X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/73ab92d14c8d80f1313f54d9a9b939cd9452b91b..e88c04f924abb31589f9f58691fcf94238fead63:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 07d2ab26..3fc3f8f7 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -8,6 +8,7 @@ // High frequency MIFARE commands //----------------------------------------------------------------------------- +#include #include "cmdhfmf.h" #include "./nonce2key/nonce2key.h" @@ -34,8 +35,10 @@ int CmdHF14AMifare(const char *Cmd) SendCommand(&c); //flush queue - while (ukbhit()) getchar(); - + while (ukbhit()) { + int c = getchar(); (void) c; + } + // wait cycle while (true) { printf("."); @@ -82,7 +85,7 @@ int CmdHF14AMifare(const char *Cmd) } else { isOK = 0; printf("------------------------------------------------------------------\n"); - PrintAndLog("Found valid key:%012"llx" \n", r_key); + PrintAndLog("Found valid key:%012" PRIx64 " \n", r_key); } PrintAndLog(""); @@ -302,7 +305,8 @@ int CmdHF14AMfDump(const char *Cmd) // Read keys A from file for (sectorNo=0; sectorNo Mifare1ksim() uint64_t key = 0; typedef struct { uint64_t keyA; - uint32_t security; uint64_t keyB; } st_t; st_t sector_trailer[ATTACK_KEY_COUNT]; 
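Review bot: In the `@@ -34,8 +35,10 @@` hunk the flush loop's new local `int c` shadows the outer `c` that `SendCommand(&c)` passes two lines earlier in the same hunk, which -Wshadow will flag and which invites a later mix-up between the two objects. The `(void) c;` exists only to silence an unused-result warning, so the local is not needed at all; `while (ukbhit()) (void)getchar();` flushes the same input without introducing a name. CmdHF14AMifare continues outside the hunk.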
@@ -1034,9 +1041,9 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { for (uint8_t i = 0; i 0) { - //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); - if (mfkey32(ar_resp[i], &key)) { - PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); + //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2); + if (doStandardAttack && mfkey32(ar_resp[i], &key)) { + PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); for (uint8_t ii = 0; ii0) { - //PrintAndLog ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF)); uint8_t memBlock[16]; memset(memBlock, 0x00, sizeof(memBlock)); char cmd1[36]; 
@@ -1081,30 +1115,35 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) { } } } - //moebius attack + /* + //un-comment to use as well moebius attack for (uint8_t i = ATTACK_KEY_COUNT; i 0) { if (tryMfk32_moebius(ar_resp[i], &key)) { PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF)); } } - } + }*/ } int usage_hf14_mf1ksim(void) { - PrintAndLog("Usage: hf mf sim [h] u n i x"); + PrintAndLog("Usage: hf mf sim h u n i x"); PrintAndLog("options:"); PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID 4,7 bytes. If not specified, the UID 4b from emulator memory will be used"); + PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used"); PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory"); + PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)"); PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f ' (implies x and i)"); + PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works."); PrintAndLog("samples:"); PrintAndLog(" hf mf sim u 0a0a0a0a"); PrintAndLog(" hf mf sim u 11223344556677"); - PrintAndLog(" hf mf sim u 112233445566778899AA"); + PrintAndLog(" hf mf sim u 112233445566778899AA"); + PrintAndLog(" hf mf sim f uids.txt"); + PrintAndLog(" hf mf sim u 0a0a0a0a e"); + return 0; } 
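Review bot: With the moebius loop wrapped in `/* ... */` the new `r` option has no key-recovery path at all: the usage line added here says only the moebius attack works with random nonces, the `readerAttack` calls elsewhere in this diff pass `!(flags & FLAG_RANDOM_NONCE)` as doStandardAttack, and the standard branch is gated on `doStandardAttack && mfkey32(...)`, so captured nonces under `r` are never processed. Either re-enable the moebius loop under `if (!doStandardAttack)` (or its own flag) or change the usage text to say that recovery with `r` has to be done offline from the printed nonces. Commented-out code should not stay in the function body either; git history keeps it. readerAttack starts before this hunk.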
@@ -1122,7 +1161,6 @@ int CmdHF14AMf1kSim(const char *Cmd) { memset(filename, 0x00, sizeof(filename)); int len = 0; char buf[64]; - uint8_t uidBuffer[64]; uint8_t cmdp = 0; bool errors = false; @@ -1132,6 +1170,9 @@ int CmdHF14AMf1kSim(const char *Cmd) { case 'e': case 'E': setEmulatorMem = true; + //implies x and i + flags |= FLAG_INTERACTIVE; + flags |= FLAG_NR_AR_ATTACK; cmdp++; break; case 'f': @@ -1142,7 +1183,10 @@ int CmdHF14AMf1kSim(const char *Cmd) { return 0; } attackFromFile = true; - cmdp+=2; + //implies x and i + flags |= FLAG_INTERACTIVE; + flags |= FLAG_NR_AR_ATTACK; + cmdp += 2; break; case 'h': case 'H': @@ -1157,6 +1201,11 @@ int CmdHF14AMf1kSim(const char *Cmd) { exitAfterNReads = param_get8(Cmd, pnr+1); cmdp += 2; break; + case 'r': + case 'R': + flags |= FLAG_RANDOM_NONCE; + cmdp++; + break; case 'u': case 'U': param_gethex_ex(Cmd, cmdp+1, uid, &uidlen); @@ -1166,7 +1215,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { case 8: flags = FLAG_4B_UID_IN_DATA; break; default: return usage_hf14_mf1ksim(); } - cmdp +=2; + cmdp += 2; break; case 'x': case 'X': @@ -1183,9 +1232,6 @@ int CmdHF14AMf1kSim(const char *Cmd) { //Validations if(errors) return usage_hf14_mf1ksim(); - // attack from file implies nr ar attack and interactive... - if (!(flags & FLAG_NR_AR_ATTACK) && attackFromFile) flags |= FLAG_NR_AR_ATTACK | FLAG_INTERACTIVE; - //get uid from file if (attackFromFile) { int count = 0; @@ -1198,7 +1244,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { PrintAndLog("Loading file and simulating. Press keyboard to abort"); while(!feof(f) && !ukbhit()){ memset(buf, 0, sizeof(buf)); - memset(uidBuffer, 0, sizeof(uidBuffer)); + memset(uid, 0, sizeof(uid)); if (fgets(buf, sizeof(buf), f) == NULL) { if (count > 0) break; 
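Review bot: In the `@@ -1166,7 +1215,7 @@` hunk the `u` option still assigns `flags = FLAG_4B_UID_IN_DATA` (the 7B/10B cases above it are outside the hunk but presumably do the same), so any bit set by an earlier option is lost: `hf mf sim r u 0a0a0a0a` drops FLAG_RANDOM_NONCE and `hf mf sim e u 0a0a0a0a` drops the interactive/attack bits the `e` case now sets. The file-based path in this same commit was switched to `|=`; the `u` cases should match, `case 8: flags |= FLAG_4B_UID_IN_DATA; break;` and likewise for 14 and 20. The duplicated `flags |= FLAG_INTERACTIVE; flags |= FLAG_NR_AR_ATTACK;` in the `e` and `f` cases could also be one line, `flags |= FLAG_INTERACTIVE | FLAG_NR_AR_ATTACK;`. CmdHF14AMf1kSim starts before and continues after these hunks.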
@@ -1207,21 +1253,21 @@ int CmdHF14AMf1kSim(const char *Cmd) { fclose(f); return 2; } - if(strlen(buf) && feof(f)) break; + if(!strlen(buf) && feof(f)) break; - uidlen = strlen(buf); + uidlen = strlen(buf)-1; switch(uidlen) { - case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete - case 14: flags = FLAG_7B_UID_IN_DATA; break; - case 8: flags = FLAG_4B_UID_IN_DATA; break; + case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete + case 14: flags |= FLAG_7B_UID_IN_DATA; break; + case 8: flags |= FLAG_4B_UID_IN_DATA; break; default: - PrintAndLog("uid in file wrong length at %d",count); + PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf); fclose(f); return 2; } for (uint8_t i = 0; i < uidlen; i += 2) { - sscanf(&buf[i], "%02x", (unsigned int *)&uidBuffer[i / 2]); + sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]); } PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort", @@ -1242,8 +1288,9 @@ int CmdHF14AMf1kSim(const char *Cmd) { //got a response nonces_t ar_resp[ATTACK_KEY_COUNT*2]; memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); - readerAttack(ar_resp, setEmulatorMem); - if (resp.arg[1]) { + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); + if ((bool)resp.arg[1]) { PrintAndLog("Device button pressed - quitting"); fclose(f); return 4; @@ -1251,7 +1298,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { count++; } fclose(f); - } else { + } else { //not from file PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ", flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): 
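Review bot: `sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2])` stores a whole `unsigned int` through a pointer into what the rest of the function treats as a byte array (`memset(uid, 0, sizeof(uid))`, `sprint_hex(uid,4)`), so each conversion writes sizeof(unsigned int) bytes at a possibly unaligned address and the last iterations of a 10-byte UID run past the end of `uid` if it is sized for 10 bytes. Use the byte conversion and check the result, `if (sscanf(&buf[i], "%02hhx", &uid[i / 2]) != 1) { PrintAndLog("bad hex in uid at %d", count); fclose(f); return 2; }`. `uidlen = strlen(buf)-1` also assumes a trailing '\n', so a final line without one or a CRLF file lands in the `default:` error; strip line endings first with `buf[strcspn(buf, "\r\n")] = 0; uidlen = strlen(buf);`. Switching these cases to `|=` inside the loop means a file that mixes 4-, 7- and 10-byte UIDs accumulates all the length bits across lines, so clear the three UID-length bits at the top of each iteration. CmdHF14AMf1kSim continues outside the hunk.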
@@ -1274,7 +1321,8 @@ int CmdHF14AMf1kSim(const char *Cmd) { if (flags & FLAG_NR_AR_ATTACK) { nonces_t ar_resp[ATTACK_KEY_COUNT*2]; memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp)); - readerAttack(ar_resp, setEmulatorMem); + // We can skip the standard attack if we have RANDOM_NONCE set. + readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE)); } } } @@ -1407,7 +1455,7 @@ int CmdHF14AMfELoad(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; fnameptr += len; @@ -1506,7 +1554,7 @@ int CmdHF14AMfESave(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; // user supplied filename? if (len < 1) { @@ -1630,7 +1678,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) } keyA = bytes_to_num(data, 6); keyB = bytes_to_num(data + 10, 6); - PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB); + PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB); } PrintAndLog("|---|----------------|----------------|"); @@ -1782,7 +1830,7 @@ int CmdHF14AMfCLoad(const char *Cmd) return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; memcpy(filename, Cmd, len); fnameptr += len; @@ -1823,6 +1871,7 @@ int CmdHF14AMfCLoad(const char *Cmd) if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) { PrintAndLog("Can't set magic card block: %d", blockNum); + fclose(f); return 3; } blockNum++; @@ -1951,7 +2000,7 @@ int CmdHF14AMfCSave(const char *Cmd) { return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5; if (len < 1) { // get filename 
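Review bot: `FILE_PATH_SIZE - 5` now appears in four functions of this diff without saying what the 5 reserves, presumably a four-character extension plus the NUL terminator that the later append needs (the append itself is outside these hunks). Name it once next to FILE_PATH_SIZE, e.g. `#define FILE_PATH_EXT_RESERVE 5 /* ".eml"/".bin" + NUL */`, and use it in CmdHF14AMfELoad, CmdHF14AMfESave, CmdHF14AMfCLoad and CmdHF14AMfCSave so the next extension change touches one place. In CmdHF14AMfCLoad the `memcpy(filename, Cmd, len)` copies no terminator and so relies on `filename` having been zeroed beforehand, which is outside the hunk and worth a comment on that line. All four functions start and end outside these hunks.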
@@ -2071,11 +2120,14 @@ int CmdHF14AMfSniff(const char *Cmd){ uint16_t traceLen = resp.arg[1]; len = resp.arg[2]; - if (res == 0) return 0; // we are done + if (res == 0) { // we are done + free(buf); + return 0; + } if (res == 1) { // there is (more) data to be transferred if (pckNum == 0) { // first packet, (re)allocate necessary buffer - if (traceLen > bufsize) { + if (traceLen > bufsize || buf == NULL) { uint8_t *p; if (buf == NULL) { // not yet allocated p = malloc(traceLen);
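Review bot: The new `free(buf)` on the `res == 0` path is only correct if `buf` is initialised to NULL before the receive loop and every other exit from that loop releases it too; both are outside the hunk, so worth confirming (the `buf == NULL` test added to the allocation guard suggests the initialisation exists). The widened guard `traceLen > bufsize || buf == NULL` can reach `malloc(traceLen)` with traceLen == 0 when the first packet reports an empty trace, which is implementation-defined and may hand back a pointer that later code indexes; handle a zero-length first packet before allocating, `if (traceLen == 0) { free(buf); return 0; }` or skip the packet. With two freeing exits in one loop a single cleanup label (`goto done; ... done: free(buf); return rc;`) is easier to keep correct. CmdHF14AMfSniff starts and ends outside this hunk.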