}
void clear_trace() {
- uint8_t *trace = BigBuf_get_addr();
- uint16_t max_traceLen = BigBuf_max_traceLen();
- memset(trace, 0x44, max_traceLen);
traceLen = 0;
}
}
traceLen += num_paritybytes;
- if(traceLen +4 < max_traceLen)
- { //If it hadn't been cleared, for whatever reason..
- memset(trace+traceLen,0x44, 4);
- }
-
return TRUE;
}
+
+
int LogTraceHitag(const uint8_t * btBytes, int iBits, int iSamples, uint32_t dwParity, int readerToTag)
{
/**
byte_t rx[HITAG_FRAME_LEN];
size_t rxlen=0;
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+ // Clean up trace and prepare it for storing frames
+ set_tracing(TRUE);
+ clear_trace();
+
auth_table_len = 0;
auth_table_pos = 0;
+
BigBuf_free();
auth_table = (byte_t *)BigBuf_malloc(AUTH_TABLE_LENGTH);
memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
- // Clean up trace and prepare it for storing frames
- set_tracing(TRUE);
- clear_trace();
-
DbpString("Starting Hitag2 snoop");
LED_D_ON();
// Set up eavesdropping mode, frequency divisor which will drive the FPGA
// and analog mux selection.
- FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_TOGGLE_MODE);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
bool bQuitTraceFull = false;
bQuiet = false;
+ FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
+
+ // Clean up trace and prepare it for storing frames
+ set_tracing(TRUE);
+ clear_trace();
+
auth_table_len = 0;
auth_table_pos = 0;
byte_t* auth_table;
auth_table = (byte_t *)BigBuf_malloc(AUTH_TABLE_LENGTH);
memset(auth_table, 0x00, AUTH_TABLE_LENGTH);
- // Clean up trace and prepare it for storing frames
- set_tracing(TRUE);
- clear_trace();
-
DbpString("Starting Hitag2 simulation");
LED_D_ON();
hitag2_init();
// Set up simulator mode, frequency divisor which will drive the FPGA
// and analog mux selection.
- FpgaDownloadAndGo(FPGA_BITSTREAM_LF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_LF_EDGE_DETECT | FPGA_LF_EDGE_DETECT_READER_FIELD);
FpgaSendCommand(FPGA_CMD_SET_DIVISOR, 95); //125Khz
SetAdcMuxFor(GPIO_MUXSEL_LOPKD);
int resp_cc_len;
uint8_t *receivedCmd = BigBuf_malloc(MAX_FRAME_SIZE);
- memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
int len;
// Prepare card messages
}
}
- memset(receivedCmd, 0x44, MAX_FRAME_SIZE);
}
//Dbprintf("%x", cmdsRecvd);
LEDsoff();
- // We won't start recording the frames that we acquire until we trigger;
- // a good trigger condition to get started is probably when we see a
- // response from the tag.
- // triggered == FALSE -- to wait first for card
- bool triggered = !(param & 0x03);
-
+ iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+
// Allocate memory from BigBuf for some buffers
// free all previous allocations first
BigBuf_free();
bool TagIsActive = FALSE;
bool ReaderIsActive = FALSE;
- iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
-
// Set up the demodulator for tag -> reader responses.
DemodInit(receivedResponse, receivedResponsePar);
// Setup and start DMA.
FpgaSetupSscDma((uint8_t *)dmaBuf, DMA_BUFFER_SIZE);
+ // We won't start recording the frames that we acquire until we trigger;
+ // a good trigger condition to get started is probably when we see a
+ // response from the tag.
+ // triggered == FALSE -- to wait first for card
+ bool triggered = !(param & 0x03);
+
// And now we loop, receiving samples.
for(uint32_t rsamples = 0; TRUE; ) {
.modulation_n = 0
};
+ // We need to listen to the high-frequency, peak-detected path.
+ iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
BigBuf_free_keep_EM();
// allocate buffers:
int happened2 = 0;
int cmdsRecvd = 0;
- // We need to listen to the high-frequency, peak-detected path.
- iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
cmdsRecvd = 0;
tag_response_info_t* p_response;
nttmp1 = prng_successor(nttmp1, 1);
if (nttmp1 == nt2) return i;
nttmp2 = prng_successor(nttmp2, 1);
- if (nttmp2 == nt1) return -i;
+ if (nttmp2 == nt1) return -i;
}
return(-99999); // either nt1 or nt2 are invalid nonces
uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE];
uint8_t receivedAnswerPar[MAX_MIFARE_PARITY_SIZE];
+ if (first_try) {
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
+ }
+
// free eventually allocated BigBuf memory. We want all for tracing.
BigBuf_free();
if (first_try) {
mf_nr_ar3 = 0;
- iso14443a_setup(FPGA_HF_ISO14443A_READER_MOD);
sync_time = GetCountSspClk() & 0xfffffff8;
sync_cycles = 65536; // theory: Mifare Classic's random generator repeats every 2^16 cycles (and so do the nonces).
nt_attacked = 0;
LED_B_OFF();
LED_C_OFF();
-
+
+ #define DARKSIDE_MAX_TRIES 32 // number of tries to sync on PRNG cycle. Then give up.
+ uint16_t unsuccessfull_tries = 0;
+
for(uint16_t i = 0; TRUE; i++) {
+ LED_C_ON();
WDT_HIT();
// Test if the action was cancelled
if(BUTTON_PRESS()) {
+ isOK = -1;
break;
}
- LED_C_ON();
-
if(!iso14443a_select_card(uid, NULL, &cuid)) {
if (MF_DBGLEVEL >= 1) Dbprintf("Mifare: Can't select card");
continue;
nt_attacked = nt;
}
else {
- if (nt_distance == -99999) { // invalid nonce received, try again
- continue;
+ if (nt_distance == -99999) { // invalid nonce received
+ unsuccessfull_tries++;
+ if (!nt_attacked && unsuccessfull_tries > DARKSIDE_MAX_TRIES) {
+ isOK = -3; // Card has an unpredictable PRNG. Give up
+ break;
+ } else {
+ continue; // continue trying...
+ }
}
sync_cycles = (sync_cycles - nt_distance);
if (MF_DBGLEVEL >= 3) Dbprintf("calibrating in cycle %d. nt_distance=%d, Sync_cycles: %d\n", i, nt_distance, sync_cycles);
if (nt_diff == 0 && first_try)
{
par[0]++;
+ if (par[0] == 0x00) { // tried all 256 possible parities without success. Card doesn't send NACK.
+ isOK = -2;
+ break;
+ }
} else {
par[0] = ((par[0] & 0x1F) + 1) | par_low;
}
memcpy(buf + 16, ks_list, 8);
memcpy(buf + 24, mf_nr_ar, 4);
- cmd_send(CMD_ACK,isOK,0,0,buf,28);
+ cmd_send(CMD_ACK, isOK, 0, 0, buf, 28);
// Thats it...
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
uint8_t ar_nr_collected = 0;
- // free eventually allocated BigBuf memory but keep Emulator Memory
- BigBuf_free_keep_EM();
-
- // clear trace
- clear_trace();
- set_tracing(TRUE);
-
// Authenticate response - nonce
uint32_t nonce = bytes_to_num(rAUTH_NT, 4);
rUIDBCC2[4] = rUIDBCC2[0] ^ rUIDBCC2[1] ^ rUIDBCC2[2] ^ rUIDBCC2[3];
}
- // We need to listen to the high-frequency, peak-detected path.
- iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
-
-
if (MF_DBGLEVEL >= 1) {
if (!_7BUID) {
Dbprintf("4B UID: %02x%02x%02x%02x",
}
}
+ // We need to listen to the high-frequency, peak-detected path.
+ iso14443a_setup(FPGA_HF_ISO14443A_TAGSIM_LISTEN);
+
+ // free eventually allocated BigBuf memory but keep Emulator Memory
+ BigBuf_free_keep_EM();
+
+ // clear trace
+ clear_trace();
+ set_tracing(TRUE);
+
+
bool finished = FALSE;
while (!BUTTON_PRESS() && !finished) {
WDT_HIT();
uint8_t receivedResponse[MAX_MIFARE_FRAME_SIZE];
uint8_t receivedResponsePar[MAX_MIFARE_PARITY_SIZE];
- // As we receive stuff, we copy it from receivedCmd or receivedResponse
- // into trace, along with its length and other annotations.
- //uint8_t *trace = (uint8_t *)BigBuf;
-
+ iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
+
// free eventually allocated BigBuf memory
BigBuf_free();
// allocate the DMA buffer, used to stream samples from the FPGA
bool ReaderIsActive = FALSE;
bool TagIsActive = FALSE;
- iso14443a_setup(FPGA_HF_ISO14443A_SNIFFER);
-
// Set up the demodulator for tag -> reader responses.
DemodInit(receivedResponse, receivedResponsePar);
0x00, 0x21, 0x85, 0x5e, 0xd7
};
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+
clear_trace();
set_tracing(TRUE);
uint16_t len;
uint16_t cmdsRecvd = 0;
- FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-
// prepare the (only one) tag answer:
CodeIso14443bAsTag(response1, sizeof(response1));
uint8_t *resp1Code = BigBuf_malloc(ToSendMax);
//-----------------------------------------------------------------------------
void ReadSTMemoryIso14443b(uint32_t dwLast)
{
- clear_trace();
- set_tracing(TRUE);
-
uint8_t i = 0x00;
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR | FPGA_HF_READER_RX_XCORR_848_KHZ);
SpinDelay(200);
+ clear_trace();
+ set_tracing(TRUE);
+
// First command: wake up the tag using the INITIATE command
uint8_t cmd1[] = {0x06, 0x00, 0x97, 0x5b};
CodeAndTransmit14443bAsReader(cmd1, sizeof(cmd1));
LED_C_OFF();
LED_D_OFF();
+ if (init) Iso15693InitReader();
+
int answerLen=0;
uint8_t *answer = BigBuf_get_addr() + 3660;
if (recv != NULL) memset(answer, 0, 100);
- if (init) Iso15693InitReader();
-
if (!speed) {
// low speed (1 out of 256)
CodeIso15693AsReader256(send, sendlen);
LED_C_OFF();
LED_D_OFF();
- uint8_t *answer1 = BigBuf_get_addr() + 3660;
- uint8_t *answer2 = BigBuf_get_addr() + 3760;
- uint8_t *answer3 = BigBuf_get_addr() + 3860;
-
int answerLen1 = 0;
int answerLen2 = 0;
int answerLen3 = 0;
int elapsed = 0;
uint8_t TagUID[8] = {0x00};
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ uint8_t *answer1 = BigBuf_get_addr() + 3660;
+ uint8_t *answer2 = BigBuf_get_addr() + 3760;
+ uint8_t *answer3 = BigBuf_get_addr() + 3860;
// Blank arrays
memset(answer1, 0x00, 300);
- FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
-
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
// Setup SSC
FpgaSetupSsc();
// Start from off (no field generated)
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
- SpinDelay(200);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ SpinDelay(200);
// Give the tags time to energize
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
LED_C_OFF();
LED_D_OFF();
- uint8_t *buf = BigBuf_get_addr() + 3660;
-
int answerLen1 = 0;
int samples = 0;
int tsamples = 0;
int wait = 0;
int elapsed = 0;
- memset(buf, 0x00, 100);
-
FpgaDownloadAndGo(FPGA_BITSTREAM_HF);
+ uint8_t *buf = BigBuf_get_addr() + 3660;
+ memset(buf, 0x00, 100);
+
SetAdcMuxFor(GPIO_MUXSEL_HIPKD);
-
FpgaSetupSsc();
// Start from off (no field generated)
- FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
+ FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
SpinDelay(200);
LED_A_OFF();
struct Crypto1State *pcs;\r
pcs = &mpcs;\r
\r
- // clear trace\r
- clear_trace();\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
bool turnOffField = (arg0 == 1);\r
\r
LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
- clear_trace();\r
+\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
if(!iso14443a_select_card(NULL, NULL, NULL)) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card");\r
OnError(0);\r
\r
LEDsoff();\r
LED_A_ON();\r
- clear_trace();\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
int len = iso14443a_select_card(NULL, NULL, NULL);\r
if(!len) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%02X)",len);\r
struct Crypto1State *pcs;\r
pcs = &mpcs;\r
\r
- // clear trace\r
- clear_trace();\r
-\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
// datain = KEY bytes\r
void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain)\r
{\r
+ LEDsoff();\r
+ LED_A_ON();\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
// free eventually allocated BigBuf memory\r
BigBuf_free();\r
clear_trace();\r
return;\r
}\r
\r
- LEDsoff();\r
- LED_A_ON();\r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
int len = iso14443a_select_card(NULL, NULL, NULL);\r
if (!len) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("Can't select card (RC:%d)",len);\r
struct Crypto1State *pcs;\r
pcs = &mpcs;\r
\r
- // clear trace\r
- clear_trace();\r
-\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
\r
LEDsoff();\r
LED_A_ON();\r
- clear_trace();\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
if(!iso14443a_select_card(NULL, NULL, NULL)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
OnError(0);\r
memcpy(pwd, datain, 16);\r
\r
LED_A_ON(); LED_B_OFF(); LED_C_OFF();\r
- clear_trace();\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
+ clear_trace();\r
+\r
if(!iso14443a_select_card(NULL, NULL, NULL)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Can't select card");\r
OnError(0);\r
uint32_t auth1_time, auth2_time;\r
static uint16_t delta_time;\r
\r
+ LED_A_ON();\r
+ LED_C_OFF();\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
// free eventually allocated BigBuf memory\r
BigBuf_free();\r
- // clear trace\r
+\r
clear_trace();\r
set_tracing(false);\r
\r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
- LED_A_ON();\r
- LED_C_OFF();\r
-\r
-\r
// statistics on nonce distance\r
+ int16_t isOK = 0;\r
+ #define NESTED_MAX_TRIES 12\r
+ uint16_t unsuccessfull_tries = 0;\r
if (calibrate) { // for first call only. Otherwise reuse previous calibration\r
LED_B_ON();\r
WDT_HIT();\r
\r
for (rtr = 0; rtr < 17; rtr++) {\r
\r
+ // Test if the action was cancelled\r
+ if(BUTTON_PRESS()) {\r
+ isOK = -2;\r
+ break;\r
+ }\r
+\r
// prepare next select. No need to power down the card.\r
if(mifare_classic_halt(pcs, cuid)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Halt error");\r
delta_time = auth2_time - auth1_time + 32; // allow some slack for proper timing\r
}\r
if (MF_DBGLEVEL >= 3) Dbprintf("Nested: calibrating... ntdist=%d", i);\r
+ } else {\r
+ unsuccessfull_tries++;\r
+ if (unsuccessfull_tries > NESTED_MAX_TRIES) { // card isn't vulnerable to nested attack (random numbers are not predictable)\r
+ isOK = -3;\r
+ }\r
}\r
}\r
- \r
- if (rtr <= 1) return;\r
\r
davg = (davg + (rtr - 1)/2) / (rtr - 1);\r
\r
- if (MF_DBGLEVEL >= 3) Dbprintf("min=%d max=%d avg=%d, delta_time=%d", dmin, dmax, davg, delta_time);\r
+ if (MF_DBGLEVEL >= 3) Dbprintf("rtr=%d isOK=%d min=%d max=%d avg=%d, delta_time=%d", rtr, isOK, dmin, dmax, davg, delta_time);\r
\r
dmin = davg - 2;\r
dmax = davg + 2;\r
LED_C_ON();\r
\r
// get crypted nonces for target sector\r
- for(i=0; i < 2; i++) { // look for exactly two different nonces\r
+ for(i=0; i < 2 && !isOK; i++) { // look for exactly two different nonces\r
\r
target_nt[i] = 0;\r
while(target_nt[i] == 0) { // continue until we have an unambiguous nonce\r
memcpy(buf+16, &target_ks[1], 4);\r
\r
LED_B_ON();\r
- cmd_send(CMD_ACK, 0, 2, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));\r
+ cmd_send(CMD_ACK, isOK, 0, targetBlockNo + (targetKeyType * 0x100), buf, sizeof(buf));\r
LED_B_OFF();\r
\r
if (MF_DBGLEVEL >= 3) DbpString("NESTED FINISHED");\r
int OLD_MF_DBGLEVEL = MF_DBGLEVEL; \r
MF_DBGLEVEL = MF_DBG_NONE;\r
\r
- // clear trace\r
- clear_trace();\r
- set_tracing(TRUE);\r
-\r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
+ clear_trace();\r
+ set_tracing(TRUE);\r
\r
for (i = 0; i < keyCount; i++) {\r
if(mifare_classic_halt(pcs, cuid)) {\r
//-----------------------------------------------------------------------------\r
// Work with emulator memory\r
// \r
+// Note: we call FpgaDownloadAndGo(FPGA_BITSTREAM_HF) here although FPGA is not\r
+// involved in dealing with emulator memory. But if it is called later, it might\r
+// destroy the Emulator Memory.\r
//-----------------------------------------------------------------------------\r
+\r
void MifareEMemClr(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
emlClearMem();\r
}\r
\r
void MifareEMemSet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
emlSetMem(datain, arg0, arg1); // data, block num, blocks count\r
}\r
\r
void MifareEMemGet(uint32_t arg0, uint32_t arg1, uint32_t arg2, uint8_t *datain){\r
+ FpgaDownloadAndGo(FPGA_BITSTREAM_HF);\r
byte_t buf[USB_CMD_DATA_SIZE];\r
emlGetMem(buf, arg0, arg1); // data, block num, blocks count (max 4)\r
\r
byte_t dataoutbuf2[16];\r
uint8_t uid[10];\r
\r
- // clear trace\r
- clear_trace();\r
- set_tracing(false);\r
- \r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
-\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+ \r
+ clear_trace();\r
+ set_tracing(false);\r
\r
bool isOK = true;\r
\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
clear_trace();\r
set_tracing(TRUE);\r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
}\r
\r
while (true) {\r
LED_A_ON();\r
LED_B_OFF();\r
LED_C_OFF();\r
- \r
+ iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+\r
clear_trace();\r
set_tracing(TRUE);\r
- iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
}\r
\r
while (true) {\r
cmd_send(CMD_ACK,isOK,0,0,0,0);\r
}\r
\r
- //\r
+//\r
// DESFIRE\r
//\r
\r
uint8_t uid[10] = {0x00};\r
uint32_t cuid;\r
\r
- clear_trace();\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
+ clear_trace();\r
\r
int len = iso14443a_select_card(uid, NULL, &cuid);\r
if(!len) {\r
uint32_t uid = 0;\r
uint32_t nt = 0, nr = 0;\r
uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
- uint8_t isOK = 0;\r
+ int16_t isOK = 0;\r
uint8_t keyBlock[8] = {0};\r
\r
UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
// message\r
printf("-------------------------------------------------------------------------\n");\r
printf("Executing command. Expected execution time: 25sec on average :-)\n");\r
- printf("Press the key on the proxmark3 device to abort both proxmark3 and client.\n");\r
+ printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
printf("-------------------------------------------------------------------------\n");\r
\r
\r
}\r
\r
UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {\r
- isOK = resp.arg[0] & 0xff;\r
+ if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
+ isOK = resp.arg[0];\r
uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);\r
nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);\r
par_list = bytes_to_num(resp.d.asBytes + 8, 8);\r
ks_list = bytes_to_num(resp.d.asBytes + 16, 8);\r
nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
printf("\n\n");\r
- if (!isOK) PrintAndLog("Proxmark can't get statistic info. Execution aborted.\n");\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
+ case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
+ default: ;\r
+ }\r
break;\r
}\r
} \r
\r
if (cmdp == 'o') {\r
PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');\r
- if (mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true)) {\r
- PrintAndLog("Nested error.");\r
+ int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);\r
+ if (isOK) {\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ default : PrintAndLog("Unknown Error.\n");\r
+ }\r
return 2;\r
}\r
key64 = bytes_to_num(keyBlock, 6);\r
for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { \r
if (e_sector[sectorNo].foundKey[trgKeyType]) continue;\r
PrintAndLog("-----------------------------------------------");\r
- if(mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate)) {\r
- PrintAndLog("Nested error.\n");\r
+ int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
+ if(isOK) {\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ default : PrintAndLog("Unknown Error.\n");\r
+ }\r
free(e_sector);\r
- return 2; }\r
- else {\r
+ return 2;\r
+ } else {\r
calibrate = false;\r
}\r
\r
\r
int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t * resultKey, bool calibrate) \r
{\r
- uint16_t i, len;\r
+ uint16_t i;\r
uint32_t uid;\r
UsbCommand resp;\r
\r
struct Crypto1State *p1, *p2, *p3, *p4;\r
\r
// flush queue\r
- WaitForResponseTimeout(CMD_ACK,NULL,100);\r
+ WaitForResponseTimeout(CMD_ACK, NULL, 100);\r
\r
UsbCommand c = {CMD_MIFARE_NESTED, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, calibrate}};\r
memcpy(c.d.asBytes, key, 6);\r
SendCommand(&c);\r
\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- len = resp.arg[1];\r
- if (len == 2) { \r
- memcpy(&uid, resp.d.asBytes, 4);\r
- PrintAndLog("uid:%08x len=%d trgbl=%d trgkey=%x", uid, len, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8);\r
- \r
- for (i = 0; i < 2; i++) {\r
- statelists[i].blockNo = resp.arg[2] & 0xff;\r
- statelists[i].keyType = (resp.arg[2] >> 8) & 0xff;\r
- statelists[i].uid = uid;\r
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {\r
+ return -1;\r
+ }\r
\r
- memcpy(&statelists[i].nt, (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4);\r
- memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4);\r
- }\r
- }\r
- else {\r
- PrintAndLog("Got 0 keys from proxmark."); \r
- return 1;\r
- }\r
+ if (resp.arg[0]) {\r
+ return resp.arg[0]; // error during nested\r
+ }\r
+ \r
+ memcpy(&uid, resp.d.asBytes, 4);\r
+ PrintAndLog("uid:%08x trgbl=%d trgkey=%x", uid, (uint16_t)resp.arg[2] & 0xff, (uint16_t)resp.arg[2] >> 8);\r
+ \r
+ for (i = 0; i < 2; i++) {\r
+ statelists[i].blockNo = resp.arg[2] & 0xff;\r
+ statelists[i].keyType = (resp.arg[2] >> 8) & 0xff;\r
+ statelists[i].uid = uid;\r
+ memcpy(&statelists[i].nt, (void *)(resp.d.asBytes + 4 + i * 8 + 0), 4);\r
+ memcpy(&statelists[i].ks1, (void *)(resp.d.asBytes + 4 + i * 8 + 4), 4);\r
}\r
\r
// calc keys\r
projects / proxmark3-svn / commitdiff