-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
- uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
- uint8_t exitAfterNReads = 0;\r
- uint8_t flags = 0;\r
-\r
- uint8_t cmdp = param_getchar(Cmd, 0);\r
- \r
- if (cmdp == 'h' || cmdp == 'H') {\r
- PrintAndLog("Usage: hf mf sim u <uid (8 hex symbols)> n <numreads> i x");\r
- PrintAndLog(" h this help");\r
- PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used");\r
- PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
- PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
- PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
- PrintAndLog("");\r
- PrintAndLog(" sample: hf mf sim u 0a0a0a0a ");\r
- return 0;\r
- }\r
- uint8_t pnr = 0;\r
- if (param_getchar(Cmd, pnr) == 'u') {\r
- if(param_gethex(Cmd, pnr+1, uid, 8) == 0)\r
- {\r
- flags |= FLAG_4B_UID_IN_DATA; // UID from packet\r
- } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {\r
- flags |= FLAG_7B_UID_IN_DATA;// UID from packet\r
- } else {\r
- PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");\r
- return 1;\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+ #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+ uint64_t key = 0;\r
+ typedef struct {\r
+ uint64_t keyA;\r
+ uint64_t keyB;\r
+ } st_t;\r
+ st_t sector_trailer[ATTACK_KEY_COUNT];\r
+ memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+ uint8_t stSector[ATTACK_KEY_COUNT];\r
+ memset(stSector, 0x00, sizeof(stSector));\r
+ uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+ memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+ for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+ if (ar_resp[i].ar2 > 0) {\r
+ //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+ if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
+ PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+ for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+ if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+ if (ar_resp[i].keytype==0) {\r
+ //keyA\r
+ sector_trailer[ii].keyA = key;\r
+ stSector[ii] = ar_resp[i].sector;\r
+ key_cnt[ii]++;\r
+ break;\r
+ } else {\r
+ //keyB\r
+ sector_trailer[ii].keyB = key;\r
+ stSector[ii] = ar_resp[i].sector;\r
+ key_cnt[ii]++;\r
+ break;\r
+ }\r
+ }\r
+ }\r
+ } else if (tryMfk32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+ uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+ uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+ PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"\r
+ , keyType ? "B" : "A"\r
+ , sectorNum\r
+ , key\r
+ );\r
+\r
+ for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+ if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+ if (keyType==0) {\r
+ //keyA\r
+ sector_trailer[ii].keyA = key;\r
+ stSector[ii] = sectorNum;\r
+ key_cnt[ii]++;\r
+ break;\r
+ } else {\r
+ //keyB\r
+ sector_trailer[ii].keyB = key;\r
+ stSector[ii] = sectorNum;\r
+ key_cnt[ii]++;\r
+ break;\r
+ }\r
+ }\r
+ }\r
+ continue;\r
+ }\r