// High frequency MIFARE commands\r
//-----------------------------------------------------------------------------\r
\r
-#include "cmdhfmf.h"\r
-#include "./nonce2key/nonce2key.h"\r
+#include <inttypes.h>\r
+#include <string.h>\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <ctype.h>\r
+#include "proxmark3.h"\r
+#include "cmdmain.h"\r
+#include "util.h"\r
+#include "ui.h"\r
+#include "mifarehost.h"\r
+#include "mifare.h"\r
+#include "mfkey.h"\r
+\r
+#define NESTED_SECTOR_RETRY 10 // how often we try mfested() until we give up\r
+\r
\r
static int CmdHelp(const char *Cmd);\r
\r
+\r
int CmdHF14AMifare(const char *Cmd)\r
{\r
- uint32_t uid = 0;\r
- uint32_t nt = 0, nr = 0;\r
- uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
- int16_t isOK = 0;\r
-\r
- UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
-\r
- // message\r
- printf("-------------------------------------------------------------------------\n");\r
- printf("Executing command. Expected execution time: 25sec on average :-)\n");\r
- printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
- printf("-------------------------------------------------------------------------\n");\r
-\r
- \r
- start:\r
- clearCommandBuffer();\r
- SendCommand(&c);\r
- \r
- //flush queue\r
- while (ukbhit()) getchar();\r
-\r
- // wait cycle\r
- while (true) {\r
- printf(".");\r
- fflush(stdout);\r
- if (ukbhit()) {\r
- getchar();\r
- printf("\naborted via keyboard!\n");\r
- break;\r
- }\r
- \r
- UsbCommand resp;\r
- if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
- isOK = resp.arg[0];\r
- uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);\r
- nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);\r
- par_list = bytes_to_num(resp.d.asBytes + 8, 8);\r
- ks_list = bytes_to_num(resp.d.asBytes + 16, 8);\r
- nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
- printf("\n\n");\r
- switch (isOK) {\r
- case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
- case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
- case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
- case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
- PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
- default: ;\r
- }\r
- break;\r
- }\r
- } \r
+ int isOK = 0;\r
+ uint64_t key = 0;\r
\r
- printf("\n");\r
- \r
- // error\r
- if (isOK != 1) return 1;\r
- \r
- // execute original function from util nonce2key\r
- if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
- isOK = 2;\r
- PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt); \r
- PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
- c.arg[0] = false;\r
- goto start;\r
- } else {\r
- isOK = 0;\r
- printf("------------------------------------------------------------------\n");\r
- PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
+ isOK = mfDarkside(&key);\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Button pressed. Aborted."); return 1;\r
+ case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;\r
+ case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;\r
+ case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+ PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;\r
+ case -5 : PrintAndLog("Aborted via keyboard."); return 1;\r
+ default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);\r
}\r
\r
PrintAndLog("");\r
return 0;\r
}\r
\r
+\r
int CmdHF14AMfWrBl(const char *Cmd)\r
{\r
uint8_t blockNo = 0;\r
\r
// Read keys A from file\r
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
- if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {\r
+ size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);\r
+ if (bytes_read != 6) {\r
PrintAndLog("File reading error.");\r
fclose(fin);\r
return 2;\r
\r
// Read keys B from file\r
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
- if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {\r
+ size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);\r
+ if (bytes_read != 6) {\r
PrintAndLog("File reading error.");\r
fclose(fin);\r
return 2;\r
PrintAndLog("|-----------------------------------------|");\r
PrintAndLog("|------ Reading sector access bits...-----|");\r
PrintAndLog("|-----------------------------------------|");\r
- \r
+ uint8_t tries = 0;\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
- UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
- memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
- SendCommand(&c);\r
+ for (tries = 0; tries < 3; tries++) { \r
+ UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
+ memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+ SendCommand(&c);\r
\r
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
- uint8_t isOK = resp.arg[0] & 0xff;\r
- uint8_t *data = resp.d.asBytes;\r
- if (isOK){\r
- rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
- rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
- rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
- rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+ uint8_t isOK = resp.arg[0] & 0xff;\r
+ uint8_t *data = resp.d.asBytes;\r
+ if (isOK){\r
+ rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
+ rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
+ rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
+ rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+ break;\r
+ } else if (tries == 2) { // on last try set defaults\r
+ PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+ rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
+ rights[sectorNo][3] = 0x01;\r
+ }\r
} else {\r
- PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+ PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
rights[sectorNo][3] = 0x01;\r
}\r
- } else {\r
- PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
- rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
- rights[sectorNo][3] = 0x01;\r
}\r
}\r
\r
for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
bool received = false;\r
- \r
- if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. \r
- UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
- memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
- SendCommand(&c);\r
- received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
- } else { // data block. Check if it can be read with key A or key B\r
- uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
- if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work\r
- UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
- memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
- SendCommand(&c);\r
- received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
- } else if (rights[sectorNo][data_area] == 0x07) { // no key would work\r
- isOK = false;\r
- PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
- } else { // key A would work\r
+ for (tries = 0; tries < 3; tries++) { \r
+ if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. \r
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
SendCommand(&c);\r
received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+ } else { // data block. Check if it can be read with key A or key B\r
+ uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
+ if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work\r
+ UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
+ memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
+ SendCommand(&c);\r
+ received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+ } else if (rights[sectorNo][data_area] == 0x07) { // no key would work\r
+ isOK = false;\r
+ PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
+ tries = 2;\r
+ } else { // key A would work\r
+ UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
+ memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+ SendCommand(&c);\r
+ received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+ }\r
+ }\r
+ if (received) {\r
+ isOK = resp.arg[0] & 0xff;\r
+ if (isOK) break;\r
}\r
}\r
\r
}\r
\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
- if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {\r
+ size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);\r
+ if (bytes_read != 6) {\r
PrintAndLog("File reading error (dumpkeys.bin).");\r
-\r
fclose(fkeys);\r
return 2;\r
}\r
}\r
\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
- if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {\r
+ size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);\r
+ if (bytes_read != 6) {\r
PrintAndLog("File reading error (dumpkeys.bin).");\r
fclose(fkeys);\r
return 2;\r
UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
memcpy(c.d.asBytes, key, 6);\r
\r
- if (fread(bldata, 1, 16, fdump) == 0) {\r
+ size_t bytes_read = fread(bldata, 1, 16, fdump);\r
+ if (bytes_read != 16) {\r
PrintAndLog("File reading error (dumpdata.bin).");\r
fclose(fdump);\r
return 2;\r
return 0;\r
}\r
\r
+\r
+typedef struct {\r
+ uint64_t Key[2];\r
+ int foundKey[2];\r
+} sector_t;\r
+\r
+\r
int CmdHF14AMfNested(const char *Cmd)\r
{\r
int i, j, res, iterations;\r
- sector *e_sector = NULL;\r
+ sector_t *e_sector = NULL;\r
uint8_t blockNo = 0;\r
uint8_t keyType = 0;\r
uint8_t trgBlockNo = 0;\r
}\r
key64 = bytes_to_num(keyBlock, 6);\r
if (key64) {\r
- PrintAndLog("Found valid key:%012"llx, key64);\r
+ PrintAndLog("Found valid key:%012" PRIx64, key64);\r
\r
// transfer key to the emulator\r
if (transferToEml) {\r
}\r
}\r
else { // ------------------------------------ multiple sectors working\r
- clock_t time1;\r
- time1 = clock();\r
+ uint64_t msclock1;\r
+ msclock1 = msclock();\r
\r
- e_sector = calloc(SectorsCnt, sizeof(sector));\r
+ e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
if (e_sector == NULL) return 1;\r
\r
//test current key and additional standard keys first\r
\r
key64 = bytes_to_num(keyBlock, 6);\r
if (key64) {\r
- PrintAndLog("Found valid key:%012"llx, key64);\r
+ PrintAndLog("Found valid key:%012" PRIx64, key64);\r
e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
e_sector[sectorNo].Key[trgKeyType] = key64;\r
}\r
}\r
}\r
\r
- printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);\r
+ printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);\r
\r
PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
//print them\r
PrintAndLog("|sec|key A |res|key B |res|");\r
PrintAndLog("|---|----------------|---|----------------|---|");\r
for (i = 0; i < SectorsCnt; i++) {\r
- PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,\r
+ PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,\r
e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
}\r
PrintAndLog("|---|----------------|---|----------------|---|");\r
if (!p) {\r
PrintAndLog("Cannot allocate memory for defKeys");\r
free(keyBlock);\r
+ fclose(f);\r
return 2;\r
}\r
keyBlock = p;\r
}\r
memset(keyBlock + 6 * keycnt, 0, 6);\r
num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
- PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+ PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
keycnt++;\r
memset(buf, 0, sizeof(buf));\r
}\r
res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
if (res != 1) {\r
if (!res) {\r
- PrintAndLog("Found valid key:[%012"llx"]",key64);\r
+ PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);\r
num_to_bytes(key64, 6, foundKey[t][i]);\r
validKey[t][i] = true;\r
} \r
return 0;\r
}\r
\r
-void readerAttack(nonces_t ar_resp[], bool setEmulatorMem) {\r
- #define ATTACK_KEY_COUNT 8\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+ #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()\r
uint64_t key = 0;\r
typedef struct {\r
uint64_t keyA;\r
- uint32_t security;\r
uint64_t keyB;\r
} st_t;\r
st_t sector_trailer[ATTACK_KEY_COUNT];\r
\r
for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
if (ar_resp[i].ar2 > 0) {\r
- //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
- if (mfkey32(ar_resp[i], &key)) {\r
- PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+ //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+ if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
+ PrintAndLog(" Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
\r
for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
}\r
}\r
}\r
+ } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+ uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+ uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+ PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"\r
+ , keyType ? "B" : "A"\r
+ , sectorNum\r
+ , key\r
+ );\r
+\r
+ for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+ if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+ if (keyType==0) {\r
+ //keyA\r
+ sector_trailer[ii].keyA = key;\r
+ stSector[ii] = sectorNum;\r
+ key_cnt[ii]++;\r
+ break;\r
+ } else {\r
+ //keyB\r
+ sector_trailer[ii].keyB = key;\r
+ stSector[ii] = sectorNum;\r
+ key_cnt[ii]++;\r
+ break;\r
+ }\r
+ }\r
+ }\r
+ continue;\r
}\r
}\r
}\r
if (setEmulatorMem) {\r
for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
if (key_cnt[i]>0) {\r
- //PrintAndLog ("block %d, keyA:%04x%08x, keyb:%04x%08x",stSector[i]*4+3, (uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
uint8_t memBlock[16];\r
memset(memBlock, 0x00, sizeof(memBlock));\r
char cmd1[36];\r
}\r
}\r
}\r
- //moebius attack\r
+ /*\r
+ //un-comment to use as well moebius attack\r
for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
if (ar_resp[i].ar2 > 0) {\r
if (tryMfk32_moebius(ar_resp[i], &key)) {\r
PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
}\r
}\r
- }\r
+ }*/\r
}\r
\r
int usage_hf14_mf1ksim(void) {\r
- PrintAndLog("Usage: hf mf sim [h] u <uid (8,14 hex symbols)> n <numreads> i x");\r
+ PrintAndLog("Usage: hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");\r
PrintAndLog("options:");\r
PrintAndLog(" h this help");\r
- PrintAndLog(" u (Optional) UID 4,7 bytes. If not specified, the UID 4b from emulator memory will be used");\r
+ PrintAndLog(" u (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");\r
PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
- PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory");\r
+ PrintAndLog(" e (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");\r
PrintAndLog(" f (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");\r
+ PrintAndLog(" r (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");\r
PrintAndLog("samples:");\r
PrintAndLog(" hf mf sim u 0a0a0a0a");\r
PrintAndLog(" hf mf sim u 11223344556677");\r
- PrintAndLog(" hf mf sim u 112233445566778899AA"); \r
+ PrintAndLog(" hf mf sim u 112233445566778899AA");\r
+ PrintAndLog(" hf mf sim f uids.txt");\r
+ PrintAndLog(" hf mf sim u 0a0a0a0a e");\r
+ \r
return 0;\r
}\r
\r
memset(filename, 0x00, sizeof(filename));\r
int len = 0;\r
char buf[64];\r
- uint8_t uidBuffer[64];\r
\r
uint8_t cmdp = 0;\r
bool errors = false;\r
case 'e':\r
case 'E':\r
setEmulatorMem = true;\r
+ //implies x and i\r
+ flags |= FLAG_INTERACTIVE;\r
+ flags |= FLAG_NR_AR_ATTACK;\r
cmdp++;\r
break;\r
case 'f':\r
return 0;\r
}\r
attackFromFile = true;\r
- cmdp+=2;\r
+ //implies x and i\r
+ flags |= FLAG_INTERACTIVE;\r
+ flags |= FLAG_NR_AR_ATTACK;\r
+ cmdp += 2;\r
break;\r
case 'h':\r
case 'H':\r
exitAfterNReads = param_get8(Cmd, pnr+1);\r
cmdp += 2;\r
break;\r
+ case 'r':\r
+ case 'R':\r
+ flags |= FLAG_RANDOM_NONCE;\r
+ cmdp++;\r
+ break;\r
case 'u':\r
case 'U':\r
param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
default: return usage_hf14_mf1ksim();\r
}\r
- cmdp +=2;\r
+ cmdp += 2;\r
break;\r
case 'x':\r
case 'X':\r
//Validations\r
if(errors) return usage_hf14_mf1ksim();\r
\r
- // attack from file implies nr ar attack and interactive...\r
- if (!(flags & FLAG_NR_AR_ATTACK) && attackFromFile) flags |= FLAG_NR_AR_ATTACK | FLAG_INTERACTIVE;\r
- \r
//get uid from file\r
if (attackFromFile) {\r
int count = 0;\r
PrintAndLog("Loading file and simulating. Press keyboard to abort");\r
while(!feof(f) && !ukbhit()){\r
memset(buf, 0, sizeof(buf));\r
- memset(uidBuffer, 0, sizeof(uidBuffer));\r
+ memset(uid, 0, sizeof(uid));\r
\r
if (fgets(buf, sizeof(buf), f) == NULL) { \r
if (count > 0) break;\r
fclose(f);\r
return 2;\r
}\r
- if(strlen(buf) && feof(f)) break;\r
+ if(!strlen(buf) && feof(f)) break;\r
\r
- uidlen = strlen(buf);\r
+ uidlen = strlen(buf)-1;\r
switch(uidlen) {\r
- case 20: flags = FLAG_10B_UID_IN_DATA; break; //not complete\r
- case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
- case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
+ case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete\r
+ case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags |= FLAG_4B_UID_IN_DATA; break;\r
default: \r
- PrintAndLog("uid in file wrong length at %d",count);\r
+ PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);\r
fclose(f);\r
return 2;\r
}\r
\r
for (uint8_t i = 0; i < uidlen; i += 2) {\r
- sscanf(&buf[i], "%02x", (unsigned int *)&uidBuffer[i / 2]);\r
+ sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);\r
}\r
\r
PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",\r
//got a response\r
nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
- readerAttack(ar_resp, setEmulatorMem);\r
- if (resp.arg[1]) {\r
+ // We can skip the standard attack if we have RANDOM_NONCE set.\r
+ readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+ if ((bool)resp.arg[1]) {\r
PrintAndLog("Device button pressed - quitting");\r
fclose(f);\r
return 4;\r
count++;\r
}\r
fclose(f);\r
- } else {\r
+ } else { //not from file\r
\r
PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
if (flags & FLAG_NR_AR_ATTACK) {\r
nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
- readerAttack(ar_resp, setEmulatorMem);\r
+ // We can skip the standard attack if we have RANDOM_NONCE set.\r
+ readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
}\r
}\r
}\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
\r
fnameptr += len;\r
\r
\r
len = param_getstr(Cmd,nameParamNo,filename);\r
\r
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
\r
// user supplied filename?\r
if (len < 1) {\r
}\r
keyA = bytes_to_num(data, 6);\r
keyB = bytes_to_num(data + 10, 6);\r
- PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB);\r
+ PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB);\r
}\r
PrintAndLog("|---|----------------|----------------|");\r
\r
{\r
uint8_t memBlock[16] = {0x00};\r
uint8_t blockNo = 0;\r
- bool wipeCard = FALSE;\r
+ bool wipeCard = false;\r
int res;\r
\r
if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
\r
memcpy(filename, Cmd, len);\r
fnameptr += len;\r
\r
if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
PrintAndLog("Can't set magic card block: %d", blockNum);\r
+ fclose(f);\r
return 3;\r
}\r
blockNum++;\r
return 0;\r
} else {\r
len = strlen(Cmd);\r
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
\r
if (len < 1) {\r
// get filename\r
uint16_t traceLen = resp.arg[1];\r
len = resp.arg[2];\r
\r
- if (res == 0) return 0; // we are done\r
+ if (res == 0) { // we are done\r
+ free(buf);\r
+ return 0;\r
+ }\r
\r
if (res == 1) { // there is (more) data to be transferred\r
if (pckNum == 0) { // first packet, (re)allocate necessary buffer\r
- if (traceLen > bufsize) {\r
+ if (traceLen > bufsize || buf == NULL) {\r
uint8_t *p;\r
if (buf == NULL) { // not yet allocated\r
p = malloc(traceLen);\r
projects / proxmark3-svn / blobdiff