//-----------------------------------------------------------------------------\r
\r
#include "cmdhfmf.h"\r
+#include "./nonce2key/nonce2key.h"\r
\r
static int CmdHelp(const char *Cmd);\r
\r
printf("-------------------------------------------------------------------------\n");\r
\r
\r
-start:\r
+ start:\r
clearCommandBuffer();\r
SendCommand(&c);\r
\r
case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
+ case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+ PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
default: ;\r
}\r
break;\r
//We're waiting only 1.5 s at a time, otherwise we get the\r
// annoying message about "Waiting for a response... "\r
}\r
+ //got a response\r
+ if (flags & FLAG_NR_AR_ATTACK) {\r
+ typedef struct {\r
+ uint32_t cuid;\r
+ uint8_t sector;\r
+ uint8_t keytype;\r
+ uint32_t nonce;\r
+ uint32_t ar;\r
+ uint32_t nr;\r
+ uint32_t nonce2;\r
+ uint32_t ar2;\r
+ uint32_t nr2;\r
+ } nonces_t;\r
+ nonces_t ar_resp[4];\r
+ //uint32_t ar_responses[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};\r
+ uint64_t key = 0;\r
+ //uint64_t keyB = 0;\r
+ //uint8_t arnr_len = 8;\r
+ memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+ \r
+ for (uint8_t i = 0; i<4; i++) {\r
+ if (ar_resp[i].ar2 > 0) {\r
+ key = mfkey32(ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+ if (key>0) {\r
+ PrintAndLog("\nFound Key%s for sector %d: [%04x%08x]", (i<2) ? "A" : "B", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+ //set emulator memory for key\r
+ } \r
+ }\r
+ }\r
+ /*\r
+ if (ar_resp[1] && ar_responses[2] && ar_responses[3] && ar_responses[6] && ar_responses[7]) {\r
+ keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);\r
+ if (keyA>0) {\r
+ PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
+ //set emulator memory for key\r
+ } else {\r
+ keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]); \r
+ if (keyA>0) {\r
+ PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
+ //set emulator memory for key\r
+ }\r
+ }\r
+ } else {\r
+ PrintAndLog("keyA response error: %d %d %d %d %d",ar_responses[1] , ar_responses[2] , ar_responses[3] , ar_responses[6] , ar_responses[7]);\r
+ }\r
+ if (ar_responses[1] && ar_responses[2+arnr_len] && ar_responses[3+arnr_len] && ar_responses[6+arnr_len] && ar_responses[7+arnr_len]) {\r
+ keyB = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2+arnr_len],ar_responses[3+arnr_len],ar_responses[6+arnr_len],ar_responses[7+arnr_len]);\r
+ if (keyB>0) {\r
+ PrintAndLog("\nFound KeyB: [%04x%08x]\n\n", (uint32_t) (keyB>>32), (uint32_t) (keyB & 0xFFFFFFFF));\r
+ //set emulator memory for key\r
+ }\r
+ }\r
+ if (keyA || keyB) {\r
+ //TODO retry sim with new keys in emulator memory? (somehow flag to check that to see if new key has successful auth now?)\r
+ // to validate key is correct\r
+ }\r
+ */\r
+ }\r
}\r
\r
return 0;\r
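Review bot: The `memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp))` on line 45 copies raw device bytes into `nonces_t`, which has two bytes of padding after `keytype` (`uint32_t cuid`, two `uint8_t`, then `uint32_t nonce`), so unless the device side emits exactly that padded layout the `nonce`/`ar`/`nr` fields land on the wrong offsets and `mfkey32` runs on garbage. Declaring the struct `__attribute__((packed))` (and keeping the identical definition on the device side) removes the ambiguity, and comparing the response's reported length against `sizeof(ar_resp)` before the copy would be prudent — I can't see the device-side struct or the size of `resp.d.asBytes` from here, so confirm both. The copied `keytype` field is then ignored: line 51 derives A/B from the slot index with `(i<2) ? "A" : "B"`, whereas something like `ar_resp[i].keytype ? "B" : "A"` (matching whatever encoding the device uses) would make the label follow the data rather than a positional assumption. The commented-out block on lines 56–83 should be deleted rather than carried in the tree. The enclosing function starts before this hunk.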
return 0;\r
}\r
\r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+ uint8_t data[50];\r
+ int len = 0;\r
+ param_gethex_ex(Cmd,3,data,&len);\r
+ return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
+}\r
\r
static command_t CommandTable[] =\r
{\r
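Review bot: `CmdDecryptTraceCmds` decodes the fourth argument into `uint8_t data[50]` via `param_gethex_ex(Cmd,3,data,&len)` with nothing bounding the decoded length, so a longer hex string on the command line overruns the stack buffer; as called here the helper receives no capacity, and its return value (presumably non-zero on a malformed argument) is discarded too. Check the argument before decoding, e.g. `if (param_getlength(Cmd, 3) > sizeof(data) * 2) return 1;` using whichever length helper util.c provides, and return early when `param_gethex_ex` reports failure. `len/2` also silently truncates an odd hex-digit count (assuming `len` is in hex digits, as the division suggests); rejecting odd lengths with a usage message would give clearer feedback than decrypting a short buffer.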
{"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
{"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
{"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
{NULL, NULL, 0, NULL}\r
};\r
\r