From 46cd801c5ad5d5f60b2526b4a1e6700a2a008f7b Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Mon, 25 May 2015 13:10:55 +0200 Subject: [PATCH] FIX: dumptoemul.lua removed the extra linebreak in the end, making some load commands complain. MOV: moved the try32/try64 attacks (mfkey32/mfkey64) into the nonce2key.c file CHG: added @marshmellow42 changes to hf mfu dump layout. ADD: an extra call to BigBuf_free in readcard.. just to make sure that it doesn't leak memory. ADD: expermimental call to "try32" for "hf mf sim x". --- armsrc/iso14443a.c | 6 +- armsrc/mifarecmd.c | 3 +- client/cmdhf14a.c | 111 +++------------------------------- client/cmdhf14a.h | 3 +- client/cmdhfmf.c | 35 ++++++++--- client/cmdhfmfu.c | 46 ++++++-------- client/nonce2key/nonce2key.c | 96 +++++++++++++++++++++++++++++ client/nonce2key/nonce2key.h | 5 +- client/scripts/dumptoemul.lua | 3 +- 9 files changed, 160 insertions(+), 148 deletions(-) diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index e1943b26..8e547147 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1186,7 +1186,6 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data) cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len); ar_nr_collected = 0; memset(ar_nr_responses, 0x00, len); - Dbprintf("ICE"); } } } else { @@ -2490,7 +2489,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * uint32_t nr = bytes_to_num(&receivedCmd[4], 4); //Collect AR/NR - if(ar_nr_collected < 2 && cardAUTHSC == 2){ + //if(ar_nr_collected < 2 && cardAUTHSC == 2){ + if(ar_nr_collected < 2){ if(ar_nr_responses[2] != ar) {// Avoid duplicates... probably not necessary, ar should vary. ar_nr_responses[ar_nr_collected*4] = cuid; @@ -2503,7 +2503,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t * if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2) { finished = true; - } + } } // --- crypto diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c index 7eb27abe..9c17ce3c 100644 --- a/armsrc/mifarecmd.c +++ b/armsrc/mifarecmd.c @@ -335,7 +335,8 @@ void MifareUReadCard(uint8_t arg0, uint16_t arg1, uint8_t arg2, uint8_t *datain) cmd_send(CMD_ACK, 1, countblocks, BigBuf_max_traceLen(),0 , 0); FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF); LEDsoff(); - + + BigBuf_free(); } //----------------------------------------------------------------------------- diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index 0527ad4d..8f53bebe 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -24,7 +24,7 @@ #include "cmdmain.h" #include "mifare.h" #include "cmdhfmfu.h" -#include "nonce2key/crapto1.h" +#include "nonce2key/nonce2key.h" #define llx PRIx64 @@ -531,125 +531,30 @@ int CmdHF14ASim(const char *Cmd) PrintAndLog("Press pm3-button to abort simulation"); UsbCommand c = {CMD_SIMULATE_TAG_ISO_14443a,{ tagtype, flags, 0 }}; + num_to_bytes(uid, 7, c.d.asBytes); SendCommand(&c); + uint8_t data[40]; + uint8_t key[6]; + while(!ukbhit()){ UsbCommand resp; WaitForResponseTimeout(CMD_ACK,&resp,1500); - PrintAndLog("Got %04X %02X", resp.arg[0], resp.arg[0]); + PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]); if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){ - uint8_t data[40]; - uint8_t key[6]; + memset(data, 0x00, sizeof(data)); + memset(key, 0x00, sizeof(key)); int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; memcpy(data, resp.d.asBytes, len); tryMfk32(uid, data, key); //tryMfk64(uid, data, key); PrintAndLog("--"); - memset(data,0x00, 40); } } return 0; } -int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){ - - struct Crypto1State *s,*t; - uint64_t key; // recovered key - uint32_t uid; // serial number - uint32_t nt; // tag challenge - uint32_t nr0_enc; // first encrypted reader challenge - uint32_t ar0_enc; // first encrypted reader response - uint32_t nr1_enc; // second encrypted reader challenge - uint32_t ar1_enc; // second encrypted reader response - bool isSuccess = FALSE; - int counter = 0; - - uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4); - nt = *(uint32_t*)(data+8); - nr0_enc = *(uint32_t*)(data+12); - ar0_enc = *(uint32_t*)(data+16); - nr1_enc = *(uint32_t*)(data+32); - ar1_enc = *(uint32_t*)(data+36); - - // PrintAndLog("Recovering key for:"); - // PrintAndLog(" uid: %08x",uid); - // PrintAndLog(" nt: %08x",nt); - // PrintAndLog(" {nr_0}: %08x",nr0_enc); - // PrintAndLog(" {ar_0}: %08x",ar0_enc); - // PrintAndLog(" {nr_1}: %08x",nr1_enc); - // PrintAndLog(" {ar_1}: %08x",ar1_enc); - - s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0); - - for(t = s; t->odd | t->even; ++t) { - lfsr_rollback_word(t, 0, 0); - lfsr_rollback_word(t, nr0_enc, 1); - lfsr_rollback_word(t, uid ^ nt, 0); - crypto1_get_lfsr(t, &key); - crypto1_word(t, uid ^ nt, 0); - crypto1_word(t, nr1_enc, 1); - if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) { - PrintAndLog("Found Key: [%012"llx"]",key); - isSuccess = TRUE; - ++counter; - if (counter==10) - break; - } - } - free(s); - return isSuccess; -} - -int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){ - - struct Crypto1State *revstate; - uint64_t key; // recovered key - uint32_t uid; // serial number - uint32_t nt; // tag challenge - uint32_t nr_enc; // encrypted reader challenge - uint32_t ar_enc; // encrypted reader response - uint32_t at_enc; // encrypted tag response - uint32_t ks2; // keystream used to encrypt reader response - uint32_t ks3; // keystream used to encrypt tag response - - struct Crypto1State mpcs = {0, 0}; - struct Crypto1State *pcs; - pcs = &mpcs; - - - - uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4); - nt = *(uint32_t*)(data+8); - nr_enc = *(uint32_t*)(data+12); - ar_enc = *(uint32_t*)(data+16); - - crypto1_word(pcs, nr_enc , 1); - at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0); - - // printf("Recovering key for:\n"); - // printf(" uid: %08x\n",uid); - // printf(" nt: %08x\n",nt); - // printf(" {nr}: %08x\n",nr_enc); - // printf(" {ar}: %08x\n",ar_enc); - // printf(" {at}: %08x\n",at_enc); - - // Extract the keystream from the messages - ks2 = ar_enc ^ prng_successor(nt, 64); - ks3 = at_enc ^ prng_successor(nt, 96); - - revstate = lfsr_recovery64(ks2, ks3); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, 0, 0); - lfsr_rollback_word(revstate, nr_enc, 1); - lfsr_rollback_word(revstate, uid ^ nt, 0); - crypto1_get_lfsr(revstate, &key); - PrintAndLog("Found Key: [%012"llx"]",key); - crypto1_destroy(revstate); - crypto1_destroy(pcs); - return 0; -} - int CmdHF14ASniff(const char *Cmd) { int param = 0; diff --git a/client/cmdhf14a.h b/client/cmdhf14a.h index 67c6ec4e..17c40bac 100644 --- a/client/cmdhf14a.h +++ b/client/cmdhf14a.h @@ -21,6 +21,5 @@ int CmdHF14ASim(const char *Cmd); int CmdHF14ASniff(const char *Cmd); char* getTagInfo(uint8_t uid); -int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ); -int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ); + #endif diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index f486fc25..94c47072 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -9,6 +9,7 @@ //----------------------------------------------------------------------------- #include "cmdhfmf.h" +#include "nonce2key/nonce2key.h" static int CmdHelp(const char *Cmd); @@ -1063,15 +1064,29 @@ int CmdHF14AMf1kSim(const char *Cmd) SendCommand(&c); if(flags & FLAG_INTERACTIVE) - { - UsbCommand resp; + { + uint64_t corr_uid = bytes_to_num(uid, ( flags & FLAG_4B_UID_IN_DATA ) ? 4 : 7 ); + PrintAndLog("Press pm3-button to abort simulation"); - while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) { - //We're waiting only 1.5 s at a time, otherwise we get the - // annoying message about "Waiting for a response... " + + uint8_t data[40]; + uint8_t key[6]; + + while(!ukbhit()){ + UsbCommand resp; + WaitForResponseTimeout(CMD_ACK,&resp,1500); + PrintAndLog("CMD_SIMULATE_MIFARE_CARD [%04X] -- %04X", CMD_SIMULATE_MIFARE_CARD, resp.arg[0]); + if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){ + memset(data, 0x00, sizeof(data)); + memset(key, 0x00, sizeof(key)); + int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; + memcpy(data, resp.d.asBytes, len); + tryMfk32(corr_uid, data, key); + //tryMfk64(corr_uid, data, key); + PrintAndLog("--"); + } } } - return 0; } @@ -1200,7 +1215,7 @@ int CmdHF14AMfELoad(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; fnameptr += len; @@ -1299,7 +1314,7 @@ int CmdHF14AMfESave(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; // user supplied filename? if (len < 1) { @@ -1575,7 +1590,7 @@ int CmdHF14AMfCLoad(const char *Cmd) return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; memcpy(filename, Cmd, len); fnameptr += len; @@ -1745,7 +1760,7 @@ int CmdHF14AMfCSave(const char *Cmd) { return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; + if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4; if (len < 1) { // get filename diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c index c02dff83..0c116eb4 100644 --- a/client/cmdhfmfu.c +++ b/client/cmdhfmfu.c @@ -280,7 +280,7 @@ static int ul_print_default( uint8_t *data){ uid[6] = data[7]; PrintAndLog(" UID : %s ", sprint_hex(uid, 7)); - PrintAndLog(" UID[0] : %02X, Manufacturer: %s", uid[0], getTagInfo(uid[0]) ); + PrintAndLog(" UID[0] : %02X, %s", uid[0], getTagInfo(uid[0]) ); if ( uid[0] == 0x05 ) { uint8_t chip = (data[8] & 0xC7); // 11000111 mask, bit 3,4,5 RFU switch (chip){ @@ -855,7 +855,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){ uint8_t blockdata[20] = {0x00}; uint8_t data[16] = {0x00}; uint8_t authenticationkey[16] = {0x00}; - uint8_t *authkeyptr = authenticationkey; + uint8_t *authKeyPtr = authenticationkey; // starting with getting tagtype TagTypeUL_t tagtype = GetHF14AMfU_Type(); @@ -896,7 +896,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){ uint8_t maxblockno = 0; for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){ if (tagtype & UL_TYPES_ARRAY[idx]) - maxblockno = UL_MEMORY_ARRAY[idx]+1; + maxblockno = UL_MEMORY_ARRAY[idx]; } if (blockNo < 0) { @@ -904,7 +904,7 @@ int CmdHF14AMfUWrBl(const char *Cmd){ errors = true; } if (blockNo > maxblockno){ - PrintAndLog("block number to large. Max block is %u/0x%02X \n", maxblockno,maxblockno); + PrintAndLog("block number too large. Max block is %u/0x%02X \n", maxblockno,maxblockno); errors = true; } cmdp += 2; @@ -935,28 +935,25 @@ int CmdHF14AMfUWrBl(const char *Cmd){ if ( blockNo == -1 ) return usage_hf_mfu_wrbl(); // Swap endianness - if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8); - if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4); - + if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8); + if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4); if ( blockNo <= 3) PrintAndLog("Special Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4)); else PrintAndLog("Block: %0d (0x%02X) [ %s]", blockNo, blockNo, sprint_hex(blockdata, 4)); - - //Send write Block UsbCommand c = {CMD_MIFAREU_WRITEBL, {blockNo}}; memcpy(c.d.asBytes,blockdata,4); if ( hasAuthKey ){ c.arg[1] = 1; - memcpy(c.d.asBytes+4,authkeyptr,16); + memcpy(c.d.asBytes+4,authKeyPtr,16); } else if ( hasPwdKey ) { c.arg[1] = 2; - memcpy(c.d.asBytes+4,authkeyptr,4); + memcpy(c.d.asBytes+4,authKeyPtr,4); } SendCommand(&c); @@ -984,7 +981,7 @@ int CmdHF14AMfURdBl(const char *Cmd){ uint8_t keylen = 0; uint8_t data[16] = {0x00}; uint8_t authenticationkey[16] = {0x00}; - uint8_t *authkeyptr = authenticationkey; + uint8_t *authKeyPtr = authenticationkey; // starting with getting tagtype TagTypeUL_t tagtype = GetHF14AMfU_Type(); @@ -1025,7 +1022,7 @@ int CmdHF14AMfURdBl(const char *Cmd){ uint8_t maxblockno = 0; for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++){ if (tagtype & UL_TYPES_ARRAY[idx]) - maxblockno = UL_MEMORY_ARRAY[idx]+1; + maxblockno = UL_MEMORY_ARRAY[idx]; } if (blockNo < 0) { @@ -1054,18 +1051,18 @@ int CmdHF14AMfURdBl(const char *Cmd){ if ( blockNo == -1 ) return usage_hf_mfu_rdbl(); // Swap endianness - if (swapEndian && hasAuthKey) authkeyptr = SwapEndian64(authenticationkey, 16, 8); - if (swapEndian && hasPwdKey) authkeyptr = SwapEndian64(authenticationkey, 4, 4); + if (swapEndian && hasAuthKey) authKeyPtr = SwapEndian64(authenticationkey, 16, 8); + if (swapEndian && hasPwdKey) authKeyPtr = SwapEndian64(authenticationkey, 4, 4); //Read Block UsbCommand c = {CMD_MIFAREU_READBL, {blockNo}}; if ( hasAuthKey ){ c.arg[1] = 1; - memcpy(c.d.asBytes,authkeyptr,16); + memcpy(c.d.asBytes,authKeyPtr,16); } else if ( hasPwdKey ) { c.arg[1] = 2; - memcpy(c.d.asBytes,authkeyptr,4); + memcpy(c.d.asBytes,authKeyPtr,4); } SendCommand(&c); @@ -1082,7 +1079,6 @@ int CmdHF14AMfURdBl(const char *Cmd){ } else { PrintAndLog("Command execute time-out"); } - return 0; } @@ -1156,8 +1152,6 @@ int usage_hf_mfu_wrbl(void) { // // Mifare Ultralight / Ultralight-C / Ultralight-EV1 // Read and Dump Card Contents, using auto detection of tag size. -// -// TODO: take a password to read UL-C / UL-EV1 tags. int CmdHF14AMfUDump(const char *Cmd){ FILE *fout; @@ -1246,10 +1240,10 @@ int CmdHF14AMfUDump(const char *Cmd){ TagTypeUL_t tagtype = GetHF14AMfU_Type(); if (tagtype == UL_ERROR) return -1; - if (!manualPages) + if (!manualPages) //get number of pages to read for (uint8_t idx = 0; idx < MAX_UL_TYPES; idx++) if (tagtype & UL_TYPES_ARRAY[idx]) - Pages = UL_MEMORY_ARRAY[idx]+1; + Pages = UL_MEMORY_ARRAY[idx]+1; //add one as maxblks starts at 0 ul_print_type(tagtype, 0); PrintAndLog("Reading tag memory..."); @@ -1320,8 +1314,8 @@ int CmdHF14AMfUDump(const char *Cmd){ } } - PrintAndLog("Block# Data lck Ascii"); - PrintAndLog("----------------------------------"); + PrintAndLog("Block# | Data |lck| Ascii"); + PrintAndLog("---------------------------------"); for (i = 0; i < Pages; ++i) { if ( i < 3 ) { PrintAndLog("%02d/0x%02X | %s | |", i, i,sprint_hex(data + i * 4, 4)); @@ -1373,7 +1367,7 @@ int CmdHF14AMfUDump(const char *Cmd){ } PrintAndLog("%02d/0x%02X | %s |%d| %.4s",i , i, sprint_hex(data + i * 4, 4), tmplockbit, data+i*4); } - PrintAndLog("----------------------------------"); + PrintAndLog("---------------------------------"); // user supplied filename? if (fileNlen < 1) { @@ -1769,7 +1763,7 @@ static command_t CommandTable[] = {"help", CmdHelp, 1, "This help"}, {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"}, {"info", CmdHF14AMfUInfo, 0, "Tag information"}, - {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C tag to binary file"}, + {"dump", CmdHF14AMfUDump, 0, "Dump Ultralight / Ultralight-C / NTAG tag to binary file"}, {"rdbl", CmdHF14AMfURdBl, 0, "Read block"}, {"wrbl", CmdHF14AMfUWrBl, 0, "Write block"}, {"cauth", CmdHF14AMfucAuth, 0, "Authentication - Ultralight C"}, diff --git a/client/nonce2key/nonce2key.c b/client/nonce2key/nonce2key.c index 111f58cd..968e1a9d 100644 --- a/client/nonce2key/nonce2key.c +++ b/client/nonce2key/nonce2key.c @@ -149,3 +149,99 @@ int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_ return 1; } + +int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){ + + struct Crypto1State *s,*t; + uint64_t key; // recovered key + uint32_t uid; // serial number + uint32_t nt; // tag challenge + uint32_t nr0_enc; // first encrypted reader challenge + uint32_t ar0_enc; // first encrypted reader response + uint32_t nr1_enc; // second encrypted reader challenge + uint32_t ar1_enc; // second encrypted reader response + bool isSuccess = FALSE; + int counter = 0; + + uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4); + nt = *(uint32_t*)(data+8); + nr0_enc = *(uint32_t*)(data+12); + ar0_enc = *(uint32_t*)(data+16); + nr1_enc = *(uint32_t*)(data+32); + ar1_enc = *(uint32_t*)(data+36); + + // PrintAndLog("Recovering key for:"); + // PrintAndLog(" uid: %08x",uid); + // PrintAndLog(" nt: %08x",nt); + // PrintAndLog(" {nr_0}: %08x",nr0_enc); + // PrintAndLog(" {ar_0}: %08x",ar0_enc); + // PrintAndLog(" {nr_1}: %08x",nr1_enc); + // PrintAndLog(" {ar_1}: %08x",ar1_enc); + + s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0); + + for(t = s; t->odd | t->even; ++t) { + lfsr_rollback_word(t, 0, 0); + lfsr_rollback_word(t, nr0_enc, 1); + lfsr_rollback_word(t, uid ^ nt, 0); + crypto1_get_lfsr(t, &key); + crypto1_word(t, uid ^ nt, 0); + crypto1_word(t, nr1_enc, 1); + if (ar1_enc == (crypto1_word(t, 0, 0) ^ prng_successor(nt, 64))) { + PrintAndLog("Found Key: [%012"llx"]",key); + isSuccess = TRUE; + ++counter; + if (counter==10) + break; + } + } + free(s); + return isSuccess; +} + +int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ){ + + struct Crypto1State *revstate; + uint64_t key; // recovered key + uint32_t uid; // serial number + uint32_t nt; // tag challenge + uint32_t nr_enc; // encrypted reader challenge + uint32_t ar_enc; // encrypted reader response + uint32_t at_enc; // encrypted tag response + uint32_t ks2; // keystream used to encrypt reader response + uint32_t ks3; // keystream used to encrypt tag response + + struct Crypto1State mpcs = {0, 0}; + struct Crypto1State *pcs; + pcs = &mpcs; + + uid = myuid;//(uint32_t)bytes_to_num(data + 0, 4); + nt = *(uint32_t*)(data+8); + nr_enc = *(uint32_t*)(data+12); + ar_enc = *(uint32_t*)(data+16); + + crypto1_word(pcs, nr_enc , 1); + at_enc = prng_successor(nt, 96) ^ crypto1_word(pcs, 0, 0); + + // printf("Recovering key for:\n"); + // printf(" uid: %08x\n",uid); + // printf(" nt: %08x\n",nt); + // printf(" {nr}: %08x\n",nr_enc); + // printf(" {ar}: %08x\n",ar_enc); + // printf(" {at}: %08x\n",at_enc); + + // Extract the keystream from the messages + ks2 = ar_enc ^ prng_successor(nt, 64); + ks3 = at_enc ^ prng_successor(nt, 96); + + revstate = lfsr_recovery64(ks2, ks3); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, 0, 0); + lfsr_rollback_word(revstate, nr_enc, 1); + lfsr_rollback_word(revstate, uid ^ nt, 0); + crypto1_get_lfsr(revstate, &key); + PrintAndLog("Found Key: [%012"llx"]",key); + crypto1_destroy(revstate); + crypto1_destroy(pcs); + return 0; +} diff --git a/client/nonce2key/nonce2key.h b/client/nonce2key/nonce2key.h index e7d5f431..82c65b55 100644 --- a/client/nonce2key/nonce2key.h +++ b/client/nonce2key/nonce2key.h @@ -2,7 +2,7 @@ // Merlok - June 2011 // Roel - Dec 2009 // Unknown author -// +// icemane - may 2015 // This code is licensed to you under the terms of the GNU GPL, version 2 or, // at your option, any later version. See the LICENSE.txt file for the text of // the license. @@ -19,5 +19,6 @@ #include "common.h" int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t * key); - +int tryMfk32(uint64_t myuid, uint8_t *data, uint8_t *outputkey ); +int tryMfk64(uint64_t myuid, uint8_t *data, uint8_t *outputkey ); #endif diff --git a/client/scripts/dumptoemul.lua b/client/scripts/dumptoemul.lua index f9b71509..f8cc11d4 100644 --- a/client/scripts/dumptoemul.lua +++ b/client/scripts/dumptoemul.lua @@ -73,7 +73,8 @@ local function convert_to_emulform(hexdata) for i = 1, string.len(hexdata),32 do ascii = ascii ..string.sub(hexdata,i,i+31).."\n" end - return ascii + + return string.sub(ascii,1,-1) end local function main(args) -- 2.39.2