X-Git-Url: http://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/ef3f88bca9fbf8f228781f7e7b41fb6435130d84..4c16ae80f0bffae2092e208c46a5005356c24ce1:/client/cmdhfmf.c

diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 36c8e6c3..3fc3f8f7 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -8,6 +8,7 @@
 // High frequency MIFARE commands
 //-----------------------------------------------------------------------------
 
+#include <inttypes.h>
 #include "cmdhfmf.h"
 #include "./nonce2key/nonce2key.h"
 
@@ -34,8 +35,10 @@ int CmdHF14AMifare(const char *Cmd)
     SendCommand(&c);
 	
 	//flush queue
-	while (ukbhit())	getchar();
-
+	while (ukbhit()) {
+		int c = getchar(); (void) c;
+	}
+	
 	// wait cycle
 	while (true) {
         printf(".");
@@ -82,7 +85,7 @@ int CmdHF14AMifare(const char *Cmd)
 	} else {
 		isOK = 0;
 		printf("------------------------------------------------------------------\n");
-		PrintAndLog("Found valid key:%012"llx" \n", r_key);
+		PrintAndLog("Found valid key:%012" PRIx64 " \n", r_key);
 	}
 	
 	PrintAndLog("");
@@ -302,7 +305,8 @@ int CmdHF14AMfDump(const char *Cmd)
 	
 	// Read keys A from file
 	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {
+		size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error.");
 			fclose(fin);
 			return 2;
@@ -311,7 +315,8 @@ int CmdHF14AMfDump(const char *Cmd)
 	
 	// Read keys B from file
 	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {
+		size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error.");
 			fclose(fin);
 			return 2;
@@ -466,16 +471,17 @@ int CmdHF14AMfRestore(const char *Cmd)
 	}
 	
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
-		if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
+		size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
-
 			fclose(fkeys);
 			return 2;
 		}
 	}
 
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
-		if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {
+		size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);
+		if (bytes_read != 6) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
 			fclose(fkeys);
 			return 2;
@@ -495,7 +501,8 @@ int CmdHF14AMfRestore(const char *Cmd)
 			UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
 			memcpy(c.d.asBytes, key, 6);
 			
-			if (fread(bldata, 1, 16, fdump) == 0) {
+			size_t bytes_read = fread(bldata, 1, 16, fdump);
+			if (bytes_read != 16) {
 				PrintAndLog("File reading error (dumpdata.bin).");
 				fclose(fdump);
 				return 2;
@@ -632,7 +639,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		}
 		key64 = bytes_to_num(keyBlock, 6);
 		if (key64) {
-			PrintAndLog("Found valid key:%012"llx, key64);
+			PrintAndLog("Found valid key:%012" PRIx64, key64);
 
 			// transfer key to the emulator
 			if (transferToEml) {
@@ -718,7 +725,7 @@ int CmdHF14AMfNested(const char *Cmd)
 
 					key64 = bytes_to_num(keyBlock, 6);
 					if (key64) {
-						PrintAndLog("Found valid key:%012"llx, key64);
+						PrintAndLog("Found valid key:%012" PRIx64, key64);
 						e_sector[sectorNo].foundKey[trgKeyType] = 1;
 						e_sector[sectorNo].Key[trgKeyType] = key64;
 					}
@@ -734,7 +741,7 @@ int CmdHF14AMfNested(const char *Cmd)
 		PrintAndLog("|sec|key A           |res|key B           |res|");
 		PrintAndLog("|---|----------------|---|----------------|---|");
 		for (i = 0; i < SectorsCnt; i++) {
-			PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,
+			PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,
 				e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
 		}
 		PrintAndLog("|---|----------------|---|----------------|---|");
@@ -919,13 +926,14 @@ int CmdHF14AMfChk(const char *Cmd)
 						if (!p) {
 							PrintAndLog("Cannot allocate memory for defKeys");
 							free(keyBlock);
+							fclose(f);
 							return 2;
 						}
 						keyBlock = p;
 					}
 					memset(keyBlock + 6 * keycnt, 0, 6);
 					num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
-					PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
+					PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
 					keycnt++;
 					memset(buf, 0, sizeof(buf));
 				}
@@ -969,7 +977,7 @@ int CmdHF14AMfChk(const char *Cmd)
 				res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
 				if (res != 1) {
 					if (!res) {
-						PrintAndLog("Found valid key:[%012"llx"]",key64);
+						PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);
 						num_to_bytes(key64, 6, foundKey[t][i]);
 						validKey[t][i] = true;
 					} 
@@ -1016,7 +1024,7 @@ int CmdHF14AMfChk(const char *Cmd)
 	return 0;
 }
 
-void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
 	#define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()
 	uint64_t key = 0;
 	typedef struct {
@@ -1034,7 +1042,7 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {
 	for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {
 		if (ar_resp[i].ar2 > 0) {
 			//PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);
-			if (mfkey32(ar_resp[i], &key)) {
+			if (doStandardAttack && mfkey32(ar_resp[i], &key)) {
 				PrintAndLog("  Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));
 
 				for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
@@ -1054,6 +1062,34 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {
 						}
 					}
 				}
+			} else if (tryMfk32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {
+				uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;
+				uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;
+
+				PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"
+					, keyType ? "B" : "A"
+					, sectorNum
+					, key
+				);
+
+				for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {
+					if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {
+						if (keyType==0) {
+							//keyA
+							sector_trailer[ii].keyA = key;
+							stSector[ii] = sectorNum;
+							key_cnt[ii]++;
+							break;
+						} else {
+							//keyB
+							sector_trailer[ii].keyB = key;
+							stSector[ii] = sectorNum;
+							key_cnt[ii]++;
+							break;
+						}
+					}
+				}
+				continue;
 			}
 		}
 	}
@@ -1100,6 +1136,7 @@ int usage_hf14_mf1ksim(void) {
 	PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");
 	PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");
 	PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");
+	PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");
 	PrintAndLog("samples:");
 	PrintAndLog("           hf mf sim u 0a0a0a0a");
 	PrintAndLog("           hf mf sim u 11223344556677");
@@ -1164,6 +1201,11 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			exitAfterNReads = param_get8(Cmd, pnr+1);
 			cmdp += 2;
 			break;
+		case 'r':
+		case 'R':
+			flags |= FLAG_RANDOM_NONCE;
+			cmdp++;
+			break;
 		case 'u':
 		case 'U':
 			param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);
@@ -1246,7 +1288,8 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			//got a response
 			nonces_t ar_resp[ATTACK_KEY_COUNT*2];
 			memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
-			readerAttack(ar_resp, setEmulatorMem);
+			// We can skip the standard attack if we have RANDOM_NONCE set.
+			readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
 			if ((bool)resp.arg[1]) {
 				PrintAndLog("Device button pressed - quitting");
 				fclose(f);
@@ -1278,7 +1321,8 @@ int CmdHF14AMf1kSim(const char *Cmd) {
 			if (flags & FLAG_NR_AR_ATTACK) {
 				nonces_t ar_resp[ATTACK_KEY_COUNT*2];
 				memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));
-				readerAttack(ar_resp, setEmulatorMem);
+				// We can skip the standard attack if we have RANDOM_NONCE set.
+				readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));
 			}
 		}
 	}
@@ -1411,7 +1455,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 
 	len = param_getstr(Cmd,nameParamNo,filename);
 	
-	if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
 	fnameptr += len;
 
@@ -1510,7 +1554,7 @@ int CmdHF14AMfESave(const char *Cmd)
 
 	len = param_getstr(Cmd,nameParamNo,filename);
 	
-	if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 	
 	// user supplied filename?
 	if (len < 1) {
@@ -1634,7 +1678,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
 		}
 		keyA = bytes_to_num(data, 6);
 		keyB = bytes_to_num(data + 10, 6);
-		PrintAndLog("|%03d|  %012"llx"  |  %012"llx"  |", i, keyA, keyB);
+		PrintAndLog("|%03d|  %012" PRIx64 "  |  %012" PRIx64 "  |", i, keyA, keyB);
 	}
 	PrintAndLog("|---|----------------|----------------|");
 	
@@ -1786,7 +1830,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 		return 0;
 	} else {
 		len = strlen(Cmd);
-		if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
 		memcpy(filename, Cmd, len);
 		fnameptr += len;
@@ -1827,6 +1871,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 
 			if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
 				PrintAndLog("Can't set magic card block: %d", blockNum);
+				fclose(f);
 				return 3;
 			}
 			blockNum++;
@@ -1955,7 +2000,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
 		return 0;
 	} else {
 		len = strlen(Cmd);
-		if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 	
 		if (len < 1) {
 			// get filename
@@ -2075,11 +2120,14 @@ int CmdHF14AMfSniff(const char *Cmd){
 			uint16_t traceLen = resp.arg[1];
 			len = resp.arg[2];
 
-			if (res == 0) return 0;						// we are done
+			if (res == 0) {								// we are done
+				free(buf);
+				return 0;
+			}
 
 			if (res == 1) {								// there is (more) data to be transferred
 				if (pckNum == 0) {						// first packet, (re)allocate necessary buffer
-					if (traceLen > bufsize) {
+					if (traceLen > bufsize || buf == NULL) {
 						uint8_t *p;
 						if (buf == NULL) {				// not yet allocated
 							p = malloc(traceLen);