- UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
- memcpy(c.d.asBytes, uid, sizeof(uid));\r
- clearCommandBuffer();\r
- SendCommand(&c);\r
-\r
- if(flags & FLAG_INTERACTIVE) {\r
- UsbCommand resp;\r
- PrintAndLog("Press pm3-button to abort simulation");\r
- while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- //We're waiting only 1.5 s at a time, otherwise we get the\r
- // annoying message about "Waiting for a response... "\r
- }\r
- //got a response\r
- if (flags & FLAG_NR_AR_ATTACK) {\r
- nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
- uint64_t key = 0;\r
- memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
- typedef struct {\r
- uint64_t keyA;\r
- uint32_t security;\r
- uint64_t keyB;\r
- } st_t;\r
- st_t sector_trailer[ATTACK_KEY_COUNT];\r
- memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
-\r
- uint8_t stSector[ATTACK_KEY_COUNT];\r
- memset(stSector, 0x00, sizeof(stSector));\r
- uint8_t key_cnt[ATTACK_KEY_COUNT];\r
- memset(key_cnt, 0x00, sizeof(key_cnt));\r
-\r
- for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
- if (ar_resp[i].ar2 > 0) {\r
- //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
- if (mfkey32(ar_resp[i], &key)) {\r
- PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
-\r
- for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
- if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
- if (ar_resp[i].keytype==0) {\r
- //keyA\r
- sector_trailer[ii].keyA = key;\r
- stSector[ii] = ar_resp[i].sector;\r
- key_cnt[ii]++;\r
- break;\r
- } else {\r
- //keyB\r
- sector_trailer[ii].keyB = key;\r
- stSector[ii] = ar_resp[i].sector;\r
- key_cnt[ii]++;\r
- break;\r
- }\r
- }\r
- }\r
- }\r
- }\r
- }\r
- //set emulator memory for keys\r
- if (setEmulatorMem) {\r
- for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
- if (key_cnt[i]>0) {\r
- //PrintAndLog ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
- uint8_t memBlock[16];\r
- memset(memBlock, 0x00, sizeof(memBlock));\r
- char cmd1[36];\r
- memset(cmd1,0x00,sizeof(cmd1));\r
- snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
- PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
- if (param_gethex(cmd1, 0, memBlock, 32)) {\r
- PrintAndLog("block data must include 32 HEX symbols");\r
- return 1;\r
- }\r
- \r
- UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
- memcpy(c.d.asBytes, memBlock, 16);\r
- clearCommandBuffer();\r
- SendCommand(&c); \r
- }\r
- }\r