]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - armsrc/iso14443a.c
ADD: @marshmellow42 's 14b fixes.
[proxmark3-svn] / armsrc / iso14443a.c
index e1943b2654eea613892db908e836991b8c381c5a..027703ec40497499482021d0ae6d4441dc46baf0 100644 (file)
@@ -673,6 +673,7 @@ void RAMFUNC SniffIso14443a(uint8_t param) {
                                        }
                                        /* And ready to receive another command. */
                                        UartReset();
+                                       //UartInit(receivedCmd, receivedCmdPar);
                                        /* And also reset the demod code, which might have been */
                                        /* false-triggered by the commands from the reader. */
                                        DemodReset();
@@ -912,7 +913,9 @@ bool prepare_tag_modulation(tag_response_info_t* response_info, size_t max_buffe
 // Coded responses need one byte per bit to transfer (data, parity, start, stop, correction) 
 // 28 * 8 data bits, 28 * 1 parity bits, 7 start bits, 7 stop bits, 7 correction bits
 // -> need 273 bytes buffer
-#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 273
+// 44 * 8 data bits, 44 * 1 parity bits, 9 start bits, 9 stop bits, 9 correction bits --370
+// 47 * 8 data bits, 47 * 1 parity bits, 10 start bits, 10 stop bits, 10 correction bits 
+#define ALLOCATED_TAG_MODULATION_BUFFER_SIZE 453 
 
 bool prepare_allocated_tag_modulation(tag_response_info_t* response_info) {
   // Retrieve and store the current buffer index
@@ -945,7 +948,10 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
        uint8_t ar_nr_collected = 0;
        
        uint8_t sak;
-
+                                       
+       // PACK response to PWD AUTH for EV1/NTAG
+       uint8_t response8[4];
+       
        // The first response contains the ATQA (note: bytes are transmitted in reverse order).
        uint8_t response1[2];
        
@@ -958,7 +964,7 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                } break;
                case 2: { // MIFARE Ultralight
                        // Says: I am a stupid memory tag, no crypto
-                       response1[0] = 0x04;
+                       response1[0] = 0x44;
                        response1[1] = 0x00;
                        sak = 0x00;
                } break;
@@ -986,6 +992,16 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                        response1[1] = 0x00;
                        sak = 0x09;
                } break;
+               case 7: { // NTAG?
+                       // Says: I am a NTAG, 
+                       response1[0] = 0x44;
+                       response1[1] = 0x00;
+                       sak = 0x00;
+                       // PACK
+                       response8[0] = 0x80;
+                       response8[1] = 0x80;
+                       ComputeCrc14443(CRC_14443_A, response8, 2, &response8[2], &response8[3]);
+               } break;                
                default: {
                        Dbprintf("Error: unkown tagtype (%d)",tagType);
                        return;
@@ -1007,7 +1023,7 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                response2a[0] = data[3];
                response2a[1] = data[4];
                response2a[2] = data[5];
-               response2a[3] = data[7];
+               response2a[3] = data[6]; //??
                response2a[4] = response2a[0] ^ response2a[1] ^ response2a[2] ^ response2a[3];
 
                // Configure the ATQA and SAK accordingly
@@ -1034,7 +1050,7 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
        response3a[0] = sak & 0xFB;
        ComputeCrc14443(CRC_14443_A, response3a, 1, &response3a[1], &response3a[2]);
 
-       uint8_t response5[] = { 0x00, 0x00, 0x00, 0x00 }; // Very random tag nonce
+       uint8_t response5[] = { 0x01, 0x01, 0x01, 0x01 }; // Very random tag nonce
        uint8_t response6[] = { 0x04, 0x58, 0x80, 0x02, 0x00, 0x00 }; // dummy ATS (pseudo-ATR), answer to RATS: 
        // Format byte = 0x58: FSCI=0x08 (FSC=256), TA(1) and TC(1) present, 
        // TA(1) = 0x80: different divisors not supported, DR = 1, DS = 1
@@ -1042,7 +1058,14 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
        // TC(1) = 0x02: CID supported, NAD not supported
        ComputeCrc14443(CRC_14443_A, response6, 4, &response6[4], &response6[5]);
 
-       #define TAG_RESPONSE_COUNT 7
+       // Prepare GET_VERSION (different for EV-1 / NTAG)
+       //uint8_t response7_EV1[] = {0x00, 0x04, 0x03, 0x01, 0x01, 0x00, 0x0b, 0x03, 0xfd, 0xf7};  //EV1 48bytes VERSION.
+       uint8_t response7_NTAG[] = {0x00, 0x04, 0x04, 0x02, 0x01, 0x00, 0x11, 0x03, 0x01, 0x9e}; //NTAG 215
+       
+       // Prepare CHK_TEARING
+       uint8_t response9[] =  {0xBD,0x90,0x3f};
+       
+       #define TAG_RESPONSE_COUNT 10
        tag_response_info_t responses[TAG_RESPONSE_COUNT] = {
                { .response = response1,  .response_n = sizeof(response1)  },  // Answer to request - respond with card type
                { .response = response2,  .response_n = sizeof(response2)  },  // Anticollision cascade1 - respond with uid
@@ -1051,6 +1074,9 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                { .response = response3a, .response_n = sizeof(response3a) },  // Acknowledge select - cascade 2
                { .response = response5,  .response_n = sizeof(response5)  },  // Authentication answer (random nonce)
                { .response = response6,  .response_n = sizeof(response6)  },  // dummy ATS (pseudo-ATR), answer to RATS
+               { .response = response7_NTAG,  .response_n = sizeof(response7_NTAG)  },  // EV1/NTAG GET_VERSION response
+               { .response = response8,   .response_n = sizeof(response8) },  // EV1/NTAG PACK response
+               { .response = response9,   .response_n = sizeof(response9) }  // EV1/NTAG CHK_TEAR response
        };
 
        // Allocate 512 bytes for the dynamic modulation, created when the reader queries for it
@@ -1126,10 +1152,74 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                } else if(receivedCmd[1] == 0x70 && receivedCmd[0] == 0x95) {   // Received a SELECT (cascade 2)
                        p_response = &responses[4]; order = 30;
                } else if(receivedCmd[0] == 0x30) {     // Received a (plain) READ
-                       EmSendCmdEx(data+(4*receivedCmd[1]),16,false);
-                       // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
-                       // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+                       uint8_t block = receivedCmd[1];
+                       if ( tagType == 7 ) {
+                               uint8_t start = 4 * block;
+                               
+                               if ( block < 4 ) {
+                                   //NTAG 215
+                                       uint8_t blockdata[50] = {
+                                       data[0],data[1],data[2], 0x88 ^ data[0] ^ data[1] ^ data[2],
+                                       data[3],data[4],data[5],data[6],
+                                       data[3] ^ data[4] ^ data[5] ^ data[6],0x48,0x0f,0xe0,
+                                       0xe1,0x10,0x12,0x00,
+                                       0x03,0x00,0xfe,0x00, 
+                                       0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+                                       0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+                                       0x00,0x00,0x00,0x00,
+                                       0x00,0x00};
+                                       AppendCrc14443a(blockdata+start, 16);
+                                       EmSendCmdEx( blockdata+start, MAX_MIFARE_FRAME_SIZE, false);
+                               } else {        
+                                       uint8_t emdata[MAX_MIFARE_FRAME_SIZE];
+                                       emlGetMemBt( emdata, start, 16);
+                                       AppendCrc14443a(emdata, 16);
+                                       EmSendCmdEx(emdata, sizeof(emdata), false);                             
+                               }
+                               p_response = NULL;
+                               
+                       } else {                        
+                               EmSendCmdEx(data+(4*block),16,false);
+                               // Dbprintf("Read request from reader: %x %x",receivedCmd[0],receivedCmd[1]);
+                               // We already responded, do not send anything with the EmSendCmd14443aRaw() that is called below
+                               p_response = NULL;
+                       }
+               } else if(receivedCmd[0] == 0x3A) {     // Received a FAST READ (ranged read) -- just returns all zeros.
+                               
+                               uint8_t emdata[MAX_FRAME_SIZE];
+                               int start =  receivedCmd[1] * 4;
+                               int len   = (receivedCmd[2] - receivedCmd[1] + 1) * 4;
+                               emlGetMemBt( emdata, start, len);
+                               AppendCrc14443a(emdata, len);
+                               EmSendCmdEx(emdata, len+2, false);                              
+                               p_response = NULL;
+                               
+               } else if(receivedCmd[0] == 0x3C && tagType == 7) {     // Received a READ SIGNATURE -- 
+                               // ECC data,  taken from a NTAG215 amiibo token. might work. LEN: 32, + 2 crc
+                               uint8_t data[] = {0x56,0x06,0xa6,0x4f,0x43,0x32,0x53,0x6f,
+                                                                 0x43,0xda,0x45,0xd6,0x61,0x38,0xaa,0x1e,
+                                                                 0xcf,0xd3,0x61,0x36,0xca,0x5f,0xbb,0x05,
+                                                                 0xce,0x21,0x24,0x5b,0xa6,0x7a,0x79,0x07,
+                                                                 0x00,0x00};
+                               AppendCrc14443a(data, sizeof(data)-2);
+                               EmSendCmdEx(data,sizeof(data),false);
+                               p_response = NULL;                                      
+               } else if(receivedCmd[0] == 0x39 && tagType == 7) {     // Received a READ COUNTER -- 
+                               uint8_t data[] =  {0x00,0x00,0x00,0x14,0xa5};
+                               EmSendCmdEx(data,sizeof(data),false);                           
+                               p_response = NULL;
+               } else if(receivedCmd[0] == 0xA5 && tagType == 7) {     // Received a INC COUNTER -- 
+                       // number of counter
+                       //uint8_t counter = receivedCmd[1];
+                       //uint32_t val = bytes_to_num(receivedCmd+2,4);
+                       
+                       // send ACK
+                       uint8_t ack[] = {0x0a};
+                       EmSendCmdEx(ack,sizeof(ack),false);
                        p_response = NULL;
+                       
+               } else if(receivedCmd[0] == 0x3E && tagType == 7) {     // Received a CHECK_TEARING_EVENT -- 
+                               p_response = &responses[9];                             
                } else if(receivedCmd[0] == 0x50) {     // Received a HALT
 
                        if (tracing) {
@@ -1137,7 +1227,12 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                        }
                        p_response = NULL;
                } else if(receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61) {   // Received an authentication request
-                       p_response = &responses[5]; order = 7;
+                                       
+                       if ( tagType == 7 ) {   // IF NTAG /EV1  0x60 == GET_VERSION, not a authentication request.
+                               p_response = &responses[7];
+                       } else {
+                               p_response = &responses[5]; order = 7;
+                       }
                } else if(receivedCmd[0] == 0xE0) {     // Received a RATS request
                        if (tagType == 1 || tagType == 2) {     // RATS not supported
                                EmSend4bit(CARD_NACK_NA);
@@ -1186,10 +1281,21 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
                                        cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,len,0,&ar_nr_responses,len);
                                        ar_nr_collected = 0;
                                        memset(ar_nr_responses, 0x00, len);
-                                       Dbprintf("ICE");
                                }
                        }
-               } else {
+               } else if (receivedCmd[0] == 0x1a ) // ULC authentication
+               {
+                       
+               }
+               else if (receivedCmd[0] == 0x1b) // NTAG / EV-1 authentication
+               {
+                       if ( tagType == 7 ) {
+                               p_response =  &responses[8]; // PACK response
+                               uint32_t pwd = bytes_to_num(receivedCmd+1,4);
+                               Dbprintf("Auth attempt: %08x", pwd);    
+                       }
+               }
+               else {
                        // Check for ISO 14443A-4 compliant commands, look at left nibble
                        switch (receivedCmd[0]) {
 
@@ -1293,10 +1399,12 @@ void SimulateIso14443aTag(int tagType, int flags, int uid_2nd, byte_t* data)
        }
 
        FpgaWriteConfWord(FPGA_MAJOR_MODE_OFF);
-       
-       Dbprintf("%x %x %x", happened, happened2, cmdsRecvd);
-       LED_A_OFF();
        BigBuf_free_keep_EM();
+       LED_A_OFF();
+       
+       Dbprintf("-[ Wake ups after halt [%d]", happened);
+       Dbprintf("-[ Messages after halt [%d]", happened2);
+       Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
 }
 
 
@@ -1577,9 +1685,7 @@ static int EmSendCmd14443aRaw(uint8_t *resp, uint16_t respLen, bool correctionNe
                        FpgaSendQueueDelay = (uint8_t)AT91C_BASE_SSC->SSC_RHR;
                }
        
-               if(BUTTON_PRESS()) {
-                       break;
-               }
+               if(BUTTON_PRESS()) break;
        }
 
        // Ensure that the FPGA Delay Queue is empty before we switch to TAGSIM_LISTEN again:
@@ -2311,7 +2417,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        uint8_t cardWRBL = 0;
        uint8_t cardAUTHSC = 0;
        uint8_t cardAUTHKEY = 0xff;  // no authentication
-       uint32_t cardRr = 0;
+//     uint32_t cardRr = 0;
        uint32_t cuid = 0;
        //uint32_t rn_enc = 0;
        uint32_t ans = 0;
@@ -2329,16 +2435,17 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        uint8_t rATQA[] = {0x04, 0x00}; // Mifare classic 1k 4BUID
        uint8_t rUIDBCC1[] = {0xde, 0xad, 0xbe, 0xaf, 0x62};
        uint8_t rUIDBCC2[] = {0xde, 0xad, 0xbe, 0xaf, 0x62}; // !!!
-       uint8_t rSAK[] = {0x08, 0xb6, 0xdd};
+       //uint8_t rSAK[] = {0x08, 0xb6, 0xdd}; // Mifare Classic
+       uint8_t rSAK[] = {0x09, 0x3f, 0xcc };  // Mifare Mini 
        uint8_t rSAK1[] = {0x04, 0xda, 0x17};
 
-       uint8_t rAUTH_NT[] = {0x01, 0x02, 0x03, 0x04};
+       uint8_t rAUTH_NT[] = {0x01, 0x01, 0x01, 0x01};
        uint8_t rAUTH_AT[] = {0x00, 0x00, 0x00, 0x00};
                
        //Here, we collect UID,NT,AR,NR,UID2,NT2,AR2,NR2
        // This can be used in a reader-only attack.
        // (it can also be retrieved via 'hf 14a list', but hey...
-       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0};
+       uint32_t ar_nr_responses[] = {0,0,0,0,0,0,0,0,0,0};
        uint8_t ar_nr_collected = 0;
 
        // free eventually allocated BigBuf memory but keep Emulator Memory
@@ -2377,6 +2484,11 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
+       // save uid.
+       ar_nr_responses[0*5]   = bytes_to_num(rUIDBCC1+1, 3);
+       if ( _7BUID )
+               ar_nr_responses[0*5+1] = bytes_to_num(rUIDBCC2, 4);
+
        /*
         * Regardless of what method was used to set the UID, set fifth byte and modify
         * the ATQA for 4 or 7-byte UID
@@ -2419,7 +2531,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                if(cardSTATE == MFEMUL_NOFIELD) continue;
 
                //Now, get data
-
                res = EmGetCmd(receivedCmd, &len, receivedCmd_par);
                if (res == 2) { //Field is off!
                        cardSTATE = MFEMUL_NOFIELD;
@@ -2490,39 +2601,42 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                uint32_t nr = bytes_to_num(&receivedCmd[4], 4);
 
                                //Collect AR/NR
-                               if(ar_nr_collected < 2 && cardAUTHSC == 2){
+                               //if(ar_nr_collected < 2 && cardAUTHSC == 2){
+                               if(ar_nr_collected < 2){
                                        if(ar_nr_responses[2] != ar)
                                        {// Avoid duplicates... probably not necessary, ar should vary. 
-                                               ar_nr_responses[ar_nr_collected*4] = cuid;
-                                               ar_nr_responses[ar_nr_collected*4+1] = nonce;
-                                               ar_nr_responses[ar_nr_collected*4+2] = ar;
-                                               ar_nr_responses[ar_nr_collected*4+3] = nr;
+                                               //ar_nr_responses[ar_nr_collected*5]   = 0;
+                                               //ar_nr_responses[ar_nr_collected*5+1] = 0;
+                                               ar_nr_responses[ar_nr_collected*5+2] = nonce;
+                                               ar_nr_responses[ar_nr_collected*5+3] = nr;
+                                               ar_nr_responses[ar_nr_collected*5+4] = ar;
                                                ar_nr_collected++;
                                        }                                               
                                        // Interactive mode flag, means we need to send ACK
                                        if(flags & FLAG_INTERACTIVE && ar_nr_collected == 2)
                                        {
                                                finished = true;
-                               }
+                                       }
                                }
 
                                // --- crypto
-                               crypto1_word(pcs, ar , 1);
-                               cardRr = nr ^ crypto1_word(pcs, 0, 0);
-
-                               // test if auth OK
-                               if (cardRr != prng_successor(nonce, 64)){
-                                       if (MF_DBGLEVEL >= 2) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
-                                                       cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
-                                                       cardRr, prng_successor(nonce, 64));
+                               //crypto1_word(pcs, ar , 1);
+                               //cardRr = nr ^ crypto1_word(pcs, 0, 0);
+
+                               //test if auth OK
+                               //if (cardRr != prng_successor(nonce, 64)){
+                                       
+                                       //if (MF_DBGLEVEL >= 4) Dbprintf("AUTH FAILED for sector %d with key %c. cardRr=%08x, succ=%08x",
+                                       //      cardAUTHSC, cardAUTHKEY == 0 ? 'A' : 'B',
+                                       //              cardRr, prng_successor(nonce, 64));
                                        // Shouldn't we respond anything here?
                                        // Right now, we don't nack or anything, which causes the
                                        // reader to do a WUPA after a while. /Martin
                                        // -- which is the correct response. /piwi
-                                       cardSTATE_TO_IDLE();
-                                       LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
-                                       break;
-                               }
+                                       //cardSTATE_TO_IDLE();
+                                       //LogTrace(Uart.output, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
+                                       //break;
+                               //}
 
                                ans = prng_successor(nonce, 96) ^ crypto1_word(pcs, 0, 0);
 
@@ -2630,13 +2744,13 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                                || receivedCmd[0] == 0xB0) { // transfer
                                        if (receivedCmd[1] >= 16 * 4) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                                break;
                                        }
 
                                        if (receivedCmd[1] / 4 != cardAUTHSC) {
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate (0x%02) on block (0x%02x) not authenticated for (0x%02x), nacking",receivedCmd[0],receivedCmd[1],cardAUTHSC);
                                                break;
                                        }
                                }
@@ -2668,7 +2782,7 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                if (receivedCmd[0] == 0xC0 || receivedCmd[0] == 0xC1 || receivedCmd[0] == 0xC2) {
                                        if (MF_DBGLEVEL >= 4) Dbprintf("RECV 0x%02x inc(0xC1)/dec(0xC0)/restore(0xC2) block %d (%02x)",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
                                        if (emlCheckValBl(receivedCmd[1])) {
-                                               if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
+                                               if (MF_DBGLEVEL >= 4) Dbprintf("Reader tried to operate on block, but emlCheckValBl failed, nacking");
                                                EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
                                                break;
                                        }
@@ -2770,35 +2884,37 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        if(flags & FLAG_INTERACTIVE)// Interactive mode flag, means we need to send ACK
        {
                //May just aswell send the collected ar_nr in the response aswell
-               cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,1,0,&ar_nr_responses,ar_nr_collected*4*4);
+               uint8_t len = ar_nr_collected*5*4;
+               cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
        }
 
        if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1 )
        {
                if(ar_nr_collected > 1 ) {
                        Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
-                       Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
-                                       ar_nr_responses[0], // UID
-                                       ar_nr_responses[1], // NT
-                                       ar_nr_responses[2], // AR1
-                                       ar_nr_responses[3], // NR1
-                                       ar_nr_responses[6], // AR2
-                                       ar_nr_responses[7]  // NR2
+                       Dbprintf("../tools/mfkey/mfkey32 %06x%08x %08x %08x %08x %08x %08x",
+                                       ar_nr_responses[0], // UID1
+                                       ar_nr_responses[1], // UID2
+                                       ar_nr_responses[2], // NT
+                                       ar_nr_responses[3], // AR1
+                                       ar_nr_responses[4], // NR1
+                                       ar_nr_responses[8], // AR2
+                                       ar_nr_responses[9]  // NR2
                                        );
                } else {
                        Dbprintf("Failed to obtain two AR/NR pairs!");
                        if(ar_nr_collected > 0 ) {
-                               Dbprintf("Only got these: UID=%08x, nonce=%08x, AR1=%08x, NR1=%08x",
-                                               ar_nr_responses[0], // UID
-                                               ar_nr_responses[1], // NT
-                                               ar_nr_responses[2], // AR1
-                                               ar_nr_responses[3]  // NR1
+                               Dbprintf("Only got these: UID=%07x%08x, nonce=%08x, AR1=%08x, NR1=%08x",
+                                               ar_nr_responses[0], // UID1
+                                               ar_nr_responses[1], // UID2
+                                               ar_nr_responses[2], // NT
+                                               ar_nr_responses[3], // AR1
+                                               ar_nr_responses[4]  // NR1
                                                );
                        }
                }
        }
-       if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ",    tracing, BigBuf_get_traceLen());
-       
+       if (MF_DBGLEVEL >= 1)   Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
 }
 
 
@@ -2919,7 +3035,8 @@ void RAMFUNC SniffMifare(uint8_t param) {
                                        if (MfSniffLogic(receivedCmd, Uart.len, Uart.parity, Uart.bitCount, TRUE)) break;
 
                                        /* And ready to receive another command. */
-                                       UartInit(receivedCmd, receivedCmdPar);
+                                       //UartInit(receivedCmd, receivedCmdPar);
+                                       UartReset();
                                        
                                        /* And also reset the demod code */
                                        DemodReset();
Impressum, Datenschutz