]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhfmf.c
needs a ; ... ...
[proxmark3-svn] / client / cmdhfmf.c
index 9f337a5b2ed4cd98cb474421948326ebcd2ef1c0..3fde208f6ab520b7778f32f9313940e26b102529 100644 (file)
@@ -9,86 +9,47 @@
 //-----------------------------------------------------------------------------\r
 \r
 #include "cmdhfmf.h"\r
-#include "./nonce2key/nonce2key.h"\r
 \r
-static int CmdHelp(const char *Cmd);\r
+#include <inttypes.h>\r
+#include <string.h>\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <ctype.h>\r
+#include "proxmark3.h"\r
+#include "cmdmain.h"\r
+#include "cmdhfmfhard.h"\r
+#include "util.h"\r
+#include "usb_cmd.h"\r
+#include "ui.h"\r
+#include "mifarehost.h"\r
+#include "mifare.h"\r
+#include "mfkey.h"\r
 \r
-int CmdHF14AMifare(const char *Cmd)\r
-{\r
-       uint32_t uid = 0;\r
-       uint32_t nt = 0, nr = 0;\r
-       uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
-       int16_t isOK = 0;\r
+#define NESTED_SECTOR_RETRY     10                     // how often we try mfested() until we give up\r
 \r
-       UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
-\r
-       // message\r
-       printf("-------------------------------------------------------------------------\n");\r
-       printf("Executing command. Expected execution time: 25sec on average  :-)\n");\r
-       printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
-       printf("-------------------------------------------------------------------------\n");\r
-\r
-       \r
- start:\r
-    clearCommandBuffer();\r
-    SendCommand(&c);\r
-       \r
-       //flush queue\r
-       while (ukbhit())        getchar();\r
 \r
-       // wait cycle\r
-       while (true) {\r
-        printf(".");\r
-               fflush(stdout);\r
-               if (ukbhit()) {\r
-                       getchar();\r
-                       printf("\naborted via keyboard!\n");\r
-                       break;\r
-               }\r
-               \r
-               UsbCommand resp;\r
-               if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
-                       isOK  = resp.arg[0];\r
-                       uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);\r
-                       nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);\r
-                       par_list = bytes_to_num(resp.d.asBytes +  8, 8);\r
-                       ks_list = bytes_to_num(resp.d.asBytes +  16, 8);\r
-                       nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
-                       printf("\n\n");\r
-                       switch (isOK) {\r
-                               case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
-                               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
-                               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
-                               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
-                                                       PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
-                               default: ;\r
-                       }\r
-                       break;\r
-               }\r
-       }       \r
+static int CmdHelp(const char *Cmd);\r
 \r
-       printf("\n");\r
-       \r
-       // error\r
-       if (isOK != 1) return 1;\r
-       \r
-       // execute original function from util nonce2key\r
-       if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
-               isOK = 2;\r
-               PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);    \r
-               PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
-               c.arg[0] = false;\r
-               goto start;\r
-       } else {\r
-               isOK = 0;\r
-               printf("------------------------------------------------------------------\n");\r
-               PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
+int CmdHF14AMifare(const char *Cmd)\r
+{\r
+       int isOK = 0;\r
+       uint64_t key = 0;\r
+       isOK = mfDarkside(&key);\r
+       switch (isOK) {\r
+               case -1 : PrintAndLog("Button pressed. Aborted."); return 1;\r
+               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;\r
+               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;\r
+               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+                                 PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;\r
+               case -5 : PrintAndLog("Aborted via keyboard.");  return 1;\r
+               default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);\r
        }\r
        \r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
+\r
 int CmdHF14AMfWrBl(const char *Cmd)\r
 {\r
        uint8_t blockNo = 0;\r
@@ -302,7 +263,8 @@ int CmdHF14AMfDump(const char *Cmd)
        \r
        // Read keys A from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
-               if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
@@ -311,7 +273,8 @@ int CmdHF14AMfDump(const char *Cmd)
        \r
        // Read keys B from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
-               if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
@@ -323,29 +286,32 @@ int CmdHF14AMfDump(const char *Cmd)
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|------ Reading sector access bits...-----|");\r
        PrintAndLog("|-----------------------------------------|");\r
-       \r
+       uint8_t tries = 0;\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
-               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
-               SendCommand(&c);\r
+               for (tries = 0; tries < 3; tries++) {           \r
+                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
+                       memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+                       SendCommand(&c);\r
 \r
-               if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       uint8_t isOK  = resp.arg[0] & 0xff;\r
-                       uint8_t *data  = resp.d.asBytes;\r
-                       if (isOK){\r
-                               rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
-                               rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
-                               rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
-                               rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               uint8_t isOK  = resp.arg[0] & 0xff;\r
+                               uint8_t *data  = resp.d.asBytes;\r
+                               if (isOK){\r
+                                       rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
+                                       rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
+                                       rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
+                                       rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                                       break;\r
+                               } else if (tries == 2) { // on last try set defaults\r
+                                       PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
+                                       rights[sectorNo][3] = 0x01;\r
+                               }\r
                        } else {\r
-                               PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                               PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
                                rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
                                rights[sectorNo][3] = 0x01;\r
                        }\r
-               } else {\r
-                       PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
-                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
-                       rights[sectorNo][3] = 0x01;\r
                }\r
        }\r
        \r
@@ -357,27 +323,33 @@ int CmdHF14AMfDump(const char *Cmd)
        for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
                for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        bool received = false;\r
-                       \r
-                       if (blockNo == NumBlocksPerSector(sectorNo) - 1) {              // sector trailer. At least the Access Conditions can always be read with key A. \r
-                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
-                               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
-                               SendCommand(&c);\r
-                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
-                       } else {                                                                                                // data block. Check if it can be read with key A or key B\r
-                               uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
-                               if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
-                                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
-                                       memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
-                                       SendCommand(&c);\r
-                                       received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
-                               } else if (rights[sectorNo][data_area] == 0x07) {                                                                               // no key would work\r
-                                       isOK = false;\r
-                                       PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
-                               } else {                                                                                                                                                                // key A would work\r
+                       for (tries = 0; tries < 3; tries++) {                   \r
+                               if (blockNo == NumBlocksPerSector(sectorNo) - 1) {              // sector trailer. At least the Access Conditions can always be read with key A. \r
                                        UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
                                        memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
                                        SendCommand(&c);\r
                                        received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                               } else {                                                                                                // data block. Check if it can be read with key A or key B\r
+                                       uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
+                                       if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
+                                               memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       } else if (rights[sectorNo][data_area] == 0x07) {                                                                               // no key would work\r
+                                               isOK = false;\r
+                                               PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
+                                               tries = 2;\r
+                                       } else {                                                                                                                                                                // key A would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
+                                               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       }\r
+                               }\r
+                               if (received) {\r
+                                       isOK  = resp.arg[0] & 0xff;\r
+                                       if (isOK) break;\r
                                }\r
                        }\r
 \r
@@ -466,16 +438,17 @@ int CmdHF14AMfRestore(const char *Cmd)
        }\r
        \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
-\r
                        fclose(fkeys);\r
                        return 2;\r
                }\r
        }\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        fclose(fkeys);\r
                        return 2;\r
@@ -495,7 +468,8 @@ int CmdHF14AMfRestore(const char *Cmd)
                        UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
                        memcpy(c.d.asBytes, key, 6);\r
                        \r
-                       if (fread(bldata, 1, 16, fdump) == 0) {\r
+                       size_t bytes_read = fread(bldata, 1, 16, fdump);\r
+                       if (bytes_read != 16) {\r
                                PrintAndLog("File reading error (dumpdata.bin).");\r
                                fclose(fdump);\r
                                return 2;\r
@@ -535,10 +509,17 @@ int CmdHF14AMfRestore(const char *Cmd)
        return 0;\r
 }\r
 \r
+\r
+typedef struct {\r
+       uint64_t Key[2];\r
+       int foundKey[2];\r
+} sector_t;\r
+\r
+\r
 int CmdHF14AMfNested(const char *Cmd)\r
 {\r
        int i, j, res, iterations;\r
-       sector *e_sector = NULL;\r
+       sector_t *e_sector = NULL;\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t trgBlockNo = 0;\r
@@ -632,7 +613,7 @@ int CmdHF14AMfNested(const char *Cmd)
                }\r
                key64 = bytes_to_num(keyBlock, 6);\r
                if (key64) {\r
-                       PrintAndLog("Found valid key:%012"llx, key64);\r
+                       PrintAndLog("Found valid key:%012" PRIx64, key64);\r
 \r
                        // transfer key to the emulator\r
                        if (transferToEml) {\r
@@ -655,10 +636,10 @@ int CmdHF14AMfNested(const char *Cmd)
                }\r
        }\r
        else { // ------------------------------------  multiple sectors working\r
-               clock_t time1;\r
-               time1 = clock();\r
+               uint64_t msclock1;\r
+               msclock1 = msclock();\r
 \r
-               e_sector = calloc(SectorsCnt, sizeof(sector));\r
+               e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
                if (e_sector == NULL) return 1;\r
                \r
                //test current key and additional standard keys first\r
@@ -718,7 +699,7 @@ int CmdHF14AMfNested(const char *Cmd)
 \r
                                        key64 = bytes_to_num(keyBlock, 6);\r
                                        if (key64) {\r
-                                               PrintAndLog("Found valid key:%012"llx, key64);\r
+                                               PrintAndLog("Found valid key:%012" PRIx64, key64);\r
                                                e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
                                                e_sector[sectorNo].Key[trgKeyType] = key64;\r
                                        }\r
@@ -726,7 +707,7 @@ int CmdHF14AMfNested(const char *Cmd)
                        }\r
                }\r
 \r
-               printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);\r
+               printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);\r
                \r
                PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
                //print them\r
@@ -734,7 +715,7 @@ int CmdHF14AMfNested(const char *Cmd)
                PrintAndLog("|sec|key A           |res|key B           |res|");\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                for (i = 0; i < SectorsCnt; i++) {\r
-                       PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,\r
+                       PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,\r
                                e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                }\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
@@ -785,6 +766,127 @@ int CmdHF14AMfNested(const char *Cmd)
        return 0;\r
 }\r
 \r
+\r
+int CmdHF14AMfNestedHard(const char *Cmd)\r
+{\r
+       uint8_t blockNo = 0;\r
+       uint8_t keyType = 0;\r
+       uint8_t trgBlockNo = 0;\r
+       uint8_t trgKeyType = 0;\r
+       uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
+       uint8_t trgkey[6] = {0, 0, 0, 0, 0, 0};\r
+       \r
+       char ctmp;\r
+       ctmp = param_getchar(Cmd, 0);\r
+\r
+       if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) {\r
+               PrintAndLog("Usage:");\r
+               PrintAndLog("      hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");\r
+               PrintAndLog("                       <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]");\r
+               PrintAndLog("  or  hf mf hardnested r [known target key]");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("Options: ");\r
+               PrintAndLog("      w: Acquire nonces and write them to binary file nonces.bin");\r
+               PrintAndLog("      s: Slower acquisition (required by some non standard cards)");\r
+               PrintAndLog("      r: Read nonces.bin and start attack");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("      sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A");\r
+               PrintAndLog("      sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w");\r
+               PrintAndLog("      sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s");\r
+               PrintAndLog("      sample4: hf mf hardnested r");\r
+               PrintAndLog(" ");\r
+               PrintAndLog("Add the known target key to check if it is present in the remaining key space:");\r
+               PrintAndLog("      sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF");\r
+               return 0;\r
+       }       \r
+       \r
+       bool know_target_key = false;\r
+       bool nonce_file_read = false;\r
+       bool nonce_file_write = false;\r
+       bool slow = false;\r
+       int tests = 0;\r
+       \r
+       \r
+       if (ctmp == 'R' || ctmp == 'r') {\r
+               nonce_file_read = true;\r
+               if (!param_gethex(Cmd, 1, trgkey, 12)) {\r
+                       know_target_key = true;\r
+               }\r
+       } else if (ctmp == 'T' || ctmp == 't') {\r
+               tests = param_get32ex(Cmd, 1, 100, 10);\r
+               if (!param_gethex(Cmd, 2, trgkey, 12)) {\r
+                       know_target_key = true;\r
+               }\r
+       } else {\r
+               blockNo = param_get8(Cmd, 0);\r
+               ctmp = param_getchar(Cmd, 1);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Key type must be A or B");\r
+                       return 1;\r
+               }\r
+               if (ctmp != 'A' && ctmp != 'a') { \r
+                       keyType = 1;\r
+               }\r
+               \r
+               if (param_gethex(Cmd, 2, key, 12)) {\r
+                       PrintAndLog("Key must include 12 HEX symbols");\r
+                       return 1;\r
+               }\r
+               \r
+               trgBlockNo = param_get8(Cmd, 3);\r
+               ctmp = param_getchar(Cmd, 4);\r
+               if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {\r
+                       PrintAndLog("Target key type must be A or B");\r
+                       return 1;\r
+               }\r
+               if (ctmp != 'A' && ctmp != 'a') {\r
+                       trgKeyType = 1;\r
+               }\r
+\r
+               uint16_t i = 5;\r
+\r
+               if (!param_gethex(Cmd, 5, trgkey, 12)) {\r
+                       know_target_key = true;\r
+                       i++;\r
+               }\r
+\r
+               while ((ctmp = param_getchar(Cmd, i))) {\r
+                       if (ctmp == 's' || ctmp == 'S') {\r
+                               slow = true;\r
+                       } else if (ctmp == 'w' || ctmp == 'W') {\r
+                               nonce_file_write = true;\r
+                       } else {\r
+                               PrintAndLog("Possible options are w and/or s");\r
+                               return 1;\r
+                       }\r
+                       i++;\r
+               }\r
+       }\r
+\r
+       PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ", \r
+                       trgBlockNo, \r
+                       trgKeyType?'B':'A',\r
+                       trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],\r
+                       know_target_key?"":" (not set)",\r
+                       nonce_file_write?"write":nonce_file_read?"read":"none",\r
+                       slow?"Yes":"No",\r
+                       tests);\r
+\r
+       int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);\r
+\r
+       if (isOK) {\r
+               switch (isOK) {\r
+                       case 1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                       case 2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                       default : break;\r
+               }\r
+               return 2;\r
+       }\r
+\r
+       return 0;\r
+}\r
+\r
+\r
 int CmdHF14AMfChk(const char *Cmd)\r
 {\r
        if (strlen(Cmd)<3) {\r
@@ -868,6 +970,7 @@ int CmdHF14AMfChk(const char *Cmd)
                break;\r
        default:\r
                PrintAndLog("Key type must be A , B or ?");\r
+               free(keyBlock);\r
                return 1;\r
        };\r
        \r
@@ -919,13 +1022,14 @@ int CmdHF14AMfChk(const char *Cmd)
                                                if (!p) {\r
                                                        PrintAndLog("Cannot allocate memory for defKeys");\r
                                                        free(keyBlock);\r
+                                                       fclose(f);\r
                                                        return 2;\r
                                                }\r
                                                keyBlock = p;\r
                                        }\r
                                        memset(keyBlock + 6 * keycnt, 0, 6);\r
                                        num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
-                                       PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+                                       PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
                                        keycnt++;\r
                                        memset(buf, 0, sizeof(buf));\r
                                }\r
@@ -969,7 +1073,7 @@ int CmdHF14AMfChk(const char *Cmd)
                                res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
                                if (res != 1) {\r
                                        if (!res) {\r
-                                               PrintAndLog("Found valid key:[%012"llx"]",key64);\r
+                                               PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);\r
                                                num_to_bytes(key64, 6, foundKey[t][i]);\r
                                                validKey[t][i] = true;\r
                                        } \r
@@ -1016,8 +1120,9 @@ int CmdHF14AMfChk(const char *Cmd)
        return 0;\r
 }\r
 \r
-void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {\r
-       #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+       #define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+                                  // cannot be more than 7 or it will overrun c.d.asBytes(512)\r
        uint64_t key = 0;\r
        typedef struct {\r
                        uint64_t keyA;\r
@@ -1034,7 +1139,7 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {
        for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
                if (ar_resp[i].ar2 > 0) {\r
                        //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
-                       if (mfkey32(ar_resp[i], &key)) {\r
+                       if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
                                PrintAndLog("  Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
 \r
                                for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
@@ -1054,6 +1159,34 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {
                                                }\r
                                        }\r
                                }\r
+                       } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+                               uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+                               uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"\r
+                                       , keyType ? "B" : "A"\r
+                                       , sectorNum\r
+                                       , key\r
+                               );\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+                                               if (keyType==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                               continue;\r
                        }\r
                }\r
        }\r
@@ -1079,14 +1212,15 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {
                        }\r
                }\r
        }\r
-       //moebius attack\r
+       /*\r
+       //un-comment to use as well moebius attack\r
        for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
                if (ar_resp[i].ar2 > 0) {\r
                        if (tryMfk32_moebius(ar_resp[i], &key)) {\r
                                PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
                        }\r
                }\r
-       }\r
+       }*/\r
 }\r
 \r
 int usage_hf14_mf1ksim(void) {\r
@@ -1099,6 +1233,7 @@ int usage_hf14_mf1ksim(void) {
        PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
        PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");\r
        PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");\r
+       PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");\r
        PrintAndLog("samples:");\r
        PrintAndLog("           hf mf sim u 0a0a0a0a");\r
        PrintAndLog("           hf mf sim u 11223344556677");\r
@@ -1123,7 +1258,6 @@ int CmdHF14AMf1kSim(const char *Cmd) {
        memset(filename, 0x00, sizeof(filename));\r
        int len = 0;\r
        char buf[64];\r
-       uint8_t uidBuffer[64];\r
 \r
        uint8_t cmdp = 0;\r
        bool errors = false;\r
@@ -1164,6 +1298,11 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                        exitAfterNReads = param_get8(Cmd, pnr+1);\r
                        cmdp += 2;\r
                        break;\r
+               case 'r':\r
+               case 'R':\r
+                       flags |= FLAG_RANDOM_NONCE;\r
+                       cmdp++;\r
+                       break;\r
                case 'u':\r
                case 'U':\r
                        param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
@@ -1202,7 +1341,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                PrintAndLog("Loading file and simulating. Press keyboard to abort");\r
                while(!feof(f) && !ukbhit()){\r
                        memset(buf, 0, sizeof(buf));\r
-                       memset(uidBuffer, 0, sizeof(uidBuffer));\r
+                       memset(uid, 0, sizeof(uid));\r
 \r
                        if (fgets(buf, sizeof(buf), f) == NULL) {                       \r
                                if (count > 0) break;\r
@@ -1211,21 +1350,21 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                                fclose(f);\r
                                return 2;\r
                        }\r
-                       if(strlen(buf) && feof(f)) break;\r
+                       if(!strlen(buf) && feof(f)) break;\r
 \r
-                       uidlen = strlen(buf);\r
+                       uidlen = strlen(buf)-1;\r
                        switch(uidlen) {\r
-                               case 20: flags = FLAG_10B_UID_IN_DATA;  break; //not complete\r
-                               case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
-                               case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
+                               case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete\r
+                               case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags |= FLAG_4B_UID_IN_DATA; break;\r
                                default: \r
-                                       PrintAndLog("uid in file wrong length at %d",count);\r
+                                       PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);\r
                                        fclose(f);\r
                                        return 2;\r
                        }\r
 \r
                        for (uint8_t i = 0; i < uidlen; i += 2) {\r
-                               sscanf(&buf[i], "%02x", (unsigned int *)&uidBuffer[i / 2]);\r
+                               sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);\r
                        }\r
                        \r
                        PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",\r
@@ -1246,7 +1385,8 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                        //got a response\r
                        nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
                        memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
-                       readerAttack(ar_resp, setEmulatorMem);\r
+                       // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                       readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
                        if ((bool)resp.arg[1]) {\r
                                PrintAndLog("Device button pressed - quitting");\r
                                fclose(f);\r
@@ -1278,7 +1418,8 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                        if (flags & FLAG_NR_AR_ATTACK) {\r
                                nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
                                memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
-                               readerAttack(ar_resp, setEmulatorMem);\r
+                               // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                               readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
                        }\r
                }\r
        }\r
@@ -1411,7 +1552,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
 \r
        fnameptr += len;\r
 \r
@@ -1510,7 +1651,7 @@ int CmdHF14AMfESave(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
        \r
        // user supplied filename?\r
        if (len < 1) {\r
@@ -1634,7 +1775,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
                }\r
                keyA = bytes_to_num(data, 6);\r
                keyB = bytes_to_num(data + 10, 6);\r
-               PrintAndLog("|%03d|  %012"llx"  |  %012"llx"  |", i, keyA, keyB);\r
+               PrintAndLog("|%03d|  %012" PRIx64 "  |  %012" PRIx64 "  |", i, keyA, keyB);\r
        }\r
        PrintAndLog("|---|----------------|----------------|");\r
        \r
@@ -1715,7 +1856,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
 {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t blockNo = 0;\r
-       bool wipeCard = FALSE;\r
+       bool wipeCard = false;\r
        int res;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
@@ -1786,7 +1927,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
 \r
                memcpy(filename, Cmd, len);\r
                fnameptr += len;\r
@@ -1827,6 +1968,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 \r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Can't set magic card block: %d", blockNum);\r
+                               fclose(f);\r
                                return 3;\r
                        }\r
                        blockNum++;\r
@@ -1955,7 +2097,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
        \r
                if (len < 1) {\r
                        // get filename\r
@@ -2075,11 +2217,14 @@ int CmdHF14AMfSniff(const char *Cmd){
                        uint16_t traceLen = resp.arg[1];\r
                        len = resp.arg[2];\r
 \r
-                       if (res == 0) return 0;                                         // we are done\r
+                       if (res == 0) {                                                         // we are done\r
+                               free(buf);\r
+                               return 0;\r
+                       }\r
 \r
                        if (res == 1) {                                                         // there is (more) data to be transferred\r
                                if (pckNum == 0) {                                              // first packet, (re)allocate necessary buffer\r
-                                       if (traceLen > bufsize) {\r
+                                       if (traceLen > bufsize || buf == NULL) {\r
                                                uint8_t *p;\r
                                                if (buf == NULL) {                              // not yet allocated\r
                                                        p = malloc(traceLen);\r
@@ -2163,33 +2308,34 @@ int CmdDecryptTraceCmds(const char *Cmd){
 \r
 static command_t CommandTable[] =\r
 {\r
-  {"help",             CmdHelp,                                1, "This help"},\r
-  {"dbg",              CmdHF14AMfDbg,                  0, "Set default debug mode"},\r
-  {"rdbl",             CmdHF14AMfRdBl,                 0, "Read MIFARE classic block"},\r
-  {"rdsc",             CmdHF14AMfRdSc,                 0, "Read MIFARE classic sector"},\r
-  {"dump",             CmdHF14AMfDump,                 0, "Dump MIFARE classic tag to binary file"},\r
-  {"restore",  CmdHF14AMfRestore,              0, "Restore MIFARE classic binary file to BLANK tag"},\r
-  {"wrbl",             CmdHF14AMfWrBl,                 0, "Write MIFARE classic block"},\r
-  {"chk",              CmdHF14AMfChk,                  0, "Test block keys"},\r
-  {"mifare",   CmdHF14AMifare,                 0, "Read parity error messages."},\r
-  {"nested",   CmdHF14AMfNested,               0, "Test nested authentication"},\r
-  {"sniff",            CmdHF14AMfSniff,                0, "Sniff card-reader communication"},\r
-  {"sim",              CmdHF14AMf1kSim,                0, "Simulate MIFARE card"},\r
-  {"eclr",             CmdHF14AMfEClear,               0, "Clear simulator memory block"},\r
-  {"eget",             CmdHF14AMfEGet,                 0, "Get simulator memory block"},\r
-  {"eset",             CmdHF14AMfESet,                 0, "Set simulator memory block"},\r
-  {"eload",            CmdHF14AMfELoad,                0, "Load from file emul dump"},\r
-  {"esave",            CmdHF14AMfESave,                0, "Save to file emul dump"},\r
-  {"ecfill",   CmdHF14AMfECFill,               0, "Fill simulator memory with help of keys from simulator"},\r
-  {"ekeyprn",  CmdHF14AMfEKeyPrn,              0, "Print keys from simulator memory"},\r
-  {"csetuid",  CmdHF14AMfCSetUID,              0, "Set UID for magic Chinese card"},\r
-  {"csetblk",  CmdHF14AMfCSetBlk,              0, "Write block - Magic Chinese card"},\r
-  {"cgetblk",  CmdHF14AMfCGetBlk,              0, "Read block - Magic Chinese card"},\r
-  {"cgetsc",   CmdHF14AMfCGetSc,               0, "Read sector - Magic Chinese card"},\r
-  {"cload",            CmdHF14AMfCLoad,                0, "Load dump into magic Chinese card"},\r
-  {"csave",            CmdHF14AMfCSave,                0, "Save dump from magic Chinese card into file or emulator"},\r
-  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
-  {NULL, NULL, 0, NULL}\r
+  {"help",             CmdHelp,                 1, "This help"},\r
+  {"dbg",              CmdHF14AMfDbg,           0, "Set default debug mode"},\r
+  {"rdbl",             CmdHF14AMfRdBl,          0, "Read MIFARE classic block"},\r
+  {"rdsc",             CmdHF14AMfRdSc,          0, "Read MIFARE classic sector"},\r
+  {"dump",             CmdHF14AMfDump,          0, "Dump MIFARE classic tag to binary file"},\r
+  {"restore",                 CmdHF14AMfRestore,       0, "Restore MIFARE classic binary file to BLANK tag"},\r
+  {"wrbl",             CmdHF14AMfWrBl,          0, "Write MIFARE classic block"},\r
+  {"chk",              CmdHF14AMfChk,           0, "Test block keys"},\r
+  {"mifare",           CmdHF14AMifare,          0, "Read parity error messages."},\r
+  {"hardnested",       CmdHF14AMfNestedHard,    0, "Nested attack for hardened Mifare cards"},\r
+  {"nested",           CmdHF14AMfNested,        0, "Test nested authentication"},\r
+  {"sniff",            CmdHF14AMfSniff,         0, "Sniff card-reader communication"},\r
+  {"sim",              CmdHF14AMf1kSim,         0, "Simulate MIFARE card"},\r
+  {"eclr",             CmdHF14AMfEClear,        0, "Clear simulator memory block"},\r
+  {"eget",             CmdHF14AMfEGet,          0, "Get simulator memory block"},\r
+  {"eset",             CmdHF14AMfESet,          0, "Set simulator memory block"},\r
+  {"eload",            CmdHF14AMfELoad,         0, "Load from file emul dump"},\r
+  {"esave",            CmdHF14AMfESave,         0, "Save to file emul dump"},\r
+  {"ecfill",           CmdHF14AMfECFill,        0, "Fill simulator memory with help of keys from simulator"},\r
+  {"ekeyprn",          CmdHF14AMfEKeyPrn,       0, "Print keys from simulator memory"},\r
+  {"csetuid",          CmdHF14AMfCSetUID,       0, "Set UID for magic Chinese card"},\r
+  {"csetblk",          CmdHF14AMfCSetBlk,       0, "Write block - Magic Chinese card"},\r
+  {"cgetblk",          CmdHF14AMfCGetBlk,       0, "Read block - Magic Chinese card"},\r
+  {"cgetsc",           CmdHF14AMfCGetSc,        0, "Read sector - Magic Chinese card"},\r
+  {"cload",            CmdHF14AMfCLoad,         0, "Load dump into magic Chinese card"},\r
+  {"csave",            CmdHF14AMfCSave,         0, "Save dump from magic Chinese card into file or emulator"},\r
+  {"decrypt",          CmdDecryptTraceCmds,     1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+  {NULL,               NULL,                    0, NULL}\r
 };\r
 \r
 int CmdHFMF(const char *Cmd)\r
Impressum, Datenschutz