- if (isOK) {\r
- switch (isOK) {\r
- case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
- case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
- case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
- default : PrintAndLog("Unknown Error.\n");\r
- }\r
- return 2;\r
- }\r
- key64 = bytes_to_num(keyBlock, 6);\r
- if (key64) {\r
- PrintAndLog("Found valid key:%012"llx, key64);\r
-\r
- // transfer key to the emulator\r
- if (transferToEml) {\r
- uint8_t sectortrailer;\r
- if (trgBlockNo < 32*4) { // 4 block sector\r
- sectortrailer = (trgBlockNo & 0x03) + 3;\r
- } else { // 16 block sector\r
- sectortrailer = (trgBlockNo & 0x0f) + 15;\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ case -4 : PrintAndLog("No valid key found"); break;\r
+ case -5 : \r
+ key64 = bytes_to_num(keyBlock, 6);\r
+\r
+ // transfer key to the emulator\r
+ if (transferToEml) {\r
+ uint8_t sectortrailer;\r
+ if (trgBlockNo < 32*4) { // 4 block sector\r
+ sectortrailer = (trgBlockNo & 0x03) + 3;\r
+ } else { // 16 block sector\r
+ sectortrailer = (trgBlockNo & 0x0f) + 15;\r
+ }\r
+ mfEmlGetMem(keyBlock, sectortrailer, 1);\r
+ \r
+ if (!trgKeyType)\r
+ num_to_bytes(key64, 6, keyBlock);\r
+ else\r
+ num_to_bytes(key64, 6, &keyBlock[10]);\r
+ mfEmlSetMem(keyBlock, sectortrailer, 1); \r
- num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6));\r
- num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6));\r
- num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6));\r
- num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6));\r
- num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6));\r
- num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6));\r
- num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6));\r
- num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6));\r
- iterations++;\r
-\r
- key64 = bytes_to_num(keyBlock, 6);\r
- if (key64) {\r
- PrintAndLog("Found valid key:%012"llx, key64);\r
- e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
- e_sector[sectorNo].Key[trgKeyType] = key64;\r
+ int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);\r
+ switch (isOK) {\r
+ case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;\r
+ case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;\r
+ case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;\r
+ case -4 : //key not found\r
+ calibrate = false;\r
+ iterations++;\r
+ continue; \r
+ case -5 :\r
+ calibrate = false;\r
+ iterations++;\r
+ e_sector[sectorNo].foundKey[trgKeyType] = 1;\r
+ e_sector[sectorNo].Key[trgKeyType] = bytes_to_num(keyBlock, 6);\r
+ continue;\r
+ \r
+ default : PrintAndLog("Unknown Error.\n");\r
- PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,\r
- e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);\r
+ // KEY A but not KEY B\r
+ if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) {\r
+ \r
+ uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
+ \r
+ PrintAndLog("Reading block %d", sectrail);\r
+ \r
+ UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}};\r
+ num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
+\r
+ UsbCommand resp;\r
+ if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue;\r
+ \r
+ uint8_t isOK = resp.arg[0] & 0xff;\r
+ if (!isOK) continue;\r
+\r
+ uint8_t *data = resp.d.asBytes;\r
+ key64 = bytes_to_num(data+10, 6);\r
+ if (key64) {\r
+ PrintAndLog("Data:%s", sprint_hex(data+10, 6));\r
+ e_sector[i].foundKey[1] = 1;\r
+ e_sector[i].Key[1] = key64;\r
+ }\r
+ }\r
- PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, t?'B':'A', keycnt);\r
- uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;\r
- for (uint32_t c = 0; c < keycnt; c+=max_keys) {\r
- uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;\r
- res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);\r
- if (res != 1) {\r
- if (!res) {\r
- PrintAndLog("Found valid key:[%012"llx"]",key64);\r
- num_to_bytes(key64, 6, foundKey[t][i]);\r
- validKey[t][i] = true;\r
- } \r
- } else {\r
- PrintAndLog("Command execute timeout");\r
+ \r
+ // skip already found keys.\r
+ if (e_sector[i].foundKey[trgKeyType]) continue;\r
+ \r
+ uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt;\r
+ \r
+ for (uint32_t c = 0; c < keycnt; c += max_keys) {\r
+ \r
+ uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;\r
+ \r
+ res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64);\r
+ if (!res) {\r
+ PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64);\r
+ \r
+ e_sector[i].Key[trgKeyType] = key64;\r
+ e_sector[i].foundKey[trgKeyType] = TRUE;\r
+ break;\r
+ } else { \r
+ e_sector[i].Key[trgKeyType] = 0xffffffffffff;\r
+ e_sector[i].foundKey[trgKeyType] = FALSE;\r
- b<127?(b+=4):(b+=16); \r
+ b < 127 ? ( b +=4 ) : ( b += 16 ); \r
+ }\r
+ }\r
+ // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag?\r
+ PrintAndLog("testing to read B...");\r
+ for (i = 0; i < SectorsCnt; i++) {\r
+ // KEY A but not KEY B\r
+ if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) {\r
+ \r
+ uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);\r
+ \r
+ PrintAndLog("Reading block %d", sectrail);\r
+ \r
+ UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}};\r
+ num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A\r
+ clearCommandBuffer();\r
+ SendCommand(&c);\r
+\r
+ UsbCommand resp;\r
+ if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue;\r
+ \r
+ uint8_t isOK = resp.arg[0] & 0xff;\r
+ if (!isOK) continue;\r
+\r
+ uint8_t *data = resp.d.asBytes;\r
+ key64 = bytes_to_num(data+10, 6);\r
+ if (key64) {\r
+ PrintAndLog("Data:%s", sprint_hex(data+10, 6));\r
+ e_sector[i].foundKey[1] = 1;\r
+ e_sector[i].Key[1] = key64;\r
+ }\r
- uint8_t block[16];\r
- for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {\r
- if (validKey[0][sectorNo] || validKey[1][sectorNo]) {\r
- mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
- for (uint16_t t = 0; t < 2; t++) {\r
- if (validKey[t][sectorNo]) {\r
- memcpy(block + t*10, foundKey[t][sectorNo], 6);\r
- }\r
- }\r
- mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);\r
- }\r
+ uint8_t block[16] = {0x00};\r
+ for (uint8_t i = 0; i < SectorsCnt; ++i ) {\r
+ mfEmlGetMem(block, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
+ if (e_sector[i].foundKey[0])\r
+ num_to_bytes(e_sector[i].Key[0], 6, block);\r
+ if (e_sector[i].foundKey[1])\r
+ num_to_bytes(e_sector[i].Key[1], 6, block+10);\r
+ mfEmlSetMem(block, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);\r
- while(!ukbhit() ){\r
- if ( WaitForResponseTimeout(CMD_ACK,&resp,1500) ) {\r
- if ( (resp.arg[0] & 0xffff) == CMD_SIMULATE_MIFARE_CARD ){\r
- memset(data, 0x00, sizeof(data));\r
- memset(key, 0x00, sizeof(key));\r
- int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
- \r
- memcpy(data, resp.d.asBytes, len);\r
- \r
- uint64_t corr_uid = 0;\r
- if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {\r
- corr_uid = (data[3] << 24) | (data[2] << 16) | (data[1] << 8) | data[0];\r
- }\r
- else {\r
- corr_uid |= (uint64_t)data[2] << 48; \r
- corr_uid |= (uint64_t)data[1] << 40; \r
- corr_uid |= (uint64_t)data[0] << 32;\r
- corr_uid |= data[7] << 24;\r
- corr_uid |= data[6] << 16;\r
- corr_uid |= data[5] << 8;\r
- corr_uid |= data[4];\r
- }\r
+ PrintAndLog("Press pm3-button or send another cmd to abort simulation");\r
+\r
+ while( !ukbhit() ){\r
+ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;\r
+\r
+ if ( !(flags & FLAG_NR_AR_ATTACK) ) break;\r
+ \r
+ if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;\r
+\r
+ memset(data, 0x00, sizeof(data));\r
+ memset(key, 0x00, sizeof(key));\r
+ int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];\r
+ \r
+ memcpy(data, resp.d.asBytes, len);\r
+ \r
+ uint64_t corr_uid = 0;\r
+ \r
+ // this IF? what was I thinking of?\r
+ if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {\r
+ corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0];\r
-static command_t CommandTable[] =\r
-{\r
- {"help", CmdHelp, 1, "This help"},\r
- {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
- {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
- {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
- {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
- {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
- {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
- {"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
- {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
- {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},\r
+static command_t CommandTable[] = {\r
+ {"help", CmdHelp, 1, "This help"},\r
+ {"dbg", CmdHF14AMfDbg, 0, "Set default debug mode"},\r
+ {"rdbl", CmdHF14AMfRdBl, 0, "Read MIFARE classic block"},\r
+ {"rdsc", CmdHF14AMfRdSc, 0, "Read MIFARE classic sector"},\r
+ {"dump", CmdHF14AMfDump, 0, "Dump MIFARE classic tag to binary file"},\r
+ {"restore", CmdHF14AMfRestore, 0, "Restore MIFARE classic binary file to BLANK tag"},\r
+ {"wrbl", CmdHF14AMfWrBl, 0, "Write MIFARE classic block"},\r
+ {"chk", CmdHF14AMfChk, 0, "Test block keys"},\r
+ {"mifare", CmdHF14AMifare, 0, "Read parity error messages."},\r
+ {"nested", CmdHF14AMfNested, 0, "Test nested authentication"},\r
- {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
- {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},\r
- {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},\r
- {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},\r
- {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},\r
- {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},\r
- {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},\r
- {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},\r
- {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},\r
- {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},\r
- {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},\r
- {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},\r
- {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
- {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
- {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
- {"decrypt", CmdHf14MfDecryptBytes, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
- {NULL, NULL, 0, NULL}\r
+ {"sniff", CmdHF14AMfSniff, 0, "Sniff card-reader communication"},\r
+ {"sim", CmdHF14AMf1kSim, 0, "Simulate MIFARE card"},\r
+ {"eclr", CmdHF14AMfEClear, 0, "Clear simulator memory block"},\r
+ {"eget", CmdHF14AMfEGet, 0, "Get simulator memory block"},\r
+ {"eset", CmdHF14AMfESet, 0, "Set simulator memory block"},\r
+ {"eload", CmdHF14AMfELoad, 0, "Load from file emul dump"},\r
+ {"esave", CmdHF14AMfESave, 0, "Save to file emul dump"},\r
+ {"ecfill", CmdHF14AMfECFill, 0, "Fill simulator memory with help of keys from simulator"},\r
+ {"ekeyprn", CmdHF14AMfEKeyPrn, 0, "Print keys from simulator memory"},\r
+ {"csetuid", CmdHF14AMfCSetUID, 0, "Set UID for magic Chinese card"},\r
+ {"csetblk", CmdHF14AMfCSetBlk, 0, "Write block - Magic Chinese card"},\r
+ {"cgetblk", CmdHF14AMfCGetBlk, 0, "Read block - Magic Chinese card"},\r
+ {"cgetsc", CmdHF14AMfCGetSc, 0, "Read sector - Magic Chinese card"},\r
+ {"cload", CmdHF14AMfCLoad, 0, "Load dump into magic Chinese card"},\r
+ {"csave", CmdHF14AMfCSave, 0, "Save dump from magic Chinese card into file or emulator"},\r
+ {"decrypt", CmdHf14MfDecryptBytes, 1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},\r
+ {NULL, NULL, 0, NULL}\r