtr++) {\r
+\r
+ // prepare next select. No need to power down the card.\r
+ if (mifare_classic_halt(pcs, cuid)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");\r
+ rtr--;\r
+ continue;\r
+ }\r
+\r
+ // Test if the action was cancelled\r
+ if (BUTTON_PRESS()) {\r
+ isOK = -2;\r
+ break;\r
+ }\r
+\r
+ if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");\r
+ rtr--;\r
+ continue;\r
+ };\r
+\r
+ auth1_time = 0;\r
+ if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time, NULL)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");\r
+ rtr--;\r
+ continue;\r
+ };\r
+\r
+ if (delta_time) {\r
+ auth2_time = auth1_time + delta_time;\r
+ } else {\r
+ auth2_time = 0;\r
+ }\r
+ if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time, NULL)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");\r
+ rtr--;\r
+ continue;\r
+ };\r
+\r
+ nttmp = prng_successor(nt1, 100); //NXP Mifare is typical around 840,but for some unlicensed/compatible mifare card this can be 160\r
+ for (i = 101; i < 1200; i++) {\r
+ nttmp = prng_successor(nttmp, 1);\r
+ if (nttmp == nt2) break;\r
+ }\r
+\r
+ if (i != 1200) {\r
+ if (rtr != 0) {\r
+ davg += i;\r
+ dmin = MIN(dmin, i);\r
+ dmax = MAX(dmax, i);\r
+ }\r
+ else {\r
+ delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing\r
+ }\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);\r
+ } else {\r
+ unsuccessfull_tries++;\r
+ if (unsuccessfull_tries > NESTED_MAX_TRIES) { // card isn't vulnerable to nested attack (random numbers are not predictable)\r
+ isOK = -3;\r
+ }\r
+ }\r
+ }\r
+\r
+ davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
+\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);\r
+\r
+ dmin = davg - 2;\r
+ dmax = davg + 2;\r
+\r
+ LED_B_OFF();\r
+\r
+ }\r
+ // -------------------------------------------------------------------------------------------------\r
+\r
+ LED_C_ON();\r
+\r
+ // get crypted nonces for target sector\r
+ for (i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces\r
+\r
+ target_nt[i] = 0;\r
+ while (target_nt[i] == 0 && !isOK) { // continue until we have an unambiguous nonce\r
+\r
+ // prepare next select. No need to power down the card.\r
+ if(mifare_classic_halt(pcs, cuid)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");\r
+ continue;\r
+ }\r
+\r
+ // break out of the loop on button press\r
+ if (BUTTON_PRESS()) {\r
+ isOK = -2;\r
+ break;\r
+ }\r
+\r
+ if (!iso14443a_select_card(uid, NULL, &cuid, true, 0, true)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Can't select card");\r
+ continue;\r
+ }\r
+\r
+ auth1_time = 0;\r
+ authentication_timeout = 0;\r
+ if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, &auth1_time, &authentication_timeout)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth1 error");\r
+ continue;\r
+ }\r
+\r
+ // nested authentication\r
+ auth2_time = auth1_time + delta_time;\r
+ len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
+ if (len != 4) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);\r
+ continue;\r
+ }\r
+\r
+ nt2 = bytes_to_num(receivedAnswer, 4);\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);\r
+\r
+ // Parity validity check\r
+ for (j = 0; j < 4; j++) {\r
+ par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
+ }\r
+\r
+ ncount = 0;\r
+ nttest = prng_successor(nt1, dmin - 1);\r
+ for (j = dmin; j < dmax + 1; j++) {\r
+ nttest = prng_successor(nttest, 1);\r
+ ks1 = nt2 ^ nttest;\r
+\r
+ if (valid_nonce(nttest, nt2, ks1, par_array)){\r
+ if (ncount > 0) { // we are only interested in disambiguous nonces, try again\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (ambigous), ntdist=%d", i+1, j);\r
+ target_nt[i] = 0;\r
+ break;\r
+ }\r
+ target_nt[i] = nttest;\r
+ target_ks[i] = ks1;\r
+ ncount++;\r
+ if (i == 1 && target_nt[1] == target_nt[0]) { // we need two different nonces\r
+ if( ++target_nt_duplicate_count >= NESTED_MAX_TRIES ) { // unable to get a 2nd nonce after NESTED_MAX_TRIES tries, probably a fixed nonce\r
+ if (MF_DBGLEVEL >= 2) Dbprintf("Nonce#2: cannot get nonce that != nonce#1, continuing anyway with single nonce! ntdist=%d", j);\r
+ break;\r
+ }\r
+\r
+ target_nt[1] = 0;\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#2: dismissed (= nonce#1), ntdist=%d", j);\r
+ break;\r
+ }\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: valid, ntdist=%d", i+1, j);\r
+ }\r
+ }\r
+ if (target_nt[i] == 0 && j == dmax+1 && MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: dismissed (all invalid)", i+1);\r
+ }\r
+ }\r
+\r
+ LED_C_OFF();\r
+\r
+ // ----------------------------- crypto1 destroy\r
+ crypto1_destroy(pcs);\r
+\r
+ uint8_t buf[4 + 4 * 4 + 4];\r
+ memcpy(buf, &cuid, 4);\r
+ memcpy(buf+4, &target_nt[0], 4);\r
+ memcpy(buf+8, &target_ks[0], 4);\r
+ memcpy(buf+12, &target_nt[1], 4);\r
+ memcpy(buf+16, &target_ks[1], 4);\r
+ memcpy(buf+20, &authentication_timeout, 4);\r
+\r