// mifare commands\r
//-----------------------------------------------------------------------------\r
\r
-#include <stdio.h>\r
-#include <stdlib.h> \r
-#include <string.h>\r
-#include <pthread.h>\r
#include "mifarehost.h"\r
-#include "proxmark3.h"\r
-//#include "radixsort.h"\r
-#include <time.h>\r
\r
// MIFARE\r
-int compar_int(const void * a, const void * b) {\r
+extern int compar_int(const void * a, const void * b) {\r
// didn't work: (the result is truncated to 32 bits)\r
//return (*(uint64_t*)b - *(uint64_t*)a);\r
\r
*/\r
}\r
\r
-typedef \r
- struct {\r
- union {\r
- struct Crypto1State *slhead;\r
- uint64_t *keyhead;\r
- } head;\r
- union {\r
- struct Crypto1State *sltail;\r
- uint64_t *keytail;\r
- } tail;\r
- uint32_t len;\r
- uint32_t uid;\r
- uint32_t blockNo;\r
- uint32_t keyType;\r
- uint32_t nt;\r
- uint32_t ks1;\r
- } StateList_t;\r
-\r
-\r
// wrapper function for multi-threaded lfsr_recovery32\r
void* nested_worker_thread(void *arg)\r
{\r
p4->even = 0; p4->odd = 0;\r
statelists[0].len = p3 - statelists[0].head.slhead;\r
statelists[1].len = p4 - statelists[1].head.slhead;\r
- statelists[0].tail.sltail=--p3;\r
- statelists[1].tail.sltail=--p4;\r
+ statelists[0].tail.sltail = --p3;\r
+ statelists[1].tail.sltail = --p4;\r
\r
// the statelists now contain possible keys. The key we are searching for must be in the\r
// intersection of both lists. Create the intersection:\r
free(statelists[1].head.slhead);\r
num_to_bytes(key64, 6, resultKey);\r
\r
- PrintAndLog("UID: %08x target block:%3u key type: %c -- Found key [%012"llx"]",\r
+ PrintAndLog("UID: %08x target block:%3u key type: %c -- Found key [%012" PRIx64 "]",\r
uid,\r
(uint16_t)resp.arg[2] & 0xff,\r
(resp.arg[2] >> 8) ? 'B' : 'A',\r
}\r
\r
int mfCheckKeys (uint8_t blockNo, uint8_t keyType, bool clear_trace, uint8_t keycnt, uint8_t * keyBlock, uint64_t * key){\r
- *key = 0;\r
- UsbCommand c = {CMD_MIFARE_CHKKEYS, { (blockNo | (keyType<<8)), clear_trace, keycnt}};\r
+#define STD_SEARCH 1\r
+#define EXT_SEARCH 2\r
+ *key = 0; \r
+ UsbCommand c = {CMD_MIFARE_CHKKEYS, { (blockNo | (keyType << 8)), ((EXT_SEARCH << 8) | clear_trace), keycnt}};\r
memcpy(c.d.asBytes, keyBlock, 6 * keycnt);\r
clearCommandBuffer();\r
SendCommand(&c);\r
*key = bytes_to_num(resp.d.asBytes, 6);\r
return 0;\r
}\r
+// PM3 imp of J-Run mf_key_brute (part 2)\r
+// ref: https://github.com/J-Run/mf_key_brute\r
+int mfKeyBrute(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint64_t *resultkey){\r
+\r
+ #define KEYS_IN_BLOCK 85\r
+ #define KEYBLOCK_SIZE 510\r
+ #define CANDIDATE_SIZE 0xFFFF * 6\r
+ uint8_t found = FALSE;\r
+ uint64_t key64 = 0;\r
+ uint8_t candidates[CANDIDATE_SIZE] = {0x00};\r
+ uint8_t keyBlock[KEYBLOCK_SIZE] = {0x00};\r
\r
-// EMULATOR\r
+ memset(candidates, 0, sizeof(candidates));\r
+ memset(keyBlock, 0, sizeof(keyBlock));\r
+ \r
+ // Generate all possible keys for the first two unknown bytes.\r
+ for (uint16_t i = 0; i < 0xFFFF; ++i) { \r
+ uint32_t j = i * 6; \r
+ candidates[0 + j] = i >> 8; \r
+ candidates[1 + j] = i;\r
+ candidates[2 + j] = key[2];\r
+ candidates[3 + j] = key[3];\r
+ candidates[4 + j] = key[4];\r
+ candidates[5 + j] = key[5];\r
+ }\r
+ uint32_t counter, i;\r
+ for ( i = 0, counter = 1; i < CANDIDATE_SIZE; i += KEYBLOCK_SIZE, ++counter){\r
\r
+ key64 = 0;\r
+ \r
+ // copy candidatekeys to test key block\r
+ memcpy(keyBlock, candidates + i, KEYBLOCK_SIZE);\r
+\r
+ // check a block of generated candidate keys.\r
+ if (!mfCheckKeys(blockNo, keyType, TRUE, KEYS_IN_BLOCK, keyBlock, &key64)) {\r
+ *resultkey = key64;\r
+ found = TRUE;\r
+ break;\r
+ }\r
+ \r
+ // progress \r
+ if ( counter % 20 == 0 )\r
+ PrintAndLog("tried : %s.. \t %u keys", sprint_hex(candidates + i, 6), counter * KEYS_IN_BLOCK );\r
+ }\r
+ return found;\r
+}\r
+\r
+// EMULATOR\r
int mfEmlGetMem(uint8_t *data, int blockNum, int blocksCount) {\r
UsbCommand c = {CMD_MIFARE_EML_MEMGET, {blockNum, blocksCount, 0}};\r
clearCommandBuffer();\r
SendCommand(&c);\r
UsbCommand resp;\r
- if (!WaitForResponseTimeout(CMD_ACK,&resp,1500)) return 1;\r
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500)) return 1;\r
memcpy(data, resp.d.asBytes, blocksCount * 16);\r
return 0;\r
}\r
memset(buf, 0, sizeof(buf));\r
if (fgets(buf, sizeof(buf), f) == NULL) {\r
PrintAndLog("No trace file found or reading error.");\r
- fclose(f);\r
+ if (f) {\r
+ fclose(f);\r
+ f = NULL;\r
+ }\r
return 2;\r
}\r
\r
if (strlen(buf) < 32){\r
if (feof(f)) break;\r
PrintAndLog("File content error. Block data must include 32 HEX symbols");\r
- fclose(f);\r
+ if (f) {\r
+ fclose(f);\r
+ f = NULL;\r
+ }\r
return 2;\r
}\r
for (i = 0; i < 32; i += 2)\r
\r
blockNum++;\r
}\r
- fclose(f);\r
+ if (f) {\r
+ fclose(f);\r
+ f = NULL;\r
+ }\r
return 0;\r
}\r
\r
fprintf(f,"\n");\r
}\r
fflush(f);\r
- fclose(f);\r
+ if (f) {\r
+ fclose(f);\r
+ f = NULL;\r
+ }\r
return 0;\r
}\r
\r
lfsr_rollback_word(revstate, nr_enc, 1);\r
lfsr_rollback_word(revstate, cuid ^ nt, 0);\r
crypto1_get_lfsr(revstate, &key);\r
- PrintAndLog("Found Key: [%012"llx"]", key);\r
+ PrintAndLog("Found Key: [%012" PRIx64 "]", key);\r
\r
//if ( tryMfk64(cuid, nt, nr_enc, ar_enc, at_enc, &key) )\r
AddLogUint64(logHexFileName, "Found Key: ", key); \r
\r
int tryDecryptWord(uint32_t nt, uint32_t ar_enc, uint32_t at_enc, uint8_t *data, int len){\r
PrintAndLog("\nEncrypted data: [%s]", sprint_hex(data, len) );\r
- struct Crypto1State *pcs = NULL;\r
+ struct Crypto1State *s;\r
ks2 = ar_enc ^ prng_successor(nt, 64);\r
ks3 = at_enc ^ prng_successor(nt, 96);\r
- pcs = lfsr_recovery64(ks2, ks3);\r
- mf_crypto1_decrypt(pcs, data, len, FALSE);\r
+ s = lfsr_recovery64(ks2, ks3);\r
+ mf_crypto1_decrypt(s, data, len, FALSE);\r
PrintAndLog("Decrypted data: [%s]", sprint_hex(data, len) );\r
- crypto1_destroy(pcs);\r
+ crypto1_destroy(s);\r
return 0;\r
}\r
projects / proxmark3-svn / blobdiff