//-----------------------------------------------------------------------------\r
\r
#include "cmdhfmf.h"\r
-#include "cmdhfmfhard.h"\r
-#include "nonce2key/nonce2key.h"\r
\r
static int CmdHelp(const char *Cmd);\r
int usage_hf14_mifare(void){\r
- PrintAndLog("Usage: hf mf mifare [h] <block number>");\r
+ PrintAndLog("Usage: hf mf mifare [h] <block number> <A|B>");\r
PrintAndLog("options:");\r
- PrintAndLog(" h this help");\r
- PrintAndLog(" <block number> (Optional) target other key A than block 0.");\r
+ PrintAndLog(" h this help");\r
+ PrintAndLog(" <block number> (Optional) target other block");\r
+ PrintAndLog(" <A|B> (optional) target key type");\r
PrintAndLog("samples:");\r
PrintAndLog(" hf mf mifare");\r
PrintAndLog(" hf mf mifare 16");\r
+ PrintAndLog(" hf mf mifare 16 B");\r
return 0;\r
}\r
int usage_hf14_mf1ksim(void){\r
- PrintAndLog("Usage: hf mf sim [h] u <uid (8,14,20 hex symbols)> n <numreads> i x");\r
+ PrintAndLog("Usage: hf mf sim [h] u <uid> n <numreads> [i] [x] [e] [v]");\r
PrintAndLog("options:");\r
PrintAndLog(" h this help");\r
PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used");\r
PrintAndLog(" n (Optional) Automatically exit simulation after <numreads> blocks have been read by reader. 0 = infinite");\r
PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted");\r
- PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)");\r
+ PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a reader");\r
+ PrintAndLog(" e (Optional) Fill simulator keys from found keys");\r
+ PrintAndLog(" v (Optional) Verbose");\r
PrintAndLog("samples:");\r
PrintAndLog(" hf mf sim u 0a0a0a0a");\r
PrintAndLog(" hf mf sim u 11223344556677");\r
PrintAndLog(" hf mf sim u 112233445566778899AA"); \r
+ PrintAndLog(" hf mf sim u 11223344 i x"); \r
return 0;\r
}\r
int usage_hf14_dbg(void){\r
PrintAndLog("Usage: hf mf chk <block number>|<*card memory> <key type (A/B/?)> [t|d] [<key (12 hex symbols)>] [<dic (*.dic)>]");\r
PrintAndLog("options:");\r
PrintAndLog(" h this help"); \r
- PrintAndLog(" * all sectors");\r
- PrintAndLog(" card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, <other> - 1K");\r
+ PrintAndLog(" * all sectors based on card memory, other values then below defaults to 1k");\r
+ PrintAndLog(" 0 - MINI(320 bytes)");\r
+ PrintAndLog(" 1 - 1K");\r
+ PrintAndLog(" 2 - 2K");\r
+ PrintAndLog(" 4 - 4K");\r
PrintAndLog(" d write keys to binary file");\r
PrintAndLog(" t write keys to emulator memory\n");\r
PrintAndLog(" ");\r
PrintAndLog("samples:");\r
- PrintAndLog(" hf mf chk 0 A 1234567890ab keys.dic");\r
- PrintAndLog(" hf mf chk *1 ? t");\r
- PrintAndLog(" hf mf chk *1 ? d");\r
+ PrintAndLog(" hf mf chk 0 A 1234567890ab keys.dic -- target block 0, Key A");\r
+ PrintAndLog(" hf mf chk *1 ? t -- target all blocks, all keys, 1K, write to emul");\r
+ PrintAndLog(" hf mf chk *1 ? d -- target all blocks, all keys, 1K, write to file");\r
+ return 0;\r
+}\r
+int usage_hf14_keybrute(void){\r
+ PrintAndLog("J_Run's 2nd phase of multiple sector nested authentication key recovery");\r
+ PrintAndLog("You have a known 4 last bytes of a key recovered with mf_nonce_brute tool.");\r
+ PrintAndLog("First 2 bytes of key will be bruteforced");\r
+ PrintAndLog("");\r
+ PrintAndLog("Usage: hf mf keybrute [h] <block number> <A|B> <key>");\r
+ PrintAndLog("options:");\r
+ PrintAndLog(" h this help");\r
+ PrintAndLog(" <block number> target block number");\r
+ PrintAndLog(" <A|B> target key type");\r
+ PrintAndLog(" <key> candidate key from mf_nonce_brute tool");\r
+ PrintAndLog("samples:");\r
+ PrintAndLog(" hf mf keybrute 1 A 000011223344");\r
return 0;\r
}\r
\r
uint64_t par_list = 0, ks_list = 0, r_key = 0;\r
int16_t isOK = 0;\r
int tmpchar; \r
- uint8_t blockNo = 0;\r
+ uint8_t blockNo = 0, keytype = MIFARE_AUTH_KEYA;\r
\r
char cmdp = param_getchar(Cmd, 0); \r
if ( cmdp == 'H' || cmdp == 'h') return usage_hf14_mifare();\r
\r
- blockNo = param_get8(Cmd, 0);\r
- UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}};\r
+ blockNo = param_get8(Cmd, 0); \r
+ \r
+ cmdp = param_getchar(Cmd, 1);\r
+ if (cmdp == 'B' || cmdp == 'b')\r
+ keytype = MIFARE_AUTH_KEYB;\r
+ \r
+ UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, keytype}};\r
\r
// message\r
printf("-------------------------------------------------------------------------\n");\r
}\r
} \r
printf("\n");\r
+ // error\r
+ if (isOK != 1) return 1;\r
\r
- // par == 0\r
- if (isOK == -1 && par_list == 0) {\r
- if (!nonce2key_ex(uid, nt, nr, ks_list, &r_key) ){\r
- PrintAndLog("Found valid key: %012"llx" \n", r_key);\r
+ if (par_list == 0 && ks_list != 0) {\r
+ // this special attack when parities is zero, uses checkkeys. Which now with block/keytype option also needs. \r
+ // but it uses 0|1 instead of 0x60|0x61...\r
+ if (nonce2key_ex(blockNo, keytype - 0x60 , uid, nt, nr, ks_list, &r_key) ){\r
+ PrintAndLog("Trying again with a different reader nonce...");\r
+ c.arg[0] = false;\r
+ goto start;\r
+ } else {\r
+ PrintAndLog("Found valid key: %012" PRIx64 " \n", r_key);\r
goto END;\r
}\r
}\r
- \r
- // error\r
- if (isOK != 1) return 1;\r
- \r
+\r
// execute original function from util nonce2key\r
if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {\r
isOK = 2;\r
c.arg[0] = false;\r
goto start;\r
} else {\r
- PrintAndLog("Found valid key: %012"llx" \n", r_key);\r
+ \r
+ // nonce2key found a candidate key. Lets verify it.\r
+ uint8_t keyblock[] = {0,0,0,0,0,0};\r
+ num_to_bytes(r_key, 6, keyblock);\r
+ uint64_t key64 = 0;\r
+ int res = mfCheckKeys(blockNo, keytype - 0x60 , false, 1, keyblock, &key64);\r
+ if ( res > 0 ) {\r
+ PrintAndLog("Candidate Key found (%012" PRIx64 ") - Test authentication failed. [%d] Restarting darkside attack", r_key, res); \r
+ goto start;\r
+ }\r
+ PrintAndLog("Found valid key: %012" PRIx64 " \n", r_key);\r
}\r
END:\r
t1 = clock() - t1;\r
uint8_t blockNo = 0;\r
uint8_t keyType = 0;\r
uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
- \r
- char cmdp = 0x00;\r
-\r
+ char cmdp = 0x00;\r
\r
if (strlen(Cmd)<3) {\r
PrintAndLog("Usage: hf mf rdbl <block number> <key A/B> <key (12 hex symbols)>");\r
size_t bytes_read;\r
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
bytes_read = fread( keyA[sectorNo], 1, 6, fin );\r
- if ( bytes_read == 0) {\r
+ if ( bytes_read != 6) {\r
PrintAndLog("File reading error.");\r
fclose(fin);\r
return 2;\r
// Read keys B from file\r
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {\r
bytes_read = fread( keyB[sectorNo], 1, 6, fin );\r
- if ( bytes_read == 0) {\r
+ if ( bytes_read != 6) {\r
PrintAndLog("File reading error.");\r
fclose(fin);\r
return 2;\r
}\r
\r
fclose(fin);\r
-\r
+ \r
PrintAndLog("|-----------------------------------------|");\r
PrintAndLog("|------ Reading sector access bits...-----|");\r
PrintAndLog("|-----------------------------------------|");\r
- \r
+ uint8_t tries = 0;\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
+ for (tries = 0; tries < 3; tries++) { \r
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};\r
memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
clearCommandBuffer();\r
rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1\r
rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2\r
rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer\r
- } else {\r
+ break;\r
+ } else if (tries == 2) { // on last try set defaults\r
PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);\r
rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;\r
rights[sectorNo][3] = 0x01;\r
rights[sectorNo][3] = 0x01;\r
}\r
}\r
+ }\r
\r
PrintAndLog("|-----------------------------------------|");\r
PrintAndLog("|----- Dumping all blocks to file... -----|");\r
for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {\r
for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {\r
bool received = false;\r
- \r
+ for (tries = 0; tries < 3; tries++) { \r
if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A. \r
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
} else if (rights[sectorNo][data_area] == 0x07) { // no key would work\r
isOK = false;\r
PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);\r
+ tries = 2;\r
} else { // key A would work\r
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};\r
memcpy(c.d.asBytes, keyA[sectorNo], 6);\r
clearCommandBuffer();\r
SendCommand(&c);\r
received = WaitForResponseTimeout(CMD_ACK,&resp,1500);\r
+ }\r
+ }\r
+ if (received) {\r
+ isOK = resp.arg[0] & 0xff;\r
+ if (isOK) break;\r
}\r
}\r
\r
size_t bytes_read;\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
bytes_read = fread( keyA[sectorNo], 1, 6, fkeys );\r
- if ( bytes_read == 0) {\r
+ if ( bytes_read != 6) {\r
PrintAndLog("File reading error (dumpkeys.bin).");\r
fclose(fkeys);\r
return 2;\r
\r
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {\r
bytes_read = fread( keyB[sectorNo], 1, 6, fkeys );\r
- if ( bytes_read == 0) {\r
+ if ( bytes_read != 6) {\r
PrintAndLog("File reading error (dumpkeys.bin).");\r
fclose(fkeys);\r
return 2;\r
UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};\r
memcpy(c.d.asBytes, key, 6); \r
bytes_read = fread(bldata, 1, 16, fdump);\r
- if ( bytes_read == 0) {\r
+ if ( bytes_read != 16) {\r
PrintAndLog("File reading error (dumpdata.bin).");\r
fclose(fdump);\r
+ fdump = NULL; \r
return 2;\r
}\r
\r
switch (isOK) {\r
case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
- case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random number generator is not predictable).\n"); break;\r
case -4 : PrintAndLog("No valid key found"); break;\r
case -5 : \r
key64 = bytes_to_num(keyBlock, 6);\r
trgBlockNo, \r
trgKeyType?'B':'A', \r
trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],\r
- know_target_key?"":" (not set)",\r
- nonce_file_write?"write":nonce_file_read?"read":"none",\r
- slow?"Yes":"No",\r
+ know_target_key ? "" : " (not set)",\r
+ nonce_file_write ? "write": nonce_file_read ? "read" : "none",\r
+ slow ? "Yes" : "No",\r
tests);\r
\r
- int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);\r
+ uint64_t foundkey = 0;\r
+ int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key ? trgkey : NULL, nonce_file_read, nonce_file_write, slow, tests, &foundkey);\r
\r
if (isOK) {\r
switch (isOK) {\r
}\r
memset(keyBlock + 6 * keycnt, 0, 6);\r
num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);\r
- PrintAndLog("check key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
+ PrintAndLog("check key[%2d] %012" PRIx64, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));\r
keycnt++;\r
memset(buf, 0, sizeof(buf));\r
}\r
if (e_sector[i].foundKey[trgKeyType]) continue;\r
\r
for (uint32_t c = 0; c < keycnt; c += max_keys) {\r
- \r
+ printf(".");\r
+ fflush(stdout); \r
uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;\r
\r
res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64);\r
e_sector[i].foundKey[trgKeyType] = TRUE;\r
break;\r
}\r
- printf(".");\r
- fflush(stdout);\r
}\r
b < 127 ? ( b +=4 ) : ( b += 16 ); \r
}\r
return 0;\r
}\r
\r
+sector *k_sector = NULL;\r
+uint8_t k_sectorsCount = 16;\r
+static void emptySectorTable(){\r
+\r
+ // initialize storage for found keys\r
+ if (k_sector == NULL)\r
+ k_sector = calloc(k_sectorsCount, sizeof(sector));\r
+ if (k_sector == NULL) \r
+ return;\r
+ \r
+ // empty e_sector\r
+ for(int i = 0; i < k_sectorsCount; ++i){\r
+ k_sector[i].Key[0] = 0xffffffffffff;\r
+ k_sector[i].Key[1] = 0xffffffffffff;\r
+ k_sector[i].foundKey[0] = FALSE;\r
+ k_sector[i].foundKey[1] = FALSE;\r
+ }\r
+}\r
+void showSectorTable(){\r
+ if (k_sector != NULL) {\r
+ printKeyTable(k_sectorsCount, k_sector);\r
+ free(k_sector);\r
+ k_sector = NULL;\r
+ }\r
+}\r
+void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose) {\r
+\r
+ uint64_t key = 0; \r
+ bool success = FALSE;\r
+ \r
+ if (k_sector == NULL)\r
+ emptySectorTable();\r
+\r
+ success = tryMfk32_moebius(data, &key, verbose);\r
+ if (success) {\r
+ uint8_t sector = data.sector;\r
+ uint8_t keytype = data.keytype;\r
+\r
+ PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012" PRIx64 "]"\r
+ , keytype ? "B" : "A"\r
+ , sector\r
+ , key\r
+ );\r
+\r
+ k_sector[sector].Key[keytype] = key;\r
+ k_sector[sector].foundKey[keytype] = TRUE;\r
+\r
+ //set emulator memory for keys\r
+ if (setEmulatorMem) {\r
+ uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
+ num_to_bytes( k_sector[sector].Key[0], 6, memBlock);\r
+ num_to_bytes( k_sector[sector].Key[1], 6, memBlock+10);\r
+ //iceman, guessing this will not work so well for 4K tags.\r
+ PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
+ , (sector*4) + 3\r
+ , sprint_hex( memBlock, sizeof(memBlock))\r
+ );\r
+ mfEmlSetMem( memBlock, (sector*4) + 3, 1);\r
+ }\r
+ }\r
+}\r
+\r
int CmdHF14AMf1kSim(const char *Cmd) {\r
+\r
uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\r
uint8_t exitAfterNReads = 0;\r
uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);\r
int uidlen = 0;\r
- uint8_t pnr = 0;\r
- uint8_t cmdp = param_getchar(Cmd, 0);\r
-\r
- if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim();\r
-\r
- cmdp = param_getchar(Cmd, pnr);\r
- if (cmdp == 'u' || cmdp == 'U') {\r
- param_gethex_ex(Cmd, pnr+1, uid, &uidlen);\r
- switch(uidlen){\r
- case 20: flags = FLAG_10B_UID_IN_DATA; break;\r
- case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
- case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
- default: return usage_hf14_mf1ksim();\r
+ uint8_t cmdp = 0;\r
+ bool errors = FALSE;\r
+ bool verbose = FALSE;\r
+ bool setEmulatorMem = FALSE;\r
+ nonces_t data[1];\r
+ \r
+ while(param_getchar(Cmd, cmdp) != 0x00) {\r
+ switch(param_getchar(Cmd, cmdp)) {\r
+ case 'e':\r
+ case 'E':\r
+ setEmulatorMem = TRUE;\r
+ cmdp++;\r
+ break;\r
+ case 'h':\r
+ case 'H':\r
+ return usage_hf14_mf1ksim();\r
+ case 'i':\r
+ case 'I':\r
+ flags |= FLAG_INTERACTIVE;\r
+ cmdp++;\r
+ break;\r
+ case 'n':\r
+ case 'N':\r
+ exitAfterNReads = param_get8(Cmd, cmdp+1);\r
+ cmdp += 2;\r
+ break;\r
+ case 'u':\r
+ case 'U':\r
+ param_gethex_ex(Cmd, cmdp+1, uid, &uidlen);\r
+ switch(uidlen) {\r
+ case 20: flags = FLAG_10B_UID_IN_DATA; break;\r
+ case 14: flags = FLAG_7B_UID_IN_DATA; break;\r
+ case 8: flags = FLAG_4B_UID_IN_DATA; break;\r
+ default: return usage_hf14_mf1ksim();\r
+ }\r
+ cmdp += 2;\r
+ break;\r
+ case 'v':\r
+ case 'V':\r
+ verbose = TRUE;\r
+ cmdp++;\r
+ break;\r
+ case 'x':\r
+ case 'X':\r
+ flags |= FLAG_NR_AR_ATTACK;\r
+ cmdp++;\r
+ break;\r
+ default:\r
+ PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
+ errors = TRUE;\r
+ break;\r
}\r
- pnr +=2;\r
- }\r
-\r
- cmdp = param_getchar(Cmd, pnr); \r
- if (cmdp == 'n' || cmdp == 'N') {\r
- exitAfterNReads = param_get8(Cmd, pnr+1);\r
- pnr += 2;\r
- }\r
-\r
- cmdp = param_getchar(Cmd, pnr); \r
- if (cmdp == 'i' || cmdp == 'I' ) {\r
- flags |= FLAG_INTERACTIVE;\r
- pnr++;\r
- }\r
-\r
- cmdp = param_getchar(Cmd, pnr); \r
- if (cmdp == 'x' || cmdp == 'X') {\r
- flags |= FLAG_NR_AR_ATTACK;\r
+ if(errors) break;\r
}\r
+ //Validations\r
+ if(errors) return usage_hf14_mf1ksim();\r
\r
PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) "\r
, (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen>>1)\r
memcpy(c.d.asBytes, uid, sizeof(uid));\r
clearCommandBuffer();\r
SendCommand(&c);\r
+ UsbCommand resp; \r
\r
- if(flags & FLAG_INTERACTIVE) { \r
- uint8_t data[32];\r
- uint64_t key;\r
- UsbCommand resp; \r
+ if(flags & FLAG_INTERACTIVE) {\r
PrintAndLog("Press pm3-button or send another cmd to abort simulation");\r
+\r
while( !ukbhit() ){\r
if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;\r
-\r
if ( !(flags & FLAG_NR_AR_ATTACK) ) break;\r
if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;\r
\r
- memset(data, 0x00, sizeof(data)); \r
- int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
-\r
- memcpy(data, resp.d.asBytes, len); \r
- key = 0;\r
- bool found = tryMfk32(data, &key);\r
- found ^= tryMfk32_moebius(data, &key);\r
- if ( found ) break;\r
+ memcpy(data, resp.d.asBytes, sizeof(data));\r
+ readerAttack(data[0], setEmulatorMem, verbose);\r
}\r
+ showSectorTable();\r
}\r
return 0;\r
}\r
\r
if (res == 1) { // there is (more) data to be transferred\r
if (pckNum == 0) { // first packet, (re)allocate necessary buffer\r
- if (traceLen > bufsize) {\r
+ if (traceLen > bufsize || buf == NULL) {\r
uint8_t *p;\r
if (buf == NULL) // not yet allocated\r
p = malloc(traceLen);\r
int CmdHF14AMfDbg(const char *Cmd) {\r
\r
char ctmp = param_getchar(Cmd, 0);\r
- if (strlen(Cmd) < 1 || ctmp == 'h'|| ctmp == 'H') return usage_hf14_dbg();\r
+ if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_hf14_dbg();\r
\r
uint8_t dbgMode = param_get8ex(Cmd, 0, 0, 10);\r
if (dbgMode > 4) return usage_hf14_dbg();\r
return 0;\r
}\r
\r
+int CmdHF14AMfKeyBrute(const char *Cmd) {\r
+\r
+ uint8_t blockNo = 0, keytype = 0;\r
+ uint8_t key[6] = {0, 0, 0, 0, 0, 0};\r
+ uint64_t foundkey = 0;\r
+ \r
+ char cmdp = param_getchar(Cmd, 0); \r
+ if ( cmdp == 'H' || cmdp == 'h') return usage_hf14_keybrute();\r
+ \r
+ // block number\r
+ blockNo = param_get8(Cmd, 0); \r
+ \r
+ // keytype\r
+ cmdp = param_getchar(Cmd, 1);\r
+ if (cmdp == 'B' || cmdp == 'b') keytype = 1;\r
+ \r
+ // key\r
+ if (param_gethex(Cmd, 2, key, 12)) return usage_hf14_keybrute();\r
+ \r
+ clock_t t1 = clock();\r
+ time_t start, end;\r
+ time(&start);\r
+ \r
+ if (mfKeyBrute( blockNo, keytype, key, &foundkey))\r
+ PrintAndLog("Found valid key: %012" PRIx64 " \n", foundkey);\r
+ else\r
+ PrintAndLog("Key not found");\r
+ \r
+ t1 = clock() - t1;\r
+ time(&end);\r
+ unsigned long elapsed_time = difftime(end, start); \r
+ if ( t1 > 0 )\r
+ PrintAndLog("\nTime in keybrute: %.0f ticks %u seconds\n", (float)t1, elapsed_time);\r
+ \r
+ return 0; \r
+}\r
+\r
void printKeyTable( uint8_t sectorscnt, sector *e_sector ){\r
PrintAndLog("|---|----------------|---|----------------|---|");\r
PrintAndLog("|sec|key A |res|key B |res|");\r
PrintAndLog("|---|----------------|---|----------------|---|");\r
for (uint8_t i = 0; i < sectorscnt; ++i) {\r
- PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,\r
+ PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,\r
e_sector[i].Key[0], e_sector[i].foundKey[0], \r
e_sector[i].Key[1], e_sector[i].foundKey[1]\r
);\r
}\r
\r
// EMULATOR COMMANDS\r
-\r
int CmdHF14AMfEGet(const char *Cmd)\r
{\r
uint8_t blockNo = 0;\r
\r
blockNo = param_get8(Cmd, 0);\r
\r
- PrintAndLog(" ");\r
+ PrintAndLog("");\r
if (!mfEmlGetMem(data, blockNo, 1)) {\r
PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16));\r
} else {\r
{\r
uint8_t memBlock[16];\r
uint8_t blockNo = 0;\r
-\r
memset(memBlock, 0x00, sizeof(memBlock));\r
\r
if (strlen(Cmd) < 3 || param_getchar(Cmd, 0) == 'h') {\r
}\r
keyA = bytes_to_num(data, 6);\r
keyB = bytes_to_num(data + 10, 6);\r
- PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB);\r
+ PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB);\r
}\r
PrintAndLog("|---|----------------|----------------|");\r
\r
{"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
{"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
{"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
- {"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
- {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
- {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},\r
+ {"chk", CmdHF14AMfChk, 0, "Check keys"},\r
+ {"mifare", CmdHF14AMifare, 0, "Darkside attack. read parity error messages."},\r
+ {"nested", CmdHF14AMfNested, 0, "Nested attack. Test nested authentication"},\r
{"hardnested", CmdHF14AMfNestedHard, 0, "Nested attack for hardened Mifare cards"},\r
+ {"keybrute", CmdHF14AMfKeyBrute, 0, "J_Run's 2nd phase of multiple sector nested authentication key recovery"},\r
{"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
{"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},\r
{"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},\r