]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhfmf.c
PCF-fix bytepos range from 0-3 to 0-15
[proxmark3-svn] / client / cmdhfmf.c
index f225359d7d8801cfb4e053f0d47bce73e1f831e1..48e78b1c2fcad2a74a90de187356d346ed54492c 100644 (file)
@@ -17,15 +17,14 @@ int CmdHF14AMifare(const char *Cmd)
        uint32_t uid = 0;\r
        uint32_t nt = 0, nr = 0;\r
        uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
-       uint8_t isOK = 0;\r
-       uint8_t keyBlock[8] = {0};\r
+       int16_t isOK = 0;\r
 \r
        UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
 \r
        // message\r
        printf("-------------------------------------------------------------------------\n");\r
        printf("Executing command. Expected execution time: 25sec on average  :-)\n");\r
-       printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+       printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
        printf("-------------------------------------------------------------------------\n");\r
 \r
        \r
@@ -47,15 +46,22 @@ start:
                }\r
                \r
                UsbCommand resp;\r
-               if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {\r
-                       isOK  = resp.arg[0] & 0xff;\r
+               if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
+                       isOK  = resp.arg[0];\r
                        uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);\r
                        nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);\r
                        par_list = bytes_to_num(resp.d.asBytes +  8, 8);\r
                        ks_list = bytes_to_num(resp.d.asBytes +  16, 8);\r
                        nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
                        printf("\n\n");\r
-                       if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");\r
+                       switch (isOK) {\r
+                               case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
+                               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
+                               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+                                                       PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
+                               default: ;\r
+                       }\r
                        break;\r
                }\r
        }       \r
@@ -69,22 +75,13 @@ start:
        if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
                isOK = 2;\r
                PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);    \r
-       } else {\r
-               printf("------------------------------------------------------------------\n");\r
-               PrintAndLog("Key found:%012"llx" \n", r_key);\r
-\r
-               num_to_bytes(r_key, 6, keyBlock);\r
-               isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);\r
-       }\r
-       \r
-       if (!isOK) \r
-               PrintAndLog("Found valid key:%012"llx, r_key);\r
-       else\r
-       {\r
-               if (isOK != 2) PrintAndLog("Found invalid key. ");      \r
                PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
                c.arg[0] = false;\r
                goto start;\r
+       } else {\r
+               isOK = 0;\r
+               printf("------------------------------------------------------------------\n");\r
+               PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
        }\r
        \r
        PrintAndLog("");\r
@@ -434,7 +431,7 @@ int CmdHF14AMfRestore(const char *Cmd)
 {\r
        uint8_t sectorNo,blockNo;\r
        uint8_t keyType = 0;\r
-       uint8_t key[6] = {0xFF};\r
+       uint8_t key[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};\r
        uint8_t bldata[16] = {0x00};\r
        uint8_t keyA[40][6];\r
        uint8_t keyB[40][6];\r
@@ -547,7 +544,7 @@ int CmdHF14AMfNested(const char *Cmd)
        uint8_t trgKeyType = 0;\r
        uint8_t SectorsCnt = 0;\r
        uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
-       uint8_t keyBlock[13*6];\r
+       uint8_t keyBlock[14*6];\r
        uint64_t key64 = 0;\r
        bool transferToEml = false;\r
        \r
@@ -622,8 +619,14 @@ int CmdHF14AMfNested(const char *Cmd)
        \r
        if (cmdp == 'o') {\r
                PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
-               if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {\r
-                       PrintAndLog("Nested error.");\r
+               int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
+               if (isOK) {\r
+                       switch (isOK) {\r
+                               case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                               case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                               case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+                               default : PrintAndLog("Unknown Error.\n");\r
+                       }\r
                        return 2;\r
                }\r
                key64 = bytes_to_num(keyBlock, 6);\r
@@ -678,7 +681,7 @@ int CmdHF14AMfNested(const char *Cmd)
                        for (j = 0; j < 2; j++) {\r
                                if (e_sector[i].foundKey[j]) continue;\r
                                \r
-                               res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64);\r
+                               res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);\r
                                \r
                                if (!res) {\r
                                        e_sector[i].Key[j] = key64;\r
@@ -696,11 +699,17 @@ int CmdHF14AMfNested(const char *Cmd)
                                for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
                                        if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
                                        PrintAndLog("-----------------------------------------------");\r
-                                       if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {\r
-                                               PrintAndLog("Nested error.\n");\r
+                                       int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
+                                       if(isOK) {\r
+                                               switch (isOK) {\r
+                                                       case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+                                                       case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+                                                       case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+                                                       default : PrintAndLog("Unknown Error.\n");\r
+                                               }\r
                                                free(e_sector);\r
-                                               return 2;                                       }\r
-                                       else {\r
+                                               return 2;\r
+                                       else {\r
                                                calibrate = false;\r
                                        }\r
                                        \r
@@ -956,7 +965,7 @@ int CmdHF14AMfChk(const char *Cmd)
                        uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
                        for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
                                uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
-                               res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);\r
+                               res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
                                if (res != 1) {\r
                                        if (!res) {\r
                                                PrintAndLog("Found valid key:[%012"llx"]",key64);\r
@@ -1200,7 +1209,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
 \r
        fnameptr += len;\r
 \r
@@ -1299,17 +1308,20 @@ int CmdHF14AMfESave(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
        \r
        // user supplied filename?\r
        if (len < 1) {\r
                // get filename (UID from memory)\r
                if (mfEmlGetMem(buf, 0, 1)) {\r
                        PrintAndLog("Can\'t get UID from block: %d", 0);\r
-                       sprintf(filename, "dump.eml"); \r
+                       len = sprintf(fnameptr, "dump");\r
+                       fnameptr += len;\r
+               }\r
+               else {\r
+                       for (j = 0; j < 7; j++, fnameptr += 2)\r
+                               sprintf(fnameptr, "%02X", buf[j]);\r
                }\r
-               for (j = 0; j < 7; j++, fnameptr += 2)\r
-                       sprintf(fnameptr, "%02X", buf[j]); \r
        } else {\r
                fnameptr += len;\r
        }\r
@@ -1433,27 +1445,60 @@ int CmdHF14AMfCSetUID(const char *Cmd)
        uint8_t wipeCard = 0;\r
        uint8_t uid[8] = {0x00};\r
        uint8_t oldUid[8] = {0x00};\r
+       uint8_t atqa[2] = {0x00};\r
+       uint8_t sak[1] = {0x00};\r
+       uint8_t atqaPresent = 1;\r
        int res;\r
-\r
-       if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
-               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> <w>");\r
-               PrintAndLog("sample:  hf mf csetuid 01020304 w");\r
-               PrintAndLog("Set UID for magic Chinese card (only works with!!!)");\r
-               PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
+       char ctmp;\r
+       int argi=0;\r
+\r
+       if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') {\r
+               PrintAndLog("Usage:  hf mf csetuid <UID 8 hex symbols> [ATQA 4 hex symbols SAK 2 hex symbols] [w]");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304");\r
+               PrintAndLog("sample:  hf mf csetuid 01020304 0004 08 w");\r
+               PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)");\r
+               PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line.");\r
                return 0;\r
-       }       \r
+       }\r
 \r
-       if (param_getchar(Cmd, 0) && param_gethex(Cmd, 0, uid, 8)) {\r
+       if (param_getchar(Cmd, argi) && param_gethex(Cmd, argi, uid, 8)) {\r
                PrintAndLog("UID must include 8 HEX symbols");\r
                return 1;\r
        }\r
+       argi++;\r
+\r
+       ctmp = param_getchar(Cmd, argi);\r
+       if (ctmp == 'w' || ctmp == 'W') {\r
+               wipeCard = 1;\r
+               atqaPresent = 0;\r
+       }\r
+\r
+       if (atqaPresent) {\r
+               if (param_getchar(Cmd, argi)) {\r
+                       if (param_gethex(Cmd, argi, atqa, 4)) {\r
+                               PrintAndLog("ATQA must include 4 HEX symbols");\r
+                               return 1;\r
+                       }\r
+                       argi++;\r
+                       if (!param_getchar(Cmd, argi) || param_gethex(Cmd, argi, sak, 2)) {\r
+                               PrintAndLog("SAK must include 2 HEX symbols");\r
+                               return 1;\r
+                       }\r
+                       argi++;\r
+               } else\r
+                       atqaPresent = 0;\r
+       }\r
+\r
+       if(!wipeCard) {\r
+               ctmp = param_getchar(Cmd, argi);\r
+               if (ctmp == 'w' || ctmp == 'W') {\r
+                       wipeCard = 1;\r
+               }\r
+       }\r
 \r
-       char ctmp = param_getchar(Cmd, 1);\r
-       if (ctmp == 'w' || ctmp == 'W') wipeCard = 1;\r
-       \r
        PrintAndLog("--wipe card:%s  uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4));\r
 \r
-       res = mfCSetUID(uid, oldUid, wipeCard);\r
+       res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard);\r
        if (res) {\r
                        PrintAndLog("Can't set UID. error=%d", res);\r
                        return 1;\r
@@ -1466,16 +1511,16 @@ int CmdHF14AMfCSetUID(const char *Cmd)
 \r
 int CmdHF14AMfCSetBlk(const char *Cmd)\r
 {\r
-       uint8_t uid[8] = {0x00};\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t blockNo = 0;\r
+       bool wipeCard = FALSE;\r
        int res;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
-               PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)>");\r
+               PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)> [w]");\r
                PrintAndLog("sample:  hf mf csetblk 1 01020304050607080910111213141516");\r
-               PrintAndLog("Set block data for magic Chinese card (only works with!!!)");\r
-               PrintAndLog("If you want wipe card then add 'w' into command line. \n");\r
+               PrintAndLog("Set block data for magic Chinese card (only works with such cards)");\r
+               PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");\r
                return 0;\r
        }       \r
 \r
@@ -1486,14 +1531,15 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
                return 1;\r
        }\r
 \r
+       char ctmp = param_getchar(Cmd, 2);\r
+       wipeCard = (ctmp == 'w' || ctmp == 'W');\r
        PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));\r
 \r
-       res = mfCSetBlock(blockNo, memBlock, uid, 0, CSETBLOCK_SINGLE_OPER);\r
+       res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);\r
        if (res) {\r
-                       PrintAndLog("Can't write block. error=%d", res);\r
-                       return 1;\r
-               }\r
-       \r
+               PrintAndLog("Can't write block. error=%d", res);\r
+               return 1;\r
+       }\r
        return 0;\r
 }\r
 \r
@@ -1506,7 +1552,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
        char buf[64] = {0x00};\r
        uint8_t buf8[64] = {0x00};\r
        uint8_t fillFromEmulator = 0;\r
-       int i, len, blockNum, flags;\r
+       int i, len, blockNum, flags=0;\r
        \r
        if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {\r
                PrintAndLog("It loads magic Chinese card from the file `filename.eml`");\r
@@ -1521,15 +1567,14 @@ int CmdHF14AMfCLoad(const char *Cmd)
        if (ctmp == 'e' || ctmp == 'E') fillFromEmulator = 1;\r
        \r
        if (fillFromEmulator) {\r
-               flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
                for (blockNum = 0; blockNum < 16 * 4; blockNum += 1) {\r
                        if (mfEmlGetMem(buf8, blockNum, 1)) {\r
                                PrintAndLog("Cant get block: %d", blockNum);\r
                                return 2;\r
                        }\r
-                       \r
-                       if (blockNum == 2) flags = 0;\r
-                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+                       if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;                               // switch on field and send magic sequence\r
+                       if (blockNum == 1) flags = 0;                                                                                                   // just write\r
+                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;             // Done. Magic Halt and switch off field.\r
 \r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Cant set magic card block: %d", blockNum);\r
@@ -1539,7 +1584,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
 \r
                memcpy(filename, Cmd, len);\r
                fnameptr += len;\r
@@ -1554,27 +1599,29 @@ int CmdHF14AMfCLoad(const char *Cmd)
                }\r
        \r
                blockNum = 0;\r
-               flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;\r
                while(!feof(f)){\r
                \r
                        memset(buf, 0, sizeof(buf));\r
                        \r
                        if (fgets(buf, sizeof(buf), f) == NULL) {\r
+                               fclose(f);\r
                                PrintAndLog("File reading error.");\r
                                return 2;\r
                        }\r
 \r
-                       if (strlen(buf) < 32){\r
+                       if (strlen(buf) < 32) {\r
                                if(strlen(buf) && feof(f))\r
                                        break;\r
                                PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
+                               fclose(f);\r
                                return 2;\r
                        }\r
                        for (i = 0; i < 32; i += 2)\r
                                sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]);\r
 \r
-                       if (blockNum == 2) flags = 0;\r
-                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;\r
+                       if (blockNum == 0) flags = CSETBLOCK_INIT_FIELD + CSETBLOCK_WUPC;                               // switch on field and send magic sequence\r
+                       if (blockNum == 1) flags = 0;                                                                                                   // just write\r
+                       if (blockNum == 16 * 4 - 1) flags = CSETBLOCK_HALT + CSETBLOCK_RESET_FIELD;             // Done. Switch off field.\r
 \r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Can't set magic card block: %d", blockNum);\r
@@ -1605,7 +1652,7 @@ int CmdHF14AMfCGetBlk(const char *Cmd) {
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf cgetblk <block number>");\r
                PrintAndLog("sample:  hf mf cgetblk 1");\r
-               PrintAndLog("Get block data from magic Chinese card (only works with!!!)\n");\r
+               PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");\r
                return 0;\r
        }       \r
 \r
@@ -1632,7 +1679,7 @@ int CmdHF14AMfCGetSc(const char *Cmd) {
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
                PrintAndLog("Usage:  hf mf cgetsc <sector number>");\r
                PrintAndLog("sample:  hf mf cgetsc 0");\r
-               PrintAndLog("Get sector data from magic Chinese card (only works with!!!)\n");\r
+               PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");\r
                return 0;\r
        }       \r
 \r
@@ -1706,16 +1753,19 @@ int CmdHF14AMfCSave(const char *Cmd) {
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;\r
+               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
        \r
                if (len < 1) {\r
                        // get filename\r
                        if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {\r
                                PrintAndLog("Cant get block: %d", 0);\r
-                               return 1;\r
+                               len = sprintf(fnameptr, "dump");\r
+                               fnameptr += len;\r
+                       }\r
+                       else {\r
+                               for (j = 0; j < 7; j++, fnameptr += 2)\r
+                                       sprintf(fnameptr, "%02x", buf[j]); \r
                        }\r
-                       for (j = 0; j < 7; j++, fnameptr += 2)\r
-                               sprintf(fnameptr, "%02x", buf[j]); \r
                } else {\r
                        memcpy(filename, Cmd, len);\r
                        fnameptr += len;\r
@@ -1901,6 +1951,13 @@ int CmdHF14AMfSniff(const char *Cmd){
        return 0;\r
 }\r
 \r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+       uint8_t data[50];\r
+       int len = 0;\r
+       param_gethex_ex(Cmd,3,data,&len);\r
+       return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
+}\r
 \r
 static command_t CommandTable[] =\r
 {\r
@@ -1929,6 +1986,7 @@ static command_t CommandTable[] =
   {"cgetsc",   CmdHF14AMfCGetSc,               0, "Read sector - Magic Chinese card"},\r
   {"cload",            CmdHF14AMfCLoad,                0, "Load dump into magic Chinese card"},\r
   {"csave",            CmdHF14AMfCSave,                0, "Save dump from magic Chinese card into file or emulator"},\r
+  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
   {NULL, NULL, 0, NULL}\r
 };\r
 \r
Impressum, Datenschutz