hf mf sim x reader attack add-ons
index 5ef5273a4013aa759905c16ded2df9c57dcbfc20..df50441631fec0c1081d34405792c3ba5b954c2c 100644 (file)
@@ -9,6 +9,7 @@
 //-----------------------------------------------------------------------------\r
 \r
 #include "cmdhfmf.h"\r
+#include "./nonce2key/nonce2key.h"\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
@@ -18,7 +19,6 @@ int CmdHF14AMifare(const char *Cmd)
        uint32_t nt = 0, nr = 0;\r
        uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
        int16_t isOK = 0;\r
-       uint8_t keyBlock[8] = {0};\r
 \r
        UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
 \r
@@ -29,7 +29,7 @@ int CmdHF14AMifare(const char *Cmd)
        printf("-------------------------------------------------------------------------\n");\r
 \r
        \r
-start:\r
+ start:\r
     clearCommandBuffer();\r
     SendCommand(&c);\r
        \r
@@ -59,6 +59,8 @@ start:
                                case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
                                case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
                                case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
+                               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+                                                       PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
                                default: ;\r
                        }\r
                        break;\r
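Review bot: The new `case -4` message is split across two PrintAndLog calls with no separator after "wellknown", so depending on whether PrintAndLog appends a newline the user either sees "wellknowngenerating" run together or a sentence broken mid-clause, unlike the single-line messages in the neighbouring cases. One call with the full text (or at least a trailing space on the first string) keeps the output readable, e.g. `case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the well-known generating polynomial with 16 effective bits only, but shows unexpected behaviour).\n"); break;`. "wellknown" should read "well-known". The enclosing switch and CmdHF14AMifare start outside the hunk.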
@@ -74,22 +76,13 @@ start:
        if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
                isOK = 2;\r
                PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);    \r
-       } else {\r
-               printf("------------------------------------------------------------------\n");\r
-               PrintAndLog("Key found:%012"llx" \n", r_key);\r
-\r
-               num_to_bytes(r_key, 6, keyBlock);\r
-               isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);\r
-       }\r
-       \r
-       if (!isOK) \r
-               PrintAndLog("Found valid key:%012"llx, r_key);\r
-       else\r
-       {\r
-               if (isOK != 2) PrintAndLog("Found invalid key. ");      \r
                PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
                c.arg[0] = false;\r
                goto start;\r
+       } else {\r
+               isOK = 0;\r
+               printf("------------------------------------------------------------------\n");\r
+               PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
        }\r
        \r
        PrintAndLog("");\r
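Review bot: The new else branch prints `Found valid key` although nothing in the rewritten flow checks the recovered key against the card any more — the mfCheckKeys round-trip and the keyBlock it used were removed by this commit, so a wrong nonce2key result is now reported as valid and the "Found invalid key" path no longer exists. Either re-verify the key before printing (mfCheckKeys, whose new third argument is visible in the CmdHF14AMfNested and CmdHF14AMfChk hunks of this commit), or word the message to match what is actually known, e.g. `PrintAndLog("Key found (not verified against card):%012"llx" \n", r_key);`. The retry on nonce2key failure is unbounded via `goto start`, as before; a bounded attempt count would at least let the user know when the darkside attempt is not converging. The remainder of CmdHF14AMifare lies outside the hunk.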
@@ -689,7 +682,7 @@ int CmdHF14AMfNested(const char *Cmd)
                        for (j = 0; j < 2; j++) {\r
                                if (e_sector[i].foundKey[j]) continue;\r
                                \r
-                               res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64);\r
+                               res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);\r
                                \r
                                if (!res) {\r
                                        e_sector[i].Key[j] = key64;\r
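Review bot: The new third argument to mfCheckKeys is a bare `true` whose meaning cannot be recovered from this call site, and the same literal appears in the CmdHF14AMfChk hunk below. A short inline comment naming the parameter as it is declared in mfCheckKeys's prototype, e.g. `res = mfCheckKeys(FirstBlockOfSector(i), j, /* PARAM_NAME_PLACEHOLDER */ true, 6, keyBlock, &key64);`, would make both call sites self-explaining (the placeholder is to be replaced with the real parameter name, which is not visible in this diff). The enclosing loops of CmdHF14AMfNested start outside the hunk.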
@@ -973,7 +966,7 @@ int CmdHF14AMfChk(const char *Cmd)
                        uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
                        for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
                                uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
-                               res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);\r
+                               res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
                                if (res != 1) {\r
                                        if (!res) {\r
                                                PrintAndLog("Found valid key:[%012"llx"]",key64);\r
@@ -1087,6 +1080,64 @@ int CmdHF14AMf1kSim(const char *Cmd)
                        //We're waiting only 1.5 s at a time, otherwise we get the\r
                        // annoying message about "Waiting for a response... "\r
                }\r
+               //got a response\r
+               if (flags & FLAG_NR_AR_ATTACK) {\r
+                       typedef struct {\r
+                         uint32_t cuid;\r
+                         uint8_t  sector;\r
+                         uint8_t  keytype;\r
+                         uint32_t nonce;\r
+                         uint32_t ar;\r
+                         uint32_t nr;\r
+                         uint32_t nonce2;\r
+                         uint32_t ar2;\r
+                         uint32_t nr2;\r
+                       } nonces_t;\r
+                       nonces_t ar_resp[4];\r
+                       //uint32_t ar_responses[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};\r
+                       uint64_t key = 0;\r
+                       //uint64_t keyB = 0;\r
+                       //uint8_t arnr_len = 8;\r
+                       memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                       \r
+                       for (uint8_t i = 0; i<4; i++) {\r
+                               if (ar_resp[i].ar2 > 0) {\r
+                                       key = mfkey32(ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+                                       if (key>0) {\r
+                                               PrintAndLog("\nFound Key%s for sector %d: [%04x%08x]", (i<2) ? "A" : "B", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+                                               //set emulator memory for key\r
+                                       }       \r
+                               }\r
+                       }\r
+                       /*\r
+                       if (ar_resp[1] && ar_responses[2] && ar_responses[3] && ar_responses[6] && ar_responses[7]) {\r
+                               keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);\r
+                               if (keyA>0) {\r
+                                       PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
+                                       //set emulator memory for key\r
+                               } else {\r
+                                       keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);                        \r
+                                       if (keyA>0) {\r
+                                               PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
+                                               //set emulator memory for key\r
+                                       }\r
+                               }\r
+                       } else {\r
+                               PrintAndLog("keyA response error: %d %d %d %d %d",ar_responses[1] , ar_responses[2] , ar_responses[3] , ar_responses[6] , ar_responses[7]);\r
+                       }\r
+                       if (ar_responses[1] && ar_responses[2+arnr_len] && ar_responses[3+arnr_len] && ar_responses[6+arnr_len] && ar_responses[7+arnr_len]) {\r
+                               keyB = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2+arnr_len],ar_responses[3+arnr_len],ar_responses[6+arnr_len],ar_responses[7+arnr_len]);\r
+                               if (keyB>0) {\r
+                                       PrintAndLog("\nFound KeyB: [%04x%08x]\n\n", (uint32_t) (keyB>>32), (uint32_t) (keyB & 0xFFFFFFFF));\r
+                                       //set emulator memory for key\r
+                               }\r
+                       }\r
+                       if (keyA || keyB) {\r
+                               //TODO retry sim with new keys in emulator memory? (somehow flag to check that to see if new key has successful auth now?)\r
+                               //      to validate key is correct\r
+                       }\r
+                       */\r
+               }\r
        }\r
        \r
        return 0;\r
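Review bot: The key letter printed in the FLAG_NR_AR_ATTACK branch is derived from the array slot, `(i<2) ? "A" : "B"`, while the received `nonces_t` record carries a `keytype` field that the loop never reads; if that field is authoritative, reporting from it (`ar_resp[i].keytype` with whatever encoding the device side uses) would stop the output depending on slot ordering. The `memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp))` also relies on the locally typedef'd struct matching the layout the firmware writes byte for byte, including the padding that follows the two uint8_t fields, which is not guaranteed for a struct defined ad hoc inside the function — a definition shared with the device code (packed or with explicit layout) would keep the two in sync, and a `_Static_assert` on `sizeof(ar_resp)` against the response payload size would catch drift. The commented-out block from `if (ar_resp[1] && ar_responses[2] ...` through the closing `*/` is dead code and should be deleted rather than shipped. Formatting the recovered key as `%04x%08x` also differs from the `%012"llx` form the rest of the file uses for 48-bit keys. CmdHF14AMf1kSim starts outside the hunk.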
@@ -1959,6 +2010,13 @@ int CmdHF14AMfSniff(const char *Cmd){
        return 0;\r
 }\r
 \r
+//needs nt, ar, at, Data to decrypt\r
+int CmdDecryptTraceCmds(const char *Cmd){\r
+       uint8_t data[50];\r
+       int len = 0;\r
+       param_gethex_ex(Cmd,3,data,&len);\r
+       return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);\r
+}\r
 \r
 static command_t CommandTable[] =\r
 {\r
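Review bot: `param_gethex_ex(Cmd,3,data,&len)` is given no capacity for the 50-byte stack buffer `data`, so unless the helper bounds the write internally (its prototype is not in this diff) a longer hex string in the fourth argument position overruns the buffer from user input. Pass `sizeof data` if the helper accepts a limit, or otherwise validate before use, e.g. `if (len < 0 || (len & 1) || len / 2 > (int)sizeof data) return 1;` — the odd-length check matters because `len/2` silently drops a trailing nibble. A one-line doc comment stating the argument order and the units of `len` (hex digits, judging by the `len/2` conversion) would replace the terse `//needs nt, ar, at, Data to decrypt` header. The return value of tryDecryptWord is passed straight through, so its error convention becomes this command's; worth stating in the comment.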
@@ -1987,6 +2045,7 @@ static command_t CommandTable[] =
   {"cgetsc",   CmdHF14AMfCGetSc,               0, "Read sector - Magic Chinese card"},\r
   {"cload",            CmdHF14AMfCLoad,                0, "Load dump into magic Chinese card"},\r
   {"csave",            CmdHF14AMfCSave,                0, "Save dump from magic Chinese card into file or emulator"},\r
+  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
   {NULL, NULL, 0, NULL}\r
 };\r
 \r