// Hagen Fritsch - June 2010\r
// Midnitesnake - Dec 2013\r
// Andy Davies - Apr 2014\r
-// Iceman - May 2014\r
+// Iceman - May 2014,2015,2016\r
//\r
// This code is licensed to you under the terms of the GNU GPL, version 2 or,\r
// at your option, any later version. See the LICENSE.txt file for the text of\r
break;\r
}\r
\r
- // ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
if (MF_DBGLEVEL >= 2) DbpString("READ BLOCK FINISHED");\r
if (MF_DBGLEVEL >= 1) Dbprintf("Halt error");\r
}\r
\r
- // ----------------------------- crypto1 destroy\r
- crypto1_destroy(pcs);\r
- \r
if (MF_DBGLEVEL >= 2) DbpString("READ SECTOR FINISHED");\r
\r
+ crypto1_destroy(pcs);\r
+\r
LED_B_ON();\r
cmd_send(CMD_ACK,isOK,0,0,dataoutbuf,16*NumBlocksPerSector(sectorNo));\r
LED_B_OFF();\r
\r
- // Thats it...\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
+ set_tracing(FALSE);\r
}\r
\r
// arg0 = blockNo (start)\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
// free eventually allocated BigBuf memory\r
- BigBuf_free();\r
+ BigBuf_free(); BigBuf_Clear_ext(false);\r
clear_trace();\r
set_tracing(true);\r
\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
BigBuf_free();\r
+ set_tracing(FALSE);\r
}\r
\r
//-----------------------------------------------------------------------------\r
cmd_send(CMD_ACK,isOK,0,0,0,0);\r
LED_B_OFF();\r
\r
-\r
- // Thats it...\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
+ set_tracing(FALSE);\r
}\r
\r
/* // Command not needed but left for future testing \r
cmd_send(CMD_ACK,1,0,0,0,0);\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
+ set_tracing(FALSE);\r
}\r
\r
void MifareUSetPwd(uint8_t arg0, uint8_t *datain){\r
cmd_send(CMD_ACK,1,0,0,0,0);\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
+ set_tracing(FALSE);\r
}\r
\r
// Return 1 if the nonce is invalid else return 0\r
// Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on \r
// Computer and Communications Security, 2015\r
//-----------------------------------------------------------------------------\r
+#define AUTHENTICATION_TIMEOUT 1000 //848 // card times out 1ms after wrong authentication (according to NXP documentation)\r
+#define PRE_AUTHENTICATION_LEADTIME 400 // some (non standard) cards need a pause after select before they are ready for first authentication \r
+\r
void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags, uint8_t *datain)\r
{\r
uint64_t ui64Key = 0;\r
bool slow = flags & 0x0002;\r
bool field_off = flags & 0x0004;\r
\r
- #define AUTHENTICATION_TIMEOUT 848 // card times out 1ms after wrong authentication (according to NXP documentation)\r
- #define PRE_AUTHENTICATION_LEADTIME 400 // some (non standard) cards need a pause after select before they are ready for first authentication \r
- \r
LED_A_ON();\r
LED_C_OFF();\r
\r
memcpy(buf+i+8, &nt_par_enc, 1);\r
i += 9;\r
}\r
-\r
// wait for the card to become ready again\r
- while(GetCountSspClk() < timeout);\r
- \r
+ while(GetCountSspClk() < timeout); \r
}\r
\r
LED_C_OFF();\r
if (field_off) {\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
+ set_tracing(FALSE);\r
}\r
}\r
\r
uint8_t receivedAnswer[MAX_MIFARE_FRAME_SIZE] = {0x00};\r
\r
uint32_t auth1_time, auth2_time;\r
- static uint16_t delta_time;\r
+ static uint16_t delta_time = 0;\r
\r
LED_A_ON();\r
LED_C_OFF();\r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
// free eventually allocated BigBuf memory\r
- BigBuf_free();\r
-\r
+ BigBuf_free(); BigBuf_Clear_ext(false);\r
+ \r
if (calibrate) clear_trace();\r
set_tracing(true);\r
\r
rtr--;\r
continue;\r
};\r
+ auth2_time = (delta_time) ? auth1_time + delta_time : 0;\r
\r
- if (delta_time) {\r
- auth2_time = auth1_time + delta_time;\r
- } else {\r
- auth2_time = 0;\r
- }\r
if(mifare_classic_authex(pcs, cuid, blockNo, keyType, ui64Key, AUTH_NESTED, &nt2, &auth2_time)) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error");\r
rtr--;\r
\r
// nested authentication\r
auth2_time = auth1_time + delta_time;\r
+\r
len = mifare_sendcmd_short(pcs, AUTH_NESTED, 0x60 + (targetKeyType & 0x01), targetBlockNo, receivedAnswer, par, &auth2_time);\r
if (len != 4) {\r
if (MF_DBGLEVEL >= 1) Dbprintf("Nested: Auth2 error len=%d", len);\r
if (MF_DBGLEVEL >= 3) Dbprintf("Nonce#%d: Testing nt1=%08x nt2enc=%08x nt2par=%02x", i+1, nt1, nt2, par[0]);\r
\r
// Parity validity check\r
- for (j = 0; j < 4; j++) {\r
- par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
- }\r
+// for (j = 0; j < 4; j++) {\r
+// par_array[j] = (oddparity8(receivedAnswer[j]) != ((par[0] >> (7-j)) & 0x01));\r
+// }\r
+ par_array[0] = (oddparity8(receivedAnswer[0]) != ((par[0] >> (7-0)) & 0x01));\r
+ par_array[1] = (oddparity8(receivedAnswer[1]) != ((par[0] >> (7-1)) & 0x01));\r
+ par_array[2] = (oddparity8(receivedAnswer[2]) != ((par[0] >> (7-2)) & 0x01));\r
+ par_array[3] = (oddparity8(receivedAnswer[3]) != ((par[0] >> (7-3)) & 0x01));\r
\r
ncount = 0;\r
nttest = prng_successor(nt1, dmin - 1);\r
\r
LED_C_OFF();\r
\r
- // ----------------------------- crypto1 destroy\r
crypto1_destroy(pcs);\r
\r
- byte_t buf[4 + 4 * 4];\r
+ byte_t buf[4 + 4 * 4] = {0};\r
memcpy(buf, &cuid, 4);\r
memcpy(buf+4, &target_nt[0], 4);\r
memcpy(buf+8, &target_ks[0], 4);\r
// MIFARE check keys. key count up to 85. \r
// \r
//-----------------------------------------------------------------------------\r
-void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain)\r
-{\r
- // params\r
+void MifareChkKeys(uint16_t arg0, uint8_t arg1, uint8_t arg2, uint8_t *datain) {\r
uint8_t blockNo = arg0 & 0xff;\r
uint8_t keyType = (arg0 >> 8) & 0xff;\r
bool clearTrace = arg1;\r
uint8_t keyCount = arg2;\r
uint64_t ui64Key = 0;\r
\r
- // variables\r
+ bool have_uid = FALSE;\r
+ uint8_t cascade_levels = 0;\r
+ uint32_t timeout = 0;\r
+ \r
int i;\r
byte_t isOK = 0;\r
uint8_t uid[10] = {0x00};\r
struct Crypto1State *pcs;\r
pcs = &mpcs;\r
\r
- // clear debug level\r
+ // save old debuglevel, and tempory turn off dbg printing. speedissues.\r
int OLD_MF_DBGLEVEL = MF_DBGLEVEL; \r
MF_DBGLEVEL = MF_DBG_NONE;\r
\r
+ LEDsoff();\r
LED_A_ON();\r
- LED_B_OFF();\r
- LED_C_OFF();\r
+ \r
iso14443a_setup(FPGA_HF_ISO14443A_READER_LISTEN);\r
\r
if (clearTrace) \r
clear_trace();\r
\r
set_tracing(TRUE);\r
-\r
+ \r
for (i = 0; i < keyCount; ++i) {\r
- if (mifare_classic_halt(pcs, cuid))\r
- if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Halt error");\r
\r
- if (!iso14443a_select_card(uid, NULL, &cuid, true, 0)) {\r
- if (OLD_MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card");\r
- break;\r
- }\r
+ //mifare_classic_halt(pcs, cuid);\r
\r
+ // this part is from Piwi's faster nonce collecting part in Hardnested.\r
+ if (!have_uid) { // need a full select cycle to get the uid first\r
+ iso14a_card_select_t card_info; \r
+ if(!iso14443a_select_card(uid, &card_info, &cuid, true, 0)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card (ALL)");\r
+ break;\r
+ }\r
+ switch (card_info.uidlen) {\r
+ case 4 : cascade_levels = 1; break;\r
+ case 7 : cascade_levels = 2; break;\r
+ case 10: cascade_levels = 3; break;\r
+ default: break;\r
+ }\r
+ have_uid = TRUE; \r
+ } else { // no need for anticollision. We can directly select the card\r
+ if(!iso14443a_select_card(uid, NULL, NULL, false, cascade_levels)) {\r
+ if (MF_DBGLEVEL >= 1) Dbprintf("ChkKeys: Can't select card (UID)");\r
+ continue;\r
+ }\r
+ }\r
+ \r
ui64Key = bytes_to_num(datain + i * 6, 6);\r
- if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST))\r
- continue;\r
\r
+ if (mifare_classic_auth(pcs, cuid, blockNo, keyType, ui64Key, AUTH_FIRST)) {\r
+\r
+ uint8_t dummy_answer = 0;\r
+ ReaderTransmit(&dummy_answer, 1, NULL);\r
+ timeout = GetCountSspClk() + AUTHENTICATION_TIMEOUT;\r
+ \r
+ // wait for the card to become ready again\r
+ while(GetCountSspClk() < timeout);\r
+ \r
+ continue;\r
+ }\r
isOK = 1;\r
break;\r
}\r
- crypto1_destroy(pcs);\r
\r
LED_B_ON();\r
- cmd_send(CMD_ACK,isOK,0,0,datain + i * 6,6);\r
+ cmd_send(CMD_ACK, isOK, 0, 0, datain + i * 6, 6);\r
+\r
+ // restore debug level\r
+ MF_DBGLEVEL = OLD_MF_DBGLEVEL; \r
+ \r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
set_tracing(FALSE);\r
- \r
- // restore debug level\r
- MF_DBGLEVEL = OLD_MF_DBGLEVEL; \r
+ crypto1_destroy(pcs);\r
}\r
\r
//-----------------------------------------------------------------------------\r
\r
// wipe tag, fill it with zeros\r
if (workFlags & MAGIC_WIPE){\r
- ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+ ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);\r
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");\r
errormsg = MAGIC_WIPE;\r
\r
// write block\r
if (workFlags & MAGIC_WUPC) {\r
- ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+ ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);\r
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");\r
errormsg = MAGIC_WUPC;\r
//loop doesn't loop just breaks out if error or done\r
while (true) {\r
if (workFlags & MAGIC_WUPC) {\r
- ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+ ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);\r
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
if (MF_DBGLEVEL >= MF_DBG_ERROR) Dbprintf("wupC1 error");\r
errormsg = MAGIC_WUPC;\r
memcpy(data, receivedAnswer, sizeof(data));\r
\r
// send HALT\r
- if (workFlags & MAGIC_HALT) {\r
+ if (workFlags & MAGIC_HALT)\r
mifare_classic_halt_ex(NULL);\r
- break;\r
- }\r
+\r
isOK = true;\r
break;\r
}\r
uint8_t receivedAnswer[1] = {0x00};\r
uint8_t receivedAnswerPar[1] = {0x00};\r
\r
- ReaderTransmitBitsPar(wupC1,7,0, NULL);\r
+ ReaderTransmitBitsPar(wupC1, 7, NULL, NULL);\r
if(!ReaderReceive(receivedAnswer, receivedAnswerPar) || (receivedAnswer[0] != 0x0a)) {\r
isOK = false;\r
}\r
cmd_send(CMD_ACK,0,reason,0,0,0);\r
OnSuccessMagic();\r
}\r
-\r
-void MifareCollectNonces(uint32_t arg0, uint32_t arg1){\r
-}\r
-\r
//\r
// DESFIRE\r
//\r
-\r
void Mifare_DES_Auth1(uint8_t arg0, uint8_t *datain){\r
-\r
byte_t dataout[12] = {0x00};\r
uint8_t uid[10] = {0x00};\r
uint32_t cuid = 0;\r
}\r
\r
if (MF_DBGLEVEL >= MF_DBG_EXTENDED) DbpString("AUTH 1 FINISHED");\r
- cmd_send(CMD_ACK,1,cuid,0,dataout, sizeof(dataout));\r
+ cmd_send(CMD_ACK, 1, cuid, 0, dataout, sizeof(dataout));\r
}\r
\r
void Mifare_DES_Auth2(uint32_t arg0, uint8_t *datain){\r
-\r
uint32_t cuid = arg0;\r
uint8_t key[16] = {0x00};\r
byte_t dataout[12] = {0x00};\r
cmd_send(CMD_ACK, isOK, 0, 0, dataout, sizeof(dataout));\r
FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);\r
LEDsoff();\r
+ set_tracing(FALSE);\r
}
\ No newline at end of file