X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/16a95d76ac51d07ca56ecf6761fc3a2155bf93a9..4c16ae80f0bffae2092e208c46a5005356c24ce1:/client/cmdhfmf.c

diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index c16b9674..3fc3f8f7 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -8,7 +8,9 @@
 // High frequency MIFARE commands
 //-----------------------------------------------------------------------------
 
+#include <inttypes.h>
 #include "cmdhfmf.h"
+#include "./nonce2key/nonce2key.h"
 
 static int CmdHelp(const char *Cmd);
 
@@ -17,25 +19,26 @@ int CmdHF14AMifare(const char *Cmd)
 	uint32_t uid = 0;
 	uint32_t nt = 0, nr = 0;
 	uint64_t par_list = 0, ks_list = 0, r_key = 0;
-	uint8_t isOK = 0;
-	uint8_t keyBlock[8] = {0};
+	int16_t isOK = 0;
 
 	UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
 
 	// message
 	printf("-------------------------------------------------------------------------\n");
 	printf("Executing command. Expected execution time: 25sec on average  :-)\n");
-	printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");
+	printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");
 	printf("-------------------------------------------------------------------------\n");
 
 	
-start:
+ start:
     clearCommandBuffer();
     SendCommand(&c);
 	
 	//flush queue
-	while (ukbhit())	getchar();
-
+	while (ukbhit()) {
+		int c = getchar(); (void) c;
+	}
+	
 	// wait cycle
 	while (true) {
         printf(".");
@@ -47,15 +50,22 @@ start:
 		}
 		
 		UsbCommand resp;
-		if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
-			isOK  = resp.arg[0] & 0xff;
+		if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
+			isOK  = resp.arg[0];
 			uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);
 			nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);
 			par_list = bytes_to_num(resp.d.asBytes +  8, 8);
 			ks_list = bytes_to_num(resp.d.asBytes +  16, 8);
 			nr = bytes_to_num(resp.d.asBytes + 24, 4);
 			printf("\n\n");
-			if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");
+			switch (isOK) {
+				case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;
+				case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;
+				case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;
+				case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
+							PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
+				default: ;
+			}
 			break;
 		}
 	}	
@@ -69,22 +79,13 @@ start:
 	if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {
 		isOK = 2;
 		PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);	
-	} else {
-		printf("------------------------------------------------------------------\n");
-		PrintAndLog("Key found:%012"llx" \n", r_key);
-
-		num_to_bytes(r_key, 6, keyBlock);
-		isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key);
-	}
-	
-	if (!isOK) 
-		PrintAndLog("Found valid key:%012"llx, r_key);
-	else
-	{
-		if (isOK != 2) PrintAndLog("Found invalid key. ");	
 		PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");
 		c.arg[0] = false;
 		goto start;
+	} else {
+		isOK = 0;
+		printf("------------------------------------------------------------------\n");
+		PrintAndLog("Found valid key:%012" PRIx64 " \n", r_key);
 	}
 	
 	PrintAndLog("");
@@ -304,7 +305,8 @@ int CmdHF14AMfDump(const char *Cmd)
 	
 	// Read keys A from file
 	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {
+		size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error.");
 			fclose(fin);
 			return 2;
@@ -313,7 +315,8 @@ int CmdHF14AMfDump(const char *Cmd)
 	
 	// Read keys B from file
 	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {
+		size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error.");
 			fclose(fin);
 			return 2;
@@ -434,7 +437,7 @@ int CmdHF14AMfRestore(const char *Cmd)
 {
 	uint8_t sectorNo,blockNo;
 	uint8_t keyType = 0;
-	uint8_t key[6] = {0xFF};
+	uint8_t key[6] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
 	uint8_t bldata[16] = {0x00};
 	uint8_t keyA[40][6];
 	uint8_t keyB[40][6];
@@ -468,16 +471,17 @@ int CmdHF14AMfRestore(const char *Cmd)
 	}
 	
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
-		if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
+		size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
-
 			fclose(fkeys);
 			return 2;
 		}
 	}
 
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
-		if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {
+		size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
 			fclose(fkeys);
 			return 2;
@@ -497,7 +501,8 @@ int CmdHF14AMfRestore(const char *Cmd)
 			UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
 			memcpy(c.d.asBytes, key, 6);
 			
-			if (fread(bldata, 1, 16, fdump) == 0) {
+			size_t bytes_read = fread(bldata, 1, 16, fdump);
+			if (bytes_read != 16) {
 				PrintAndLog("File reading error (dumpdata.bin).");
 				fclose(fdump);
 				return 2;
@@ -547,7 +552,7 @@ int CmdHF14AMfNested(const char *Cmd)
 	uint8_t trgKeyType = 0;
 	uint8_t SectorsCnt = 0;
 	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
-	uint8_t keyBlock[13*6];
+	uint8_t keyBlock[14*6];
 	uint64_t key64 = 0;
 	bool transferToEml = false;
 	
@@ -622,13 +627,19 @@ int CmdHF14AMfNested(const char *Cmd)
 	
 	if (cmdp == 'o') {
 		PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');
-		if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {
-			PrintAndLog("Nested error.");
+		int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);
+		if (isOK) {
+			switch (isOK) {
+				case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
+				case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
+				case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
+				default : PrintAndLog("Unknown Error.\n");
+			}
 			return 2;
 		}
 		key64 = bytes_to_num(keyBlock, 6);
 		if (key64) {
-			PrintAndLog("Found valid key:%012"llx, key64);
+			PrintAndLog("Found valid key:%012" PRIx64, key64);
 
 			// transfer key to the emulator
 			if (transferToEml) {
@@ -678,7 +689,7 @@ int CmdHF14AMfNested(const char *Cmd)
 			for (j = 0; j < 2; j++) {
 				if (e_sector[i].foundKey[j]) continue;
 				
-				res = mfCheckKeys(FirstBlockOfSector(i), j, 6, keyBlock, &key64);
+				res = mfCheckKeys(FirstBlockOfSector(i), j, true, 6, keyBlock, &key64);
 				
 				if (!res) {
 					e_sector[i].Key[j] = key64;
@@ -696,11 +707,17 @@ int CmdHF14AMfNested(const char *Cmd)
 				for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { 
 					if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
 					PrintAndLog("-----------------------------------------------");
-					if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {
-						PrintAndLog("Nested error.\n");
+					int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);
+					if(isOK) {
+						switch (isOK) {
+							case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
+							case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
+							case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
+							default : PrintAndLog("Unknown Error.\n");
+						}
 						free(e_sector);
-						return 2;					}
-					else {
+						return 2;
+					} else {
 						calibrate = false;
 					}
 					
@@ -708,7 +725,7 @@ int CmdHF14AMfNested(const char *Cmd)
 
 					key64 = bytes_to_num(keyBlock, 6);
 					if (key64) {
-						PrintAndLog("Found valid key:%012"llx, key64);
+						PrintAndLog("Found valid key:%012" PRIx64, key64);
 						e_sector[sectorNo].foundKey[trgKeyType] = 1;
 						e_sector[sectorNo].Key[trgKeyType] = key64;
 					}
@@ -724,7 +741,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		PrintAndLog("|sec|key A           |res|key B           |res|");
 		PrintAndLog("|---|----------------|---|----------------|---|");
 		for (i = 0; i < SectorsCnt; i++) {
-			PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,
+			PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,
 				e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
 		}
 		PrintAndLog("|---|----------------|---|----------------|---|");
@@ -909,13 +926,14 @@ int CmdHF14AMfChk(const char *Cmd)
 						if (!p) {
 							PrintAndLog("Cannot allocate memory for defKeys");
 							free(keyBlock);
+							fclose(f);
 							return 2;
 						}
 						keyBlock = p;
 					}
 					memset(keyBlock + 6 * keycnt, 0, 6);
 					num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
-					PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
+					PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
 					keycnt++;
 					memset(buf, 0, sizeof(buf));
 				}
@@ -956,10 +974,10 @@ int CmdHF14AMfChk(const char *Cmd)
 			uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;
 			for (uint32_t c = 0; c < keycnt; c+=max_keys) {
 				uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;
-				res = mfCheckKeys(b, t, size, &keyBlock[6*c], &key64);
+				res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
 				if (res != 1) {
 					if (!res) {
-						PrintAndLog("Found valid key:[%012"llx"]",key64);
+						PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);
 						num_to_bytes(key64, 6, foundKey[t][i]);
 						validKey[t][i] = true;
 					} 
@@ -1006,72 +1024,309 @@ int CmdHF14AMfChk(const char *Cmd)
 	return 0;
 }
 
-int CmdHF14AMf1kSim(const char *Cmd)
-{
-	uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
+	#define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()
+	uint64_t key = 0;
+	typedef struct {
+			uint64_t keyA;
+			uint64_t keyB;
+	} st_t;
+	st_t sector_trailer[ATTACK_KEY_COUNT];
+	memset(sector_trailer, 0x00, sizeof(sector_trailer));
+
+	uint8_t	stSector[ATTACK_KEY_COUNT];
+	memset(stSector, 0x00, sizeof(stSector));
+	uint8_t key_cnt[ATTACK_KEY_COUNT];
+	memset(key_cnt, 0x00, sizeof(key_cnt));
+
+	for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
+		if (ar_resp[i].ar2 > 0) {
+			//PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);
+			if (doStandardAttack && mfkey32(ar_resp[i], &key)) {
+				PrintAndLog("  Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
+
+				for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
+					if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {
+						if (ar_resp[i].keytype==0) {
+							//keyA
+							sector_trailer[ii].keyA = key;
+							stSector[ii] = ar_resp[i].sector;
+							key_cnt[ii]++;
+							break;
+						} else {
+							//keyB
+							sector_trailer[ii].keyB = key;
+							stSector[ii] = ar_resp[i].sector;
+							key_cnt[ii]++;
+							break;
+						}
+					}
+				}
+			} else if (tryMfk32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {
+				uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;
+				uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;
+
+				PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"
+					, keyType ? "B" : "A"
+					, sectorNum
+					, key
+				);
+
+				for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
+					if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {
+						if (keyType==0) {
+							//keyA
+							sector_trailer[ii].keyA = key;
+							stSector[ii] = sectorNum;
+							key_cnt[ii]++;
+							break;
+						} else {
+							//keyB
+							sector_trailer[ii].keyB = key;
+							stSector[ii] = sectorNum;
+							key_cnt[ii]++;
+							break;
+						}
+					}
+				}
+				continue;
+			}
+		}
+	}
+	//set emulator memory for keys
+	if (setEmulatorMem) {
+		for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
+			if (key_cnt[i]>0) {
+				uint8_t	memBlock[16];
+				memset(memBlock, 0x00, sizeof(memBlock));
+				char cmd1[36];
+				memset(cmd1,0x00,sizeof(cmd1));
+				snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));
+				PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);
+				if (param_gethex(cmd1, 0, memBlock, 32)) {
+					PrintAndLog("block data must include 32 HEX symbols");
+					return;
+				}
+				
+				UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};
+				memcpy(c.d.asBytes, memBlock, 16);
+				clearCommandBuffer();
+				SendCommand(&c);			
+			}
+		}
+	}
+	/*
+	//un-comment to use as well moebius attack
+	for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {
+		if (ar_resp[i].ar2 > 0) {
+			if (tryMfk32_moebius(ar_resp[i], &key)) {
+				PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
+			}
+		}
+	}*/
+}
+
+int usage_hf14_mf1ksim(void) {
+	PrintAndLog("Usage:  hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");
+	PrintAndLog("options:");
+	PrintAndLog("      h    this help");
+	PrintAndLog("      u    (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");
+	PrintAndLog("      n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
+	PrintAndLog("      i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
+	PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
+	PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");
+	PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");
+	PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");
+	PrintAndLog("samples:");
+	PrintAndLog("           hf mf sim u 0a0a0a0a");
+	PrintAndLog("           hf mf sim u 11223344556677");
+	PrintAndLog("           hf mf sim u 112233445566778899AA");
+	PrintAndLog("           hf mf sim f uids.txt");
+	PrintAndLog("           hf mf sim u 0a0a0a0a e");
+		
+	return 0;
+}
+
+int CmdHF14AMf1kSim(const char *Cmd) {
+	UsbCommand resp;
+	uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
 	uint8_t exitAfterNReads = 0;
 	uint8_t flags = 0;
-
-	uint8_t cmdp = param_getchar(Cmd, 0);
-	
-	if (cmdp == 'h' || cmdp == 'H') {
-		PrintAndLog("Usage:  hf mf sim  u <uid (8 hex symbols)> n <numreads> i x");
-		PrintAndLog("           h    this help");
-		PrintAndLog("           u    (Optional) UID. If not specified, the UID from emulator memory will be used");
-		PrintAndLog("           n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");
-		PrintAndLog("           i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");
-		PrintAndLog("           x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
-		PrintAndLog("");
-		PrintAndLog("           sample: hf mf sim u 0a0a0a0a ");
-		return 0;
-	}
+	int uidlen = 0;
 	uint8_t pnr = 0;
-	if (param_getchar(Cmd, pnr) == 'u') {
-		if(param_gethex(Cmd, pnr+1, uid, 8) == 0)
-		{
-			flags |= FLAG_4B_UID_IN_DATA; // UID from packet
-		} else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {
-			flags |= FLAG_7B_UID_IN_DATA;// UID from packet
-		} else {
-			PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");
-			return 1;
+	bool setEmulatorMem = false;
+	bool attackFromFile = false;
+	FILE *f;
+	char filename[FILE_PATH_SIZE];
+	memset(filename, 0x00, sizeof(filename));
+	int len = 0;
+	char buf[64];
+
+	uint8_t cmdp = 0;
+	bool errors = false;
+
+	while(param_getchar(Cmd, cmdp) != 0x00) {
+		switch(param_getchar(Cmd, cmdp)) {
+		case 'e':
+		case 'E':
+			setEmulatorMem = true;
+			//implies x and i
+			flags |= FLAG_INTERACTIVE;
+			flags |= FLAG_NR_AR_ATTACK;
+			cmdp++;
+			break;
+		case 'f':
+		case 'F':
+			len = param_getstr(Cmd, cmdp+1, filename);
+			if (len < 1) {
+				PrintAndLog("error no filename found");
+				return 0;
+			}
+			attackFromFile = true;
+			//implies x and i
+			flags |= FLAG_INTERACTIVE;
+			flags |= FLAG_NR_AR_ATTACK;
+			cmdp += 2;
+			break;
+		case 'h':
+		case 'H':
+			return usage_hf14_mf1ksim();
+		case 'i':
+		case 'I':
+			flags |= FLAG_INTERACTIVE;
+			cmdp++;
+			break;
+		case 'n':
+		case 'N':
+			exitAfterNReads = param_get8(Cmd, pnr+1);
+			cmdp += 2;
+			break;
+		case 'r':
+		case 'R':
+			flags |= FLAG_RANDOM_NONCE;
+			cmdp++;
+			break;
+		case 'u':
+		case 'U':
+			param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
+			switch(uidlen) {
+				case 20: flags = FLAG_10B_UID_IN_DATA;	break; //not complete
+				case 14: flags = FLAG_7B_UID_IN_DATA; break;
+				case  8: flags = FLAG_4B_UID_IN_DATA; break;
+				default: return usage_hf14_mf1ksim();
+			}
+			cmdp += 2;
+			break;
+		case 'x':
+		case 'X':
+			flags |= FLAG_NR_AR_ATTACK;
+			cmdp++;
+			break;
+		default:
+			PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
+			errors = true;
+			break;
 		}
-		pnr +=2;
-	}
-	if (param_getchar(Cmd, pnr) == 'n') {
-		exitAfterNReads = param_get8(Cmd,pnr+1);
-		pnr += 2;
-	}
-	if (param_getchar(Cmd, pnr) == 'i' ) {
-		//Using a flag to signal interactiveness, least significant bit
-		flags |= FLAG_INTERACTIVE;
-		pnr++;
+		if(errors) break;
 	}
+	//Validations
+	if(errors) return usage_hf14_mf1ksim();
 
-	if (param_getchar(Cmd, pnr) == 'x' ) {
-		//Using a flag to signal interactiveness, least significant bit
-		flags |= FLAG_NR_AR_ATTACK;
-	}
-	PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",
-				flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
-											  flags & FLAG_7B_UID_IN_DATA	? sprint_hex(uid,7): "N/A"
-				, exitAfterNReads, flags,flags);
+	//get uid from file
+	if (attackFromFile) {
+		int count = 0;
+		// open file
+		f = fopen(filename, "r");
+		if (f == NULL) {
+			PrintAndLog("File %s not found or locked", filename);
+			return 1;
+		}
+		PrintAndLog("Loading file and simulating. Press keyboard to abort");
+		while(!feof(f) && !ukbhit()){
+			memset(buf, 0, sizeof(buf));
+			memset(uid, 0, sizeof(uid));
 
+			if (fgets(buf, sizeof(buf), f) == NULL) {			
+				if (count > 0) break;
+				
+				PrintAndLog("File reading error.");
+				fclose(f);
+				return 2;
+			}
+			if(!strlen(buf) && feof(f)) break;
+
+			uidlen = strlen(buf)-1;
+			switch(uidlen) {
+				case 20: flags |= FLAG_10B_UID_IN_DATA;	break; //not complete
+				case 14: flags |= FLAG_7B_UID_IN_DATA; break;
+				case  8: flags |= FLAG_4B_UID_IN_DATA; break;
+				default: 
+					PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);
+					fclose(f);
+					return 2;
+			}
 
-	UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
-	memcpy(c.d.asBytes, uid, sizeof(uid));
-	SendCommand(&c);
+			for (uint8_t i = 0; i < uidlen; i += 2) {
+				sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);
+			}
+			
+			PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",
+					flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
+						flags & FLAG_7B_UID_IN_DATA	? sprint_hex(uid,7): 
+							flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
+					, exitAfterNReads, flags, flags);
+
+			UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
+			memcpy(c.d.asBytes, uid, sizeof(uid));
+			clearCommandBuffer();
+			SendCommand(&c);
 
-	if(flags & FLAG_INTERACTIVE)
-	{
-		UsbCommand resp;
-		PrintAndLog("Press pm3-button to abort simulation");
-		while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
-			//We're waiting only 1.5 s at a time, otherwise we get the
-			// annoying message about "Waiting for a response... "
+			while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+				//We're waiting only 1.5 s at a time, otherwise we get the
+				// annoying message about "Waiting for a response... "
+			}
+			//got a response
+			nonces_t ar_resp[ATTACK_KEY_COUNT*2];
+			memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
+			// We can skip the standard attack if we have RANDOM_NONCE set.
+			readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
+			if ((bool)resp.arg[1]) {
+				PrintAndLog("Device button pressed - quitting");
+				fclose(f);
+				return 4;
+			}
+			count++;
+		}
+		fclose(f);
+	} else { //not from file
+
+		PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",
+				flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
+					flags & FLAG_7B_UID_IN_DATA	? sprint_hex(uid,7): 
+						flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"
+				, exitAfterNReads, flags, flags);
+
+		UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
+		memcpy(c.d.asBytes, uid, sizeof(uid));
+		clearCommandBuffer();
+		SendCommand(&c);
+
+		if(flags & FLAG_INTERACTIVE) {
+			PrintAndLog("Press pm3-button to abort simulation");
+			while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+				//We're waiting only 1.5 s at a time, otherwise we get the
+				// annoying message about "Waiting for a response... "
+			}
+			//got a response
+			if (flags & FLAG_NR_AR_ATTACK) {
+				nonces_t ar_resp[ATTACK_KEY_COUNT*2];
+				memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
+				// We can skip the standard attack if we have RANDOM_NONCE set.
+				readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
+			}
 		}
 	}
-	
+
 	return 0;
 }
 
@@ -1200,7 +1455,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 
 	len = param_getstr(Cmd,nameParamNo,filename);
 	
-	if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
 	fnameptr += len;
 
@@ -1299,17 +1554,20 @@ int CmdHF14AMfESave(const char *Cmd)
 
 	len = param_getstr(Cmd,nameParamNo,filename);
 	
-	if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 	
 	// user supplied filename?
 	if (len < 1) {
 		// get filename (UID from memory)
 		if (mfEmlGetMem(buf, 0, 1)) {
 			PrintAndLog("Can\'t get UID from block: %d", 0);
-			sprintf(filename, "dump.eml"); 
+			len = sprintf(fnameptr, "dump");
+			fnameptr += len;
+		}
+		else {
+			for (j = 0; j < 7; j++, fnameptr += 2)
+				sprintf(fnameptr, "%02X", buf[j]);
 		}
-		for (j = 0; j < 7; j++, fnameptr += 2)
-			sprintf(fnameptr, "%02X", buf[j]); 
 	} else {
 		fnameptr += len;
 	}
@@ -1420,7 +1678,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
 		}
 		keyA = bytes_to_num(data, 6);
 		keyB = bytes_to_num(data + 10, 6);
-		PrintAndLog("|%03d|  %012"llx"  |  %012"llx"  |", i, keyA, keyB);
+		PrintAndLog("|%03d|  %012" PRIx64 "  |  %012" PRIx64 "  |", i, keyA, keyB);
 	}
 	PrintAndLog("|---|----------------|----------------|");
 	
@@ -1499,16 +1757,16 @@ int CmdHF14AMfCSetUID(const char *Cmd)
 
 int CmdHF14AMfCSetBlk(const char *Cmd)
 {
-	uint8_t uid[8] = {0x00};
 	uint8_t memBlock[16] = {0x00};
 	uint8_t blockNo = 0;
+	bool wipeCard = FALSE;
 	int res;
 
 	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
-		PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)>");
+		PrintAndLog("Usage:  hf mf csetblk <block number> <block data (32 hex symbols)> [w]");
 		PrintAndLog("sample:  hf mf csetblk 1 01020304050607080910111213141516");
-		PrintAndLog("Set block data for magic Chinese card (only works with!!!)");
-		PrintAndLog("If you want wipe card then add 'w' into command line. \n");
+		PrintAndLog("Set block data for magic Chinese card (only works with such cards)");
+		PrintAndLog("If you also want wipe the card then add 'w' at the end of the command line");
 		return 0;
 	}	
 
@@ -1519,14 +1777,15 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
 		return 1;
 	}
 
+	char ctmp = param_getchar(Cmd, 2);
+	wipeCard = (ctmp == 'w' || ctmp == 'W');
 	PrintAndLog("--block number:%2d data:%s", blockNo, sprint_hex(memBlock, 16));
 
-	res = mfCSetBlock(blockNo, memBlock, uid, 0, CSETBLOCK_SINGLE_OPER);
+	res = mfCSetBlock(blockNo, memBlock, NULL, wipeCard, CSETBLOCK_SINGLE_OPER);
 	if (res) {
-			PrintAndLog("Can't write block. error=%d", res);
-			return 1;
-		}
-	
+		PrintAndLog("Can't write block. error=%d", res);
+		return 1;
+	}
 	return 0;
 }
 
@@ -1539,7 +1798,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 	char buf[64] = {0x00};
 	uint8_t buf8[64] = {0x00};
 	uint8_t fillFromEmulator = 0;
-	int i, len, blockNum, flags;
+	int i, len, blockNum, flags=0;
 	
 	if (param_getchar(Cmd, 0) == 'h' || param_getchar(Cmd, 0)== 0x00) {
 		PrintAndLog("It loads magic Chinese card from the file `filename.eml`");
@@ -1571,7 +1830,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 		return 0;
 	} else {
 		len = strlen(Cmd);
-		if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
 		memcpy(filename, Cmd, len);
 		fnameptr += len;
@@ -1591,6 +1850,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 			memset(buf, 0, sizeof(buf));
 			
 			if (fgets(buf, sizeof(buf), f) == NULL) {
+				fclose(f);
 				PrintAndLog("File reading error.");
 				return 2;
 			}
@@ -1599,6 +1859,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 				if(strlen(buf) && feof(f))
 					break;
 				PrintAndLog("File content error. Block data must include 32 HEX symbols");
+				fclose(f);
 				return 2;
 			}
 			for (i = 0; i < 32; i += 2)
@@ -1610,6 +1871,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 
 			if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
 				PrintAndLog("Can't set magic card block: %d", blockNum);
+				fclose(f);
 				return 3;
 			}
 			blockNum++;
@@ -1637,7 +1899,7 @@ int CmdHF14AMfCGetBlk(const char *Cmd) {
 	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
 		PrintAndLog("Usage:  hf mf cgetblk <block number>");
 		PrintAndLog("sample:  hf mf cgetblk 1");
-		PrintAndLog("Get block data from magic Chinese card (only works with!!!)\n");
+		PrintAndLog("Get block data from magic Chinese card (only works with such cards)\n");
 		return 0;
 	}	
 
@@ -1664,7 +1926,7 @@ int CmdHF14AMfCGetSc(const char *Cmd) {
 	if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
 		PrintAndLog("Usage:  hf mf cgetsc <sector number>");
 		PrintAndLog("sample:  hf mf cgetsc 0");
-		PrintAndLog("Get sector data from magic Chinese card (only works with!!!)\n");
+		PrintAndLog("Get sector data from magic Chinese card (only works with such cards)\n");
 		return 0;
 	}	
 
@@ -1738,16 +2000,19 @@ int CmdHF14AMfCSave(const char *Cmd) {
 		return 0;
 	} else {
 		len = strlen(Cmd);
-		if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE;
+		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 	
 		if (len < 1) {
 			// get filename
 			if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) {
 				PrintAndLog("Cant get block: %d", 0);
-				return 1;
+				len = sprintf(fnameptr, "dump");
+				fnameptr += len;
+			}
+			else {
+				for (j = 0; j < 7; j++, fnameptr += 2)
+					sprintf(fnameptr, "%02x", buf[j]); 
 			}
-			for (j = 0; j < 7; j++, fnameptr += 2)
-				sprintf(fnameptr, "%02x", buf[j]); 
 		} else {
 			memcpy(filename, Cmd, len);
 			fnameptr += len;
@@ -1855,11 +2120,14 @@ int CmdHF14AMfSniff(const char *Cmd){
 			uint16_t traceLen = resp.arg[1];
 			len = resp.arg[2];
 
-			if (res == 0) return 0;						// we are done
+			if (res == 0) {								// we are done
+				free(buf);
+				return 0;
+			}
 
 			if (res == 1) {								// there is (more) data to be transferred
 				if (pckNum == 0) {						// first packet, (re)allocate necessary buffer
-					if (traceLen > bufsize) {
+					if (traceLen > bufsize || buf == NULL) {
 						uint8_t *p;
 						if (buf == NULL) {				// not yet allocated
 							p = malloc(traceLen);
@@ -1933,6 +2201,13 @@ int CmdHF14AMfSniff(const char *Cmd){
 	return 0;
 }
 
+//needs nt, ar, at, Data to decrypt
+int CmdDecryptTraceCmds(const char *Cmd){
+	uint8_t data[50];
+	int len = 0;
+	param_gethex_ex(Cmd,3,data,&len);
+	return tryDecryptWord(param_get32ex(Cmd,0,0,16),param_get32ex(Cmd,1,0,16),param_get32ex(Cmd,2,0,16),data,len/2);
+}
 
 static command_t CommandTable[] =
 {
@@ -1961,6 +2236,7 @@ static command_t CommandTable[] =
   {"cgetsc",	CmdHF14AMfCGetSc,		0, "Read sector - Magic Chinese card"},
   {"cload",		CmdHF14AMfCLoad,		0, "Load dump into magic Chinese card"},
   {"csave",		CmdHF14AMfCSave,		0, "Save dump from magic Chinese card into file or emulator"},
+  {"decrypt", CmdDecryptTraceCmds,1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
   {NULL, NULL, 0, NULL}
 };