X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/79db03ef6302ab9cda439cff0bf5ab7808646a21..52ab55ab0da1a34f4ce62d2f730e39ac099d0555:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 9ccfef95..46a11b56 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -36,7 +36,6 @@ start: //flush queue while (ukbhit()) getchar(); - // wait cycle while (true) { printf("."); @@ -78,6 +77,7 @@ start: num_to_bytes(r_key, 6, keyBlock); isOK = mfCheckKeys(0, 0, 1, keyBlock, &r_key); } + if (!isOK) PrintAndLog("Found valid key:%012"llx, r_key); else @@ -88,6 +88,7 @@ start: goto start; } + PrintAndLog(""); return 0; } @@ -343,10 +344,6 @@ int CmdHF14AMfURdCard(const char *Cmd) uint8_t isOK = 0; uint8_t * data = NULL; - if (sectorNo > 15) { - PrintAndLog("Sector number must be less than 16"); - return 1; - } PrintAndLog("Attempting to Read Ultralight... "); UsbCommand c = {CMD_MIFAREU_READCARD, {sectorNo}}; @@ -359,64 +356,24 @@ int CmdHF14AMfURdCard(const char *Cmd) PrintAndLog("isOk:%02x", isOK); if (isOK) - for (i = 0; i < 16; i++) { - switch(i){ - case 2: - //process lock bytes - lockbytes_t=data+(i*4); - lockbytes[0]=lockbytes_t[2]; - lockbytes[1]=lockbytes_t[3]; - for(int j=0; j<16; j++){ - bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8)); - } - //PrintAndLog("LB %02x %02x", lockbytes[0],lockbytes[1]); - //PrintAndLog("LB2b %02x %02x %02x %02x %02x %02x %02x %02x",bit[8],bit[9],bit[10],bit[11],bit[12],bit[13],bit[14],bit[15]); - PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4)); - break; - case 3: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[4]); - break; - case 4: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[3]); - break; - case 5: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[2]); - break; - case 6: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[1]); - break; - case 7: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[0]); - break; - case 8: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[15]); - break; - case 9: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[14]); - break; - case 10: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[13]); - break; - case 11: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[12]); - break; - case 12: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[11]); - break; - case 13: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[10]); - break; - case 14: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[9]); - break; - case 15: - PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[8]); - break; - default: - PrintAndLog("Block %3d:%s ", i,sprint_hex(data + i * 4, 4)); - break; + { // bit 0 and 1 + PrintAndLog("Block %3d:%s ", 0,sprint_hex(data + 0 * 4, 4)); + PrintAndLog("Block %3d:%s ", 1,sprint_hex(data + 1 * 4, 4)); + // bit 2 + //process lock bytes + lockbytes_t=data+(2*4); + lockbytes[0]=lockbytes_t[2]; + lockbytes[1]=lockbytes_t[3]; + for(int j=0; j<16; j++){ + bit[j]=lockbytes[j/8] & ( 1 <<(7-j%8)); } - } + //remaining + for (i = 3; i < 16; i++) { + int bitnum = (23-i) % 16; + PrintAndLog("Block %3d:%s [%d]", i,sprint_hex(data + i * 4, 4),bit[bitnum]); + } + + } } else { PrintAndLog("Command execute timeout"); } @@ -481,7 +438,6 @@ int CmdHF14AMfRdSc(const char *Cmd) return 0; } - uint8_t FirstBlockOfSector(uint8_t sectorNo) { if (sectorNo < 32) { @@ -491,7 +447,6 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo) } } - uint8_t NumBlocksPerSector(uint8_t sectorNo) { if (sectorNo < 32) { @@ -501,7 +456,6 @@ uint8_t NumBlocksPerSector(uint8_t sectorNo) } } - int CmdHF14AMfDump(const char *Cmd) { uint8_t sectorNo, blockNo; @@ -541,22 +495,24 @@ int CmdHF14AMfDump(const char *Cmd) return 1; } - // Read key file - + // Read keys A from file for (sectorNo=0; sectorNo>4) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>2); - rights[sectorNo][1] = ((data[7] & 0x20)>>5) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>3); - rights[sectorNo][2] = ((data[7] & 0x40)>>6) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>4); - rights[sectorNo][3] = ((data[7] & 0x80)>>7) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>5); + rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0 + rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1 + rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2 + rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer } else { PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo); - rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = rights[sectorNo][3] = 0x01; + rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; + rights[sectorNo][3] = 0x01; } } else { PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo); - rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = rights[sectorNo][3] = 0x01; + rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00; + rights[sectorNo][3] = 0x01; } } @@ -596,6 +554,7 @@ int CmdHF14AMfDump(const char *Cmd) for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) { for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) { bool received = false; + if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}}; memcpy(c.d.asBytes, keyA[sectorNo], 6); @@ -603,12 +562,12 @@ int CmdHF14AMfDump(const char *Cmd) received = WaitForResponseTimeout(CMD_ACK,&resp,1500); } else { // data block. Check if it can be read with key A or key B uint8_t data_area = sectorNo<32?blockNo:blockNo/5; - if ((rights[sectorNo][data_area] == 3) || (rights[sectorNo][data_area] == 5)) { // only key B would work + if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}}; memcpy(c.d.asBytes, keyB[sectorNo], 6); SendCommand(&c); received = WaitForResponseTimeout(CMD_ACK,&resp,1500); - } else if (rights[sectorNo][data_area] == 7) { // no key would work + } else if (rights[sectorNo][data_area] == 0x07) { // no key would work isOK = false; PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo); } else { // key A would work @@ -650,7 +609,6 @@ int CmdHF14AMfDump(const char *Cmd) break; } } - } if (isOK) { @@ -664,14 +622,11 @@ int CmdHF14AMfDump(const char *Cmd) PrintAndLog("Dumped %d blocks (%d bytes) to file dumpdata.bin", numblocks, 16*numblocks); } - fclose(fin); return 0; } - int CmdHF14AMfRestore(const char *Cmd) { - uint8_t sectorNo,blockNo; uint8_t keyType = 0; uint8_t key[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; @@ -708,12 +663,15 @@ int CmdHF14AMfRestore(const char *Cmd) } if ((fkeys = fopen("dumpkeys.bin","rb")) == NULL) { PrintAndLog("Could not find file dumpkeys.bin"); + fclose(fdump); return 1; } for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) { PrintAndLog("File reading error (dumpkeys.bin)."); + fclose(fdump); + fclose(fkeys); return 2; } } @@ -721,9 +679,12 @@ int CmdHF14AMfRestore(const char *Cmd) for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) { PrintAndLog("File reading error (dumpkeys.bin)."); + fclose(fdump); + fclose(fkeys); return 2; } } + fclose(fkeys); PrintAndLog("Restoring dumpdata.bin to card"); @@ -734,6 +695,7 @@ int CmdHF14AMfRestore(const char *Cmd) if (fread(bldata, 1, 16, fdump) == 0) { PrintAndLog("File reading error (dumpdata.bin)."); + fclose(fdump); return 2; } @@ -768,11 +730,9 @@ int CmdHF14AMfRestore(const char *Cmd) } fclose(fdump); - fclose(fkeys); return 0; } - int CmdHF14AMfNested(const char *Cmd) { int i, j, res, iterations; @@ -921,6 +881,7 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("-----------------------------------------------"); if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) { PrintAndLog("Nested error.\n"); + free(e_sector); return 2; } else { @@ -995,13 +956,21 @@ int CmdHF14AMfNested(const char *Cmd) free(e_sector); } - return 0; } - int CmdHF14AMfChk(const char *Cmd) { + if (strlen(Cmd)<3) { + PrintAndLog("Usage: hf mf chk |<*card memory> [t] [] []"); + PrintAndLog(" * - all sectors"); + PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog("d - write keys to binary file\n"); + PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); + PrintAndLog(" hf mf chk *1 ? t"); + return 0; + } + FILE * f; char filename[256]={0}; char buf[13]; @@ -1019,6 +988,7 @@ int CmdHF14AMfChk(const char *Cmd) int transferToEml = 0; int createDumpFile = 0; + keyBlock = calloc(stKeyBlock, 6); if (keyBlock == NULL) return 1; @@ -1045,16 +1015,6 @@ int CmdHF14AMfChk(const char *Cmd) num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6)); } - if (strlen(Cmd)<3) { - PrintAndLog("Usage: hf mf chk |<*card memory> [t] [] []"); - PrintAndLog(" * - all sectors"); - PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); - PrintAndLog("d - write keys to binary file\n"); - PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); - PrintAndLog(" hf mf chk *1 ? t"); - return 0; - } - if (param_getchar(Cmd, 0)=='*') { blockNo = 3; switch(param_getchar(Cmd+1, 0)) { @@ -1142,11 +1102,12 @@ int CmdHF14AMfChk(const char *Cmd) keycnt++; memset(buf, 0, sizeof(buf)); } + fclose(f); } else { PrintAndLog("File: %s: not found or locked.", filename); free(keyBlock); return 1; - fclose(f); + } } } @@ -1224,11 +1185,10 @@ int CmdHF14AMfChk(const char *Cmd) } free(keyBlock); - + PrintAndLog(""); return 0; } - int CmdHF14AMf1kSim(const char *Cmd) { uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0}; @@ -1294,7 +1254,6 @@ int CmdHF14AMf1kSim(const char *Cmd) return 0; } - int CmdHF14AMfDbg(const char *Cmd) { int dbgMode = param_get32ex(Cmd, 0, 0, 10); @@ -1319,7 +1278,6 @@ int CmdHF14AMfDbg(const char *Cmd) return 0; } - int CmdHF14AMfEGet(const char *Cmd) { uint8_t blockNo = 0; @@ -1343,7 +1301,6 @@ int CmdHF14AMfEGet(const char *Cmd) return 0; } - int CmdHF14AMfEClear(const char *Cmd) { if (param_getchar(Cmd, 0) == 'h') { @@ -1416,7 +1373,7 @@ int CmdHF14AMfELoad(const char *Cmd) // open file f = fopen(filename, "r"); if (f == NULL) { - PrintAndLog("File not found or locked."); + PrintAndLog("File %s not found or locked", filename); return 1; } @@ -1428,20 +1385,23 @@ int CmdHF14AMfELoad(const char *Cmd) break; } PrintAndLog("File reading error."); + fclose(f); return 2; } if (strlen(buf) < 32){ if(strlen(buf) && feof(f)) break; PrintAndLog("File content error. Block data must include 32 HEX symbols"); + fclose(f); return 2; } for (i = 0; i < 32; i += 2) { sscanf(&buf[i], "%02x", (unsigned int *)&buf8[i / 2]); -// PrintAndLog("data[%02d]:%s", blockNum, sprint_hex(buf8, 16)); } + if (mfEmlSetMem(buf8, blockNum, 1)) { PrintAndLog("Cant set emul block: %3d", blockNum); + fclose(f); return 3; } blockNum++; @@ -1506,7 +1466,7 @@ int CmdHF14AMfESave(const char *Cmd) break; } for (j = 0; j < 16; j++) - fprintf(f, "%02x", buf[j]); + fprintf(f, "%02X", buf[j]); fprintf(f,"\n"); } fclose(f); @@ -1584,8 +1544,8 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; - uint8_t uid[8]; - uint8_t oldUid[8]; + uint8_t uid[8] = {0x00}; + uint8_t oldUid[8] = {0x00}; int res; if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') { @@ -1613,10 +1573,10 @@ int CmdHF14AMfCSetUID(const char *Cmd) } PrintAndLog("old UID:%s", sprint_hex(oldUid, 4)); + PrintAndLog("new UID:%s", sprint_hex(uid, 4)); return 0; } - int CmdHF14AMfCSetBlk(const char *Cmd) { uint8_t uid[8]; @@ -1751,7 +1711,6 @@ int CmdHF14AMfCLoad(const char *Cmd) } } - int CmdHF14AMfCGetBlk(const char *Cmd) { uint8_t memBlock[16]; uint8_t blockNo = 0; @@ -1907,7 +1866,7 @@ int CmdHF14AMfCSave(const char *Cmd) { int CmdHF14AMfSniff(const char *Cmd){ - // params + bool wantLogToFile = 0; bool wantDecrypt = 0; //bool wantSaveToEml = 0; TODO @@ -1924,7 +1883,6 @@ int CmdHF14AMfSniff(const char *Cmd){ uint8_t atqa[2]; uint8_t sak; bool isTag; - uint32_t parity; uint8_t buf[3000]; uint8_t * bufPtr = buf; memset(buf, 0x00, 3000); @@ -1935,8 +1893,8 @@ int CmdHF14AMfSniff(const char *Cmd){ PrintAndLog(" l - save encrypted sequence to logfile `uid.log`"); PrintAndLog(" d - decrypt sequence and put it to log file `uid.log`"); PrintAndLog(" n/a e - decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory"); - PrintAndLog(" r - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`"); - PrintAndLog("Usage: hf mf sniff [l][d][e][r]"); + PrintAndLog(" f - decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`"); + PrintAndLog("Usage: hf mf sniff [l][d][e][f]"); PrintAndLog(" sample: hf mf sniff l d e"); return 0; } @@ -1991,14 +1949,19 @@ int CmdHF14AMfSniff(const char *Cmd){ printf(">\n"); PrintAndLog("received trace len: %d packages: %d", blockLen, pckNum); num = 0; - while (bufPtr - buf + 9 < blockLen) { - isTag = bufPtr[3] & 0x80 ? true:false; - bufPtr += 4; - parity = *((uint32_t *)(bufPtr)); - bufPtr += 4; - len = bufPtr[0]; - bufPtr++; - if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff)) { + while (bufPtr - buf < blockLen) { + bufPtr += 6; + len = *((uint16_t *)bufPtr); + + if(len & 0x8000) { + isTag = true; + len &= 0x7fff; + } else { + isTag = false; + } + bufPtr += 2; + if ((len == 14) && (bufPtr[0] == 0xff) && (bufPtr[1] == 0xff) && (bufPtr[12] == 0xff) && (bufPtr[13] == 0xff)) { + memcpy(uid, bufPtr + 2, 7); memcpy(atqa, bufPtr + 2 + 7, 2); uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4; @@ -2013,17 +1976,21 @@ int CmdHF14AMfSniff(const char *Cmd){ FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len); AddLogCurrentDT(logHexFileName); } - if (wantDecrypt) mfTraceInit(uid, atqa, sak, wantSaveToEmlFile); + if (wantDecrypt) + mfTraceInit(uid, atqa, sak, wantSaveToEmlFile); } else { PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len)); - if (wantLogToFile) AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len); - if (wantDecrypt) mfTraceDecode(bufPtr, len, parity, wantSaveToEmlFile); + if (wantLogToFile) + AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len); + if (wantDecrypt) + mfTraceDecode(bufPtr, len, wantSaveToEmlFile); } bufPtr += len; + bufPtr += ((len-1)/8+1); // ignore parity num++; } } - } // resp not NILL + } // resp not NULL } // while (true) return 0;