]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhfmf.c
projects / proxmark3-svn / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix USB descriptors
[proxmark3-svn] / client / cmdhfmf.c
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index df50441631fec0c1081d34405792c3ba5b954c2c..7a6aaa3b9a3cd367a517d2c1f7a2ea56d49ed392 100644 (file)
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -8,87 +8,46 @@
 // High frequency MIFARE commands\r
 //-----------------------------------------------------------------------------\r
 \r
 // High frequency MIFARE commands\r
 //-----------------------------------------------------------------------------\r
 \r
-#include "cmdhfmf.h"\r
-#include "./nonce2key/nonce2key.h"\r
+#include <inttypes.h>\r
+#include <string.h>\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <ctype.h>\r
+#include "proxmark3.h"\r
+#include "cmdmain.h"\r
+#include "util.h"\r
+#include "ui.h"\r
+#include "mifarehost.h"\r
+#include "mifare.h"\r
+#include "mfkey.h"\r
+\r
+#define NESTED_SECTOR_RETRY     10                     // how often we try mfested() until we give up\r
+\r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
 \r
 static int CmdHelp(const char *Cmd);\r
 \r
+\r
 int CmdHF14AMifare(const char *Cmd)\r
 {\r
 int CmdHF14AMifare(const char *Cmd)\r
 {\r
-       uint32_t uid = 0;\r
-       uint32_t nt = 0, nr = 0;\r
-       uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
-       int16_t isOK = 0;\r
-\r
-       UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};\r
-\r
-       // message\r
-       printf("-------------------------------------------------------------------------\n");\r
-       printf("Executing command. Expected execution time: 25sec on average  :-)\n");\r
-       printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");\r
-       printf("-------------------------------------------------------------------------\n");\r
-\r
-       \r
- start:\r
-    clearCommandBuffer();\r
-    SendCommand(&c);\r
-       \r
-       //flush queue\r
-       while (ukbhit())        getchar();\r
-\r
-       // wait cycle\r
-       while (true) {\r
-        printf(".");\r
-               fflush(stdout);\r
-               if (ukbhit()) {\r
-                       getchar();\r
-                       printf("\naborted via keyboard!\n");\r
-                       break;\r
-               }\r
-               \r
-               UsbCommand resp;\r
-               if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {\r
-                       isOK  = resp.arg[0];\r
-                       uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);\r
-                       nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);\r
-                       par_list = bytes_to_num(resp.d.asBytes +  8, 8);\r
-                       ks_list = bytes_to_num(resp.d.asBytes +  16, 8);\r
-                       nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
-                       printf("\n\n");\r
-                       switch (isOK) {\r
-                               case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
-                               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;\r
-                               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;\r
-                               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
-                                                       PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;\r
-                               default: ;\r
-                       }\r
-                       break;\r
-               }\r
-       }       \r
+       int isOK = 0;\r
+       uint64_t key = 0;\r
 \r
 \r
-       printf("\n");\r
-       \r
-       // error\r
-       if (isOK != 1) return 1;\r
-       \r
-       // execute original function from util nonce2key\r
-       if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
-               isOK = 2;\r
-               PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);    \r
-               PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");\r
-               c.arg[0] = false;\r
-               goto start;\r
-       } else {\r
-               isOK = 0;\r
-               printf("------------------------------------------------------------------\n");\r
-               PrintAndLog("Found valid key:%012"llx" \n", r_key);\r
+       isOK = mfDarkside(&key);\r
+       switch (isOK) {\r
+               case -1 : PrintAndLog("Button pressed. Aborted."); return 1;\r
+               case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;\r
+               case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;\r
+               case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");\r
+                                       PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;\r
+               case -5 : PrintAndLog("Aborted via keyboard.");  return 1;\r
+               default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);\r
        }\r
        \r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
        }\r
        \r
        PrintAndLog("");\r
        return 0;\r
 }\r
 \r
+\r
 int CmdHF14AMfWrBl(const char *Cmd)\r
 {\r
        uint8_t blockNo = 0;\r
 int CmdHF14AMfWrBl(const char *Cmd)\r
 {\r
        uint8_t blockNo = 0;\r
@@ -302,7 +261,8 @@ int CmdHF14AMfDump(const char *Cmd)
        \r
        // Read keys A from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
        \r
        // Read keys A from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
-               if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
@@ -311,7 +271,8 @@ int CmdHF14AMfDump(const char *Cmd)
        \r
        // Read keys B from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
        \r
        // Read keys B from file\r
        for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
-               if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
                        PrintAndLog("File reading error.");\r
                        fclose(fin);\r
                        return 2;\r
@@ -323,29 +284,32 @@ int CmdHF14AMfDump(const char *Cmd)
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|------ Reading sector access bits...-----|");\r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|-----------------------------------------|");\r
        PrintAndLog("|------ Reading sector access bits...-----|");\r
        PrintAndLog("|-----------------------------------------|");\r
-       \r
+       uint8_t tries = 0;\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
-               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
-               SendCommand(&c);\r
+               for (tries = 0; tries < 3; tries++) {           \r
+                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
+                       memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+                       SendCommand(&c);\r
 \r
 \r
-               if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       uint8_t isOK  = resp.arg[0] & 0xff;\r
-                       uint8_t *data  = resp.d.asBytes;\r
-                       if (isOK){\r
-                               rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
-                               rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
-                               rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
-                               rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                       if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               uint8_t isOK  = resp.arg[0] & 0xff;\r
+                               uint8_t *data  = resp.d.asBytes;\r
+                               if (isOK){\r
+                                       rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0\r
+                                       rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
+                                       rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
+                                       rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
+                                       break;\r
+                               } else if (tries == 2) { // on last try set defaults\r
+                                       PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
+                                       rights[sectorNo][3] = 0x01;\r
+                               }\r
                        } else {\r
                        } else {\r
-                               PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
+                               PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
                                rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
                                rights[sectorNo][3] = 0x01;\r
                        }\r
                                rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
                                rights[sectorNo][3] = 0x01;\r
                        }\r
-               } else {\r
-                       PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);\r
-                       rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
-                       rights[sectorNo][3] = 0x01;\r
                }\r
        }\r
        \r
                }\r
        }\r
        \r
@@ -357,27 +321,33 @@ int CmdHF14AMfDump(const char *Cmd)
        for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
                for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        bool received = false;\r
        for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
                for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
                        bool received = false;\r
-                       \r
-                       if (blockNo == NumBlocksPerSector(sectorNo) - 1) {              // sector trailer. At least the Access Conditions can always be read with key A. \r
-                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
-                               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
-                               SendCommand(&c);\r
-                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
-                       } else {                                                                                                // data block. Check if it can be read with key A or key B\r
-                               uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
-                               if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
-                                       UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
-                                       memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
-                                       SendCommand(&c);\r
-                                       received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
-                               } else if (rights[sectorNo][data_area] == 0x07) {                                                                               // no key would work\r
-                                       isOK = false;\r
-                                       PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
-                               } else {                                                                                                                                                                // key A would work\r
+                       for (tries = 0; tries < 3; tries++) {                   \r
+                               if (blockNo == NumBlocksPerSector(sectorNo) - 1) {              // sector trailer. At least the Access Conditions can always be read with key A. \r
                                        UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
                                        memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
                                        SendCommand(&c);\r
                                        received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
                                        UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
                                        memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
                                        SendCommand(&c);\r
                                        received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                               } else {                                                                                                // data block. Check if it can be read with key A or key B\r
+                                       uint8_t data_area = sectorNo<32?blockNo:blockNo/5;\r
+                                       if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) {   // only key B would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};\r
+                                               memcpy(c.d.asBytes, keyB[sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       } else if (rights[sectorNo][data_area] == 0x07) {                                                                               // no key would work\r
+                                               isOK = false;\r
+                                               PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
+                                               tries = 2;\r
+                                       } else {                                                                                                                                                                // key A would work\r
+                                               UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
+                                               memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
+                                               SendCommand(&c);\r
+                                               received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+                                       }\r
+                               }\r
+                               if (received) {\r
+                                       isOK  = resp.arg[0] & 0xff;\r
+                                       if (isOK) break;\r
                                }\r
                        }\r
 \r
                                }\r
                        }\r
 \r
@@ -466,16 +436,17 @@ int CmdHF14AMfRestore(const char *Cmd)
        }\r
        \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
        }\r
        \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {\r
+               size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
-\r
                        fclose(fkeys);\r
                        return 2;\r
                }\r
        }\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
                        fclose(fkeys);\r
                        return 2;\r
                }\r
        }\r
 \r
        for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
-               if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {\r
+               size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);\r
+               if (bytes_read != 6) {\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        fclose(fkeys);\r
                        return 2;\r
                        PrintAndLog("File reading error (dumpkeys.bin).");\r
                        fclose(fkeys);\r
                        return 2;\r
@@ -495,7 +466,8 @@ int CmdHF14AMfRestore(const char *Cmd)
                        UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
                        memcpy(c.d.asBytes, key, 6);\r
                        \r
                        UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
                        memcpy(c.d.asBytes, key, 6);\r
                        \r
-                       if (fread(bldata, 1, 16, fdump) == 0) {\r
+                       size_t bytes_read = fread(bldata, 1, 16, fdump);\r
+                       if (bytes_read != 16) {\r
                                PrintAndLog("File reading error (dumpdata.bin).");\r
                                fclose(fdump);\r
                                return 2;\r
                                PrintAndLog("File reading error (dumpdata.bin).");\r
                                fclose(fdump);\r
                                return 2;\r
@@ -535,10 +507,17 @@ int CmdHF14AMfRestore(const char *Cmd)
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
+\r
+typedef struct {\r
+       uint64_t Key[2];\r
+       int foundKey[2];\r
+} sector_t;\r
+\r
+\r
 int CmdHF14AMfNested(const char *Cmd)\r
 {\r
        int i, j, res, iterations;\r
 int CmdHF14AMfNested(const char *Cmd)\r
 {\r
        int i, j, res, iterations;\r
-       sector *e_sector = NULL;\r
+       sector_t *e_sector = NULL;\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t trgBlockNo = 0;\r
        uint8_t blockNo = 0;\r
        uint8_t keyType = 0;\r
        uint8_t trgBlockNo = 0;\r
@@ -632,7 +611,7 @@ int CmdHF14AMfNested(const char *Cmd)
                }\r
                key64 = bytes_to_num(keyBlock, 6);\r
                if (key64) {\r
                }\r
                key64 = bytes_to_num(keyBlock, 6);\r
                if (key64) {\r
-                       PrintAndLog("Found valid key:%012"llx, key64);\r
+                       PrintAndLog("Found valid key:%012" PRIx64, key64);\r
 \r
                        // transfer key to the emulator\r
                        if (transferToEml) {\r
 \r
                        // transfer key to the emulator\r
                        if (transferToEml) {\r
@@ -655,10 +634,10 @@ int CmdHF14AMfNested(const char *Cmd)
                }\r
        }\r
        else { // ------------------------------------  multiple sectors working\r
                }\r
        }\r
        else { // ------------------------------------  multiple sectors working\r
-               clock_t time1;\r
-               time1 = clock();\r
+               uint64_t msclock1;\r
+               msclock1 = msclock();\r
 \r
 \r
-               e_sector = calloc(SectorsCnt, sizeof(sector));\r
+               e_sector = calloc(SectorsCnt, sizeof(sector_t));\r
                if (e_sector == NULL) return 1;\r
                \r
                //test current key and additional standard keys first\r
                if (e_sector == NULL) return 1;\r
                \r
                //test current key and additional standard keys first\r
@@ -718,7 +697,7 @@ int CmdHF14AMfNested(const char *Cmd)
 \r
                                        key64 = bytes_to_num(keyBlock, 6);\r
                                        if (key64) {\r
 \r
                                        key64 = bytes_to_num(keyBlock, 6);\r
                                        if (key64) {\r
-                                               PrintAndLog("Found valid key:%012"llx, key64);\r
+                                               PrintAndLog("Found valid key:%012" PRIx64, key64);\r
                                                e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
                                                e_sector[sectorNo].Key[trgKeyType] = key64;\r
                                        }\r
                                                e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
                                                e_sector[sectorNo].Key[trgKeyType] = key64;\r
                                        }\r
@@ -726,7 +705,7 @@ int CmdHF14AMfNested(const char *Cmd)
                        }\r
                }\r
 \r
                        }\r
                }\r
 \r
-               printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);\r
+               printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);\r
                \r
                PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
                //print them\r
                \r
                PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);\r
                //print them\r
@@ -734,7 +713,7 @@ int CmdHF14AMfNested(const char *Cmd)
                PrintAndLog("|sec|key A           |res|key B           |res|");\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                for (i = 0; i < SectorsCnt; i++) {\r
                PrintAndLog("|sec|key A           |res|key B           |res|");\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                for (i = 0; i < SectorsCnt; i++) {\r
-                       PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,\r
+                       PrintAndLog("|%03d|  %012" PRIx64 "  | %d |  %012" PRIx64 "  | %d |", i,\r
                                e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                }\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
                                e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
                }\r
                PrintAndLog("|---|----------------|---|----------------|---|");\r
@@ -919,13 +898,14 @@ int CmdHF14AMfChk(const char *Cmd)
                                                if (!p) {\r
                                                        PrintAndLog("Cannot allocate memory for defKeys");\r
                                                        free(keyBlock);\r
                                                if (!p) {\r
                                                        PrintAndLog("Cannot allocate memory for defKeys");\r
                                                        free(keyBlock);\r
+                                                       fclose(f);\r
                                                        return 2;\r
                                                }\r
                                                keyBlock = p;\r
                                        }\r
                                        memset(keyBlock + 6 * keycnt, 0, 6);\r
                                        num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
                                                        return 2;\r
                                                }\r
                                                keyBlock = p;\r
                                        }\r
                                        memset(keyBlock + 6 * keycnt, 0, 6);\r
                                        num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
-                                       PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+                                       PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
                                        keycnt++;\r
                                        memset(buf, 0, sizeof(buf));\r
                                }\r
                                        keycnt++;\r
                                        memset(buf, 0, sizeof(buf));\r
                                }\r
@@ -969,7 +949,7 @@ int CmdHF14AMfChk(const char *Cmd)
                                res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
                                if (res != 1) {\r
                                        if (!res) {\r
                                res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
                                if (res != 1) {\r
                                        if (!res) {\r
-                                               PrintAndLog("Found valid key:[%012"llx"]",key64);\r
+                                               PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);\r
                                                num_to_bytes(key64, 6, foundKey[t][i]);\r
                                                validKey[t][i] = true;\r
                                        } \r
                                                num_to_bytes(key64, 6, foundKey[t][i]);\r
                                                validKey[t][i] = true;\r
                                        } \r
@@ -1016,130 +996,309 @@ int CmdHF14AMfChk(const char *Cmd)
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
-int CmdHF14AMf1kSim(const char *Cmd)\r
-{\r
-       uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};\r
-       uint8_t exitAfterNReads = 0;\r
-       uint8_t flags = 0;\r
-\r
-       uint8_t cmdp = param_getchar(Cmd, 0);\r
-       \r
-       if (cmdp == 'h' || cmdp == 'H') {\r
-               PrintAndLog("Usage:  hf mf sim  u <uid (8 hex symbols)> n <numreads> i x");\r
-               PrintAndLog("           h    this help");\r
-               PrintAndLog("           u    (Optional) UID. If not specified, the UID from emulator memory will be used");\r
-               PrintAndLog("           n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
-               PrintAndLog("           i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
-               PrintAndLog("           x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
-               PrintAndLog("");\r
-               PrintAndLog("           sample: hf mf sim u 0a0a0a0a ");\r
-               return 0;\r
-       }\r
-       uint8_t pnr = 0;\r
-       if (param_getchar(Cmd, pnr) == 'u') {\r
-               if(param_gethex(Cmd, pnr+1, uid, 8) == 0)\r
-               {\r
-                       flags |= FLAG_4B_UID_IN_DATA; // UID from packet\r
-               } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) {\r
-                       flags |= FLAG_7B_UID_IN_DATA;// UID from packet\r
-               } else {\r
-                       PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols");\r
-                       return 1;\r
+void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
+       #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+       uint64_t key = 0;\r
+       typedef struct {\r
+                       uint64_t keyA;\r
+                       uint64_t keyB;\r
+       } st_t;\r
+       st_t sector_trailer[ATTACK_KEY_COUNT];\r
+       memset(sector_trailer, 0x00, sizeof(sector_trailer));\r
+\r
+       uint8_t stSector[ATTACK_KEY_COUNT];\r
+       memset(stSector, 0x00, sizeof(stSector));\r
+       uint8_t key_cnt[ATTACK_KEY_COUNT];\r
+       memset(key_cnt, 0x00, sizeof(key_cnt));\r
+\r
+       for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       //PrintAndLog("DEBUG: Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
+                       if (doStandardAttack && mfkey32(ar_resp[i], &key)) {\r
+                               PrintAndLog("  Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
+                                               if (ar_resp[i].keytype==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = ar_resp[i].sector;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                       } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {\r
+                               uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;\r
+                               uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"\r
+                                       , keyType ? "B" : "A"\r
+                                       , sectorNum\r
+                                       , key\r
+                               );\r
+\r
+                               for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
+                                       if (key_cnt[ii]==0 || stSector[ii]==sectorNum) {\r
+                                               if (keyType==0) {\r
+                                                       //keyA\r
+                                                       sector_trailer[ii].keyA = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               } else {\r
+                                                       //keyB\r
+                                                       sector_trailer[ii].keyB = key;\r
+                                                       stSector[ii] = sectorNum;\r
+                                                       key_cnt[ii]++;\r
+                                                       break;\r
+                                               }\r
+                                       }\r
+                               }\r
+                               continue;\r
+                       }\r
                }\r
                }\r
-               pnr +=2;\r
-       }\r
-       if (param_getchar(Cmd, pnr) == 'n') {\r
-               exitAfterNReads = param_get8(Cmd,pnr+1);\r
-               pnr += 2;\r
        }\r
        }\r
-       if (param_getchar(Cmd, pnr) == 'i' ) {\r
-               //Using a flag to signal interactiveness, least significant bit\r
-               flags |= FLAG_INTERACTIVE;\r
-               pnr++;\r
+       //set emulator memory for keys\r
+       if (setEmulatorMem) {\r
+               for (uint8_t i = 0; i<ATTACK_KEY_COUNT; i++) {\r
+                       if (key_cnt[i]>0) {\r
+                               uint8_t memBlock[16];\r
+                               memset(memBlock, 0x00, sizeof(memBlock));\r
+                               char cmd1[36];\r
+                               memset(cmd1,0x00,sizeof(cmd1));\r
+                               snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
+                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
+                               if (param_gethex(cmd1, 0, memBlock, 32)) {\r
+                                       PrintAndLog("block data must include 32 HEX symbols");\r
+                                       return;\r
+                               }\r
+                               \r
+                               UsbCommand c = {CMD_MIFARE_EML_MEMSET, {(stSector[i]*4+3), 1, 0}};\r
+                               memcpy(c.d.asBytes, memBlock, 16);\r
+                               clearCommandBuffer();\r
+                               SendCommand(&c);                        \r
+                       }\r
+               }\r
        }\r
        }\r
+       /*\r
+       //un-comment to use as well moebius attack\r
+       for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
+               if (ar_resp[i].ar2 > 0) {\r
+                       if (tryMfk32_moebius(ar_resp[i], &key)) {\r
+                               PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+                       }\r
+               }\r
+       }*/\r
+}\r
 \r
 \r
-       if (param_getchar(Cmd, pnr) == 'x' ) {\r
-               //Using a flag to signal interactiveness, least significant bit\r
-               flags |= FLAG_NR_AR_ATTACK;\r
+int usage_hf14_mf1ksim(void) {\r
+       PrintAndLog("Usage:  hf mf sim h u <uid (8, 14, or 20 hex symbols)> n <numreads> i x");\r
+       PrintAndLog("options:");\r
+       PrintAndLog("      h    this help");\r
+       PrintAndLog("      u    (Optional) UID 4,7 or 10 bytes. If not specified, the UID 4B from emulator memory will be used");\r
+       PrintAndLog("      n    (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
+       PrintAndLog("      i    (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
+       PrintAndLog("      x    (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
+       PrintAndLog("      e    (Optional) set keys found from 'reader attack' to emulator memory (implies x and i)");\r
+       PrintAndLog("      f    (Optional) get UIDs to use for 'reader attack' from file 'f <filename.txt>' (implies x and i)");\r
+       PrintAndLog("      r    (Optional) Generate random nonces instead of sequential nonces. Standard reader attack won't work with this option, only moebius attack works.");\r
+       PrintAndLog("samples:");\r
+       PrintAndLog("           hf mf sim u 0a0a0a0a");\r
+       PrintAndLog("           hf mf sim u 11223344556677");\r
+       PrintAndLog("           hf mf sim u 112233445566778899AA");\r
+       PrintAndLog("           hf mf sim f uids.txt");\r
+       PrintAndLog("           hf mf sim u 0a0a0a0a e");\r
+               \r
+       return 0;\r
+}\r
+\r
+int CmdHF14AMf1kSim(const char *Cmd) {\r
+       UsbCommand resp;\r
+       uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
+       uint8_t exitAfterNReads = 0;\r
+       uint8_t flags = 0;\r
+       int uidlen = 0;\r
+       uint8_t pnr = 0;\r
+       bool setEmulatorMem = false;\r
+       bool attackFromFile = false;\r
+       FILE *f;\r
+       char filename[FILE_PATH_SIZE];\r
+       memset(filename, 0x00, sizeof(filename));\r
+       int len = 0;\r
+       char buf[64];\r
+\r
+       uint8_t cmdp = 0;\r
+       bool errors = false;\r
+\r
+       while(param_getchar(Cmd, cmdp) != 0x00) {\r
+               switch(param_getchar(Cmd, cmdp)) {\r
+               case 'e':\r
+               case 'E':\r
+                       setEmulatorMem = true;\r
+                       //implies x and i\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               case 'f':\r
+               case 'F':\r
+                       len = param_getstr(Cmd, cmdp+1, filename);\r
+                       if (len < 1) {\r
+                               PrintAndLog("error no filename found");\r
+                               return 0;\r
+                       }\r
+                       attackFromFile = true;\r
+                       //implies x and i\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'h':\r
+               case 'H':\r
+                       return usage_hf14_mf1ksim();\r
+               case 'i':\r
+               case 'I':\r
+                       flags |= FLAG_INTERACTIVE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'n':\r
+               case 'N':\r
+                       exitAfterNReads = param_get8(Cmd, pnr+1);\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'r':\r
+               case 'R':\r
+                       flags |= FLAG_RANDOM_NONCE;\r
+                       cmdp++;\r
+                       break;\r
+               case 'u':\r
+               case 'U':\r
+                       param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
+                       switch(uidlen) {\r
+                               case 20: flags = FLAG_10B_UID_IN_DATA;  break; //not complete\r
+                               case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
+                               default: return usage_hf14_mf1ksim();\r
+                       }\r
+                       cmdp += 2;\r
+                       break;\r
+               case 'x':\r
+               case 'X':\r
+                       flags |= FLAG_NR_AR_ATTACK;\r
+                       cmdp++;\r
+                       break;\r
+               default:\r
+                       PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+                       errors = true;\r
+                       break;\r
+               }\r
+               if(errors) break;\r
        }\r
        }\r
-       PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",\r
-                               flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
-                                                                                         flags & FLAG_7B_UID_IN_DATA   ? sprint_hex(uid,7): "N/A"\r
-                               , exitAfterNReads, flags,flags);\r
+       //Validations\r
+       if(errors) return usage_hf14_mf1ksim();\r
 \r
 \r
+       //get uid from file\r
+       if (attackFromFile) {\r
+               int count = 0;\r
+               // open file\r
+               f = fopen(filename, "r");\r
+               if (f == NULL) {\r
+                       PrintAndLog("File %s not found or locked", filename);\r
+                       return 1;\r
+               }\r
+               PrintAndLog("Loading file and simulating. Press keyboard to abort");\r
+               while(!feof(f) && !ukbhit()){\r
+                       memset(buf, 0, sizeof(buf));\r
+                       memset(uid, 0, sizeof(uid));\r
 \r
 \r
-       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
-       memcpy(c.d.asBytes, uid, sizeof(uid));\r
-       SendCommand(&c);\r
+                       if (fgets(buf, sizeof(buf), f) == NULL) {                       \r
+                               if (count > 0) break;\r
+                               \r
+                               PrintAndLog("File reading error.");\r
+                               fclose(f);\r
+                               return 2;\r
+                       }\r
+                       if(!strlen(buf) && feof(f)) break;\r
+\r
+                       uidlen = strlen(buf)-1;\r
+                       switch(uidlen) {\r
+                               case 20: flags |= FLAG_10B_UID_IN_DATA; break; //not complete\r
+                               case 14: flags |= FLAG_7B_UID_IN_DATA; break;\r
+                               case  8: flags |= FLAG_4B_UID_IN_DATA; break;\r
+                               default: \r
+                                       PrintAndLog("uid in file wrong length at %d (length: %d) [%s]",count, uidlen, buf);\r
+                                       fclose(f);\r
+                                       return 2;\r
+                       }\r
 \r
 \r
-       if(flags & FLAG_INTERACTIVE)\r
-       {\r
-               UsbCommand resp;\r
-               PrintAndLog("Press pm3-button to abort simulation");\r
-               while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
-                       //We're waiting only 1.5 s at a time, otherwise we get the\r
-                       // annoying message about "Waiting for a response... "\r
-               }\r
-               //got a response\r
-               if (flags & FLAG_NR_AR_ATTACK) {\r
-                       typedef struct {\r
-                         uint32_t cuid;\r
-                         uint8_t  sector;\r
-                         uint8_t  keytype;\r
-                         uint32_t nonce;\r
-                         uint32_t ar;\r
-                         uint32_t nr;\r
-                         uint32_t nonce2;\r
-                         uint32_t ar2;\r
-                         uint32_t nr2;\r
-                       } nonces_t;\r
-                       nonces_t ar_resp[4];\r
-                       //uint32_t ar_responses[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};\r
-                       uint64_t key = 0;\r
-                       //uint64_t keyB = 0;\r
-                       //uint8_t arnr_len = 8;\r
-                       memcpy (ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                       for (uint8_t i = 0; i < uidlen; i += 2) {\r
+                               sscanf(&buf[i], "%02x", (unsigned int *)&uid[i / 2]);\r
+                       }\r
                        \r
                        \r
-                       for (uint8_t i = 0; i<4; i++) {\r
-                               if (ar_resp[i].ar2 > 0) {\r
-                                       key = mfkey32(ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
-                                       if (key>0) {\r
-                                               PrintAndLog("\nFound Key%s for sector %d: [%04x%08x]", (i<2) ? "A" : "B", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
-                                               //set emulator memory for key\r
-                                       }       \r
-                               }\r
+                       PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) - press button to abort",\r
+                                       flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+                                               flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7): \r
+                                                       flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+                                       , exitAfterNReads, flags, flags);\r
+\r
+                       UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+                       memcpy(c.d.asBytes, uid, sizeof(uid));\r
+                       clearCommandBuffer();\r
+                       SendCommand(&c);\r
+\r
+                       while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
                        }\r
                        }\r
-                       /*\r
-                       if (ar_resp[1] && ar_responses[2] && ar_responses[3] && ar_responses[6] && ar_responses[7]) {\r
-                               keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);\r
-                               if (keyA>0) {\r
-                                       PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
-                                       //set emulator memory for key\r
-                               } else {\r
-                                       keyA = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2],ar_responses[3],ar_responses[6],ar_responses[7]);                        \r
-                                       if (keyA>0) {\r
-                                               PrintAndLog("\nFound KeyA: [%04x%08x]\n\n", (uint32_t) (keyA>>32), (uint32_t) (keyA &0xFFFFFFFF));\r
-                                               //set emulator memory for key\r
-                                       }\r
-                               }\r
-                       } else {\r
-                               PrintAndLog("keyA response error: %d %d %d %d %d",ar_responses[1] , ar_responses[2] , ar_responses[3] , ar_responses[6] , ar_responses[7]);\r
+                       //got a response\r
+                       nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                       memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                       // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                       readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
+                       if ((bool)resp.arg[1]) {\r
+                               PrintAndLog("Device button pressed - quitting");\r
+                               fclose(f);\r
+                               return 4;\r
                        }\r
                        }\r
-                       if (ar_responses[1] && ar_responses[2+arnr_len] && ar_responses[3+arnr_len] && ar_responses[6+arnr_len] && ar_responses[7+arnr_len]) {\r
-                               keyB = mfkey32(ar_responses[0],ar_responses[1],ar_responses[2+arnr_len],ar_responses[3+arnr_len],ar_responses[6+arnr_len],ar_responses[7+arnr_len]);\r
-                               if (keyB>0) {\r
-                                       PrintAndLog("\nFound KeyB: [%04x%08x]\n\n", (uint32_t) (keyB>>32), (uint32_t) (keyB & 0xFFFFFFFF));\r
-                                       //set emulator memory for key\r
-                               }\r
+                       count++;\r
+               }\r
+               fclose(f);\r
+       } else { //not from file\r
+\r
+               PrintAndLog("mf 1k sim uid: %s, numreads:%d, flags:%d (0x%02x) ",\r
+                               flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):\r
+                                       flags & FLAG_7B_UID_IN_DATA     ? sprint_hex(uid,7): \r
+                                               flags & FLAG_10B_UID_IN_DATA ? sprint_hex(uid,10): "N/A"\r
+                               , exitAfterNReads, flags, flags);\r
+\r
+               UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};\r
+               memcpy(c.d.asBytes, uid, sizeof(uid));\r
+               clearCommandBuffer();\r
+               SendCommand(&c);\r
+\r
+               if(flags & FLAG_INTERACTIVE) {\r
+                       PrintAndLog("Press pm3-button to abort simulation");\r
+                       while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {\r
+                               //We're waiting only 1.5 s at a time, otherwise we get the\r
+                               // annoying message about "Waiting for a response... "\r
                        }\r
                        }\r
-                       if (keyA || keyB) {\r
-                               //TODO retry sim with new keys in emulator memory? (somehow flag to check that to see if new key has successful auth now?)\r
-                               //      to validate key is correct\r
+                       //got a response\r
+                       if (flags & FLAG_NR_AR_ATTACK) {\r
+                               nonces_t ar_resp[ATTACK_KEY_COUNT*2];\r
+                               memcpy(ar_resp, resp.d.asBytes, sizeof(ar_resp));\r
+                               // We can skip the standard attack if we have RANDOM_NONCE set.\r
+                               readerAttack(ar_resp, setEmulatorMem, !(flags & FLAG_RANDOM_NONCE));\r
                        }\r
                        }\r
-                       */\r
                }\r
        }\r
                }\r
        }\r
-       \r
+\r
        return 0;\r
 }\r
 \r
        return 0;\r
 }\r
 \r
@@ -1268,7 +1427,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
 \r
        fnameptr += len;\r
 \r
 \r
        fnameptr += len;\r
 \r
@@ -1367,7 +1526,7 @@ int CmdHF14AMfESave(const char *Cmd)
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
 \r
        len = param_getstr(Cmd,nameParamNo,filename);\r
        \r
-       if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+       if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
        \r
        // user supplied filename?\r
        if (len < 1) {\r
        \r
        // user supplied filename?\r
        if (len < 1) {\r
@@ -1491,7 +1650,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
                }\r
                keyA = bytes_to_num(data, 6);\r
                keyB = bytes_to_num(data + 10, 6);\r
                }\r
                keyA = bytes_to_num(data, 6);\r
                keyB = bytes_to_num(data + 10, 6);\r
-               PrintAndLog("|%03d|  %012"llx"  |  %012"llx"  |", i, keyA, keyB);\r
+               PrintAndLog("|%03d|  %012" PRIx64 "  |  %012" PRIx64 "  |", i, keyA, keyB);\r
        }\r
        PrintAndLog("|---|----------------|----------------|");\r
        \r
        }\r
        PrintAndLog("|---|----------------|----------------|");\r
        \r
@@ -1572,7 +1731,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
 {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t blockNo = 0;\r
 {\r
        uint8_t memBlock[16] = {0x00};\r
        uint8_t blockNo = 0;\r
-       bool wipeCard = FALSE;\r
+       bool wipeCard = false;\r
        int res;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
        int res;\r
 \r
        if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {\r
@@ -1643,7 +1802,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
 \r
                memcpy(filename, Cmd, len);\r
                fnameptr += len;\r
 \r
                memcpy(filename, Cmd, len);\r
                fnameptr += len;\r
@@ -1684,6 +1843,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 \r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Can't set magic card block: %d", blockNum);\r
 \r
                        if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {\r
                                PrintAndLog("Can't set magic card block: %d", blockNum);\r
+                               fclose(f);\r
                                return 3;\r
                        }\r
                        blockNum++;\r
                                return 3;\r
                        }\r
                        blockNum++;\r
@@ -1812,7 +1972,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
                return 0;\r
        } else {\r
                len = strlen(Cmd);\r
-               if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;\r
+               if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;\r
        \r
                if (len < 1) {\r
                        // get filename\r
        \r
                if (len < 1) {\r
                        // get filename\r
@@ -1932,11 +2092,14 @@ int CmdHF14AMfSniff(const char *Cmd){
                        uint16_t traceLen = resp.arg[1];\r
                        len = resp.arg[2];\r
 \r
                        uint16_t traceLen = resp.arg[1];\r
                        len = resp.arg[2];\r
 \r
-                       if (res == 0) return 0;                                         // we are done\r
+                       if (res == 0) {                                                         // we are done\r
+                               free(buf);\r
+                               return 0;\r
+                       }\r
 \r
                        if (res == 1) {                                                         // there is (more) data to be transferred\r
                                if (pckNum == 0) {                                              // first packet, (re)allocate necessary buffer\r
 \r
                        if (res == 1) {                                                         // there is (more) data to be transferred\r
                                if (pckNum == 0) {                                              // first packet, (re)allocate necessary buffer\r
-                                       if (traceLen > bufsize) {\r
+                                       if (traceLen > bufsize || buf == NULL) {\r
                                                uint8_t *p;\r
                                                if (buf == NULL) {                              // not yet allocated\r
                                                        p = malloc(traceLen);\r
                                                uint8_t *p;\r
                                                if (buf == NULL) {                              // not yet allocated\r
                                                        p = malloc(traceLen);\r
Proxmark3 GIT tracking
Impressum, Datenschutz