X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/11117f6ab52be647a73fbdcce36dc397ce91eb45..refs/pull/262/head:/client/cmdhfmf.c?ds=inline
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index cdac6476..7a6aaa3b 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -8,87 +8,46 @@
// High frequency MIFARE commands
//-----------------------------------------------------------------------------
-#include "cmdhfmf.h"
-#include "./nonce2key/nonce2key.h"
+#include <inttypes.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include "proxmark3.h"
+#include "cmdmain.h"
+#include "util.h"
+#include "ui.h"
+#include "mifarehost.h"
+#include "mifare.h"
+#include "mfkey.h"
+
+#define NESTED_SECTOR_RETRY 10 // how often we try mfested() until we give up
+
static int CmdHelp(const char *Cmd);
+
int CmdHF14AMifare(const char *Cmd)
{
- uint32_t uid = 0;
- uint32_t nt = 0, nr = 0;
- uint64_t par_list = 0, ks_list = 0, r_key = 0;
- int16_t isOK = 0;
-
- UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
-
- // message
- printf("-------------------------------------------------------------------------\n");
- printf("Executing command. Expected execution time: 25sec on average :-)\n");
- printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");
- printf("-------------------------------------------------------------------------\n");
-
-
- start:
- clearCommandBuffer();
- SendCommand(&c);
-
- //flush queue
- while (ukbhit()) getchar();
-
- // wait cycle
- while (true) {
- printf(".");
- fflush(stdout);
- if (ukbhit()) {
- getchar();
- printf("\naborted via keyboard!\n");
- break;
- }
-
- UsbCommand resp;
- if (WaitForResponseTimeout(CMD_ACK, &resp, 1000)) {
- isOK = resp.arg[0];
- uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4);
- nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4);
- par_list = bytes_to_num(resp.d.asBytes + 8, 8);
- ks_list = bytes_to_num(resp.d.asBytes + 16, 8);
- nr = bytes_to_num(resp.d.asBytes + 24, 4);
- printf("\n\n");
- switch (isOK) {
- case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;
- case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break;
- case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break;
- case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
- PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
- default: ;
- }
- break;
- }
- }
+ int isOK = 0;
+ uint64_t key = 0;
- printf("\n");
-
- // error
- if (isOK != 1) return 1;
-
- // execute original function from util nonce2key
- if (nonce2key(uid, nt, nr, par_list, ks_list, &r_key)) {
- isOK = 2;
- PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);
- PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce...");
- c.arg[0] = false;
- goto start;
- } else {
- isOK = 0;
- printf("------------------------------------------------------------------\n");
- PrintAndLog("Found valid key:%012"llx" \n", r_key);
+ isOK = mfDarkside(&key);
+ switch (isOK) {
+ case -1 : PrintAndLog("Button pressed. Aborted."); return 1;
+ case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests)."); return 1;
+ case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable)."); return 1;
+ case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown");
+ PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour."); return 1;
+ case -5 : PrintAndLog("Aborted via keyboard."); return 1;
+ default : PrintAndLog("Found valid key:%012" PRIx64 "\n", key);
}
PrintAndLog("");
return 0;
}
+
int CmdHF14AMfWrBl(const char *Cmd)
{
uint8_t blockNo = 0;
@@ -302,7 +261,8 @@ int CmdHF14AMfDump(const char *Cmd)
// Read keys A from file
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
- if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {
+ size_t bytes_read = fread(keyA[sectorNo], 1, 6, fin);
+ if (bytes_read != 6) {
PrintAndLog("File reading error.");
fclose(fin);
return 2;
@@ -311,7 +271,8 @@ int CmdHF14AMfDump(const char *Cmd)
// Read keys B from file
for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
- if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {
+ size_t bytes_read = fread(keyB[sectorNo], 1, 6, fin);
+ if (bytes_read != 6) {
PrintAndLog("File reading error.");
fclose(fin);
return 2;
@@ -323,29 +284,32 @@ int CmdHF14AMfDump(const char *Cmd)
PrintAndLog("|-----------------------------------------|");
PrintAndLog("|------ Reading sector access bits...-----|");
PrintAndLog("|-----------------------------------------|");
-
+ uint8_t tries = 0;
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
- UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
- memcpy(c.d.asBytes, keyA[sectorNo], 6);
- SendCommand(&c);
+ for (tries = 0; tries < 3; tries++) {
+ UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 0, 0}};
+ memcpy(c.d.asBytes, keyA[sectorNo], 6);
+ SendCommand(&c);
- if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
- uint8_t isOK = resp.arg[0] & 0xff;
- uint8_t *data = resp.d.asBytes;
- if (isOK){
- rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0
- rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1
- rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2
- rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer
+ if (WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
+ uint8_t isOK = resp.arg[0] & 0xff;
+ uint8_t *data = resp.d.asBytes;
+ if (isOK){
+ rights[sectorNo][0] = ((data[7] & 0x10)>>2) | ((data[8] & 0x1)<<1) | ((data[8] & 0x10)>>4); // C1C2C3 for data area 0
+ rights[sectorNo][1] = ((data[7] & 0x20)>>3) | ((data[8] & 0x2)<<0) | ((data[8] & 0x20)>>5); // C1C2C3 for data area 1
+ rights[sectorNo][2] = ((data[7] & 0x40)>>4) | ((data[8] & 0x4)>>1) | ((data[8] & 0x40)>>6); // C1C2C3 for data area 2
+ rights[sectorNo][3] = ((data[7] & 0x80)>>5) | ((data[8] & 0x8)>>2) | ((data[8] & 0x80)>>7); // C1C2C3 for sector trailer
+ break;
+ } else if (tries == 2) { // on last try set defaults
+ PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);
+ rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
+ rights[sectorNo][3] = 0x01;
+ }
} else {
- PrintAndLog("Could not get access rights for sector %2d. Trying with defaults...", sectorNo);
+ PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);
rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
rights[sectorNo][3] = 0x01;
}
- } else {
- PrintAndLog("Command execute timeout when trying to read access rights for sector %2d. Trying with defaults...", sectorNo);
- rights[sectorNo][0] = rights[sectorNo][1] = rights[sectorNo][2] = 0x00;
- rights[sectorNo][3] = 0x01;
}
}
@@ -357,27 +321,33 @@ int CmdHF14AMfDump(const char *Cmd)
for (sectorNo = 0; isOK && sectorNo < numSectors; sectorNo++) {
for (blockNo = 0; isOK && blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
bool received = false;
-
- if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
- UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
- memcpy(c.d.asBytes, keyA[sectorNo], 6);
- SendCommand(&c);
- received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
- } else { // data block. Check if it can be read with key A or key B
- uint8_t data_area = sectorNo<32?blockNo:blockNo/5;
- if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work
- UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};
- memcpy(c.d.asBytes, keyB[sectorNo], 6);
- SendCommand(&c);
- received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
- } else if (rights[sectorNo][data_area] == 0x07) { // no key would work
- isOK = false;
- PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);
- } else { // key A would work
+ for (tries = 0; tries < 3; tries++) {
+ if (blockNo == NumBlocksPerSector(sectorNo) - 1) { // sector trailer. At least the Access Conditions can always be read with key A.
UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
memcpy(c.d.asBytes, keyA[sectorNo], 6);
SendCommand(&c);
received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
+ } else { // data block. Check if it can be read with key A or key B
+ uint8_t data_area = sectorNo<32?blockNo:blockNo/5;
+ if ((rights[sectorNo][data_area] == 0x03) || (rights[sectorNo][data_area] == 0x05)) { // only key B would work
+ UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 1, 0}};
+ memcpy(c.d.asBytes, keyB[sectorNo], 6);
+ SendCommand(&c);
+ received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
+ } else if (rights[sectorNo][data_area] == 0x07) { // no key would work
+ isOK = false;
+ PrintAndLog("Access rights do not allow reading of sector %2d block %3d", sectorNo, blockNo);
+ tries = 2;
+ } else { // key A would work
+ UsbCommand c = {CMD_MIFARE_READBL, {FirstBlockOfSector(sectorNo) + blockNo, 0, 0}};
+ memcpy(c.d.asBytes, keyA[sectorNo], 6);
+ SendCommand(&c);
+ received = WaitForResponseTimeout(CMD_ACK,&resp,1500);
+ }
+ }
+ if (received) {
+ isOK = resp.arg[0] & 0xff;
+ if (isOK) break;
}
}
@@ -466,16 +436,17 @@ int CmdHF14AMfRestore(const char *Cmd)
}
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
- if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
+ size_t bytes_read = fread(keyA[sectorNo], 1, 6, fkeys);
+ if (bytes_read != 6) {
PrintAndLog("File reading error (dumpkeys.bin).");
-
fclose(fkeys);
return 2;
}
}
for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
- if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {
+ size_t bytes_read = fread(keyB[sectorNo], 1, 6, fkeys);
+ if (bytes_read != 6) {
PrintAndLog("File reading error (dumpkeys.bin).");
fclose(fkeys);
return 2;
@@ -495,7 +466,8 @@ int CmdHF14AMfRestore(const char *Cmd)
UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
memcpy(c.d.asBytes, key, 6);
- if (fread(bldata, 1, 16, fdump) == 0) {
+ size_t bytes_read = fread(bldata, 1, 16, fdump);
+ if (bytes_read != 16) {
PrintAndLog("File reading error (dumpdata.bin).");
fclose(fdump);
return 2;
@@ -535,10 +507,17 @@ int CmdHF14AMfRestore(const char *Cmd)
return 0;
}
+
+typedef struct {
+ uint64_t Key[2];
+ int foundKey[2];
+} sector_t;
+
+
int CmdHF14AMfNested(const char *Cmd)
{
int i, j, res, iterations;
- sector *e_sector = NULL;
+ sector_t *e_sector = NULL;
uint8_t blockNo = 0;
uint8_t keyType = 0;
uint8_t trgBlockNo = 0;
@@ -632,7 +611,7 @@ int CmdHF14AMfNested(const char *Cmd)
}
key64 = bytes_to_num(keyBlock, 6);
if (key64) {
- PrintAndLog("Found valid key:%012"llx, key64);
+ PrintAndLog("Found valid key:%012" PRIx64, key64);
// transfer key to the emulator
if (transferToEml) {
@@ -655,10 +634,10 @@ int CmdHF14AMfNested(const char *Cmd)
}
}
else { // ------------------------------------ multiple sectors working
- clock_t time1;
- time1 = clock();
+ uint64_t msclock1;
+ msclock1 = msclock();
- e_sector = calloc(SectorsCnt, sizeof(sector));
+ e_sector = calloc(SectorsCnt, sizeof(sector_t));
if (e_sector == NULL) return 1;
//test current key and additional standard keys first
@@ -718,7 +697,7 @@ int CmdHF14AMfNested(const char *Cmd)
key64 = bytes_to_num(keyBlock, 6);
if (key64) {
- PrintAndLog("Found valid key:%012"llx, key64);
+ PrintAndLog("Found valid key:%012" PRIx64, key64);
e_sector[sectorNo].foundKey[trgKeyType] = 1;
e_sector[sectorNo].Key[trgKeyType] = key64;
}
@@ -726,7 +705,7 @@ int CmdHF14AMfNested(const char *Cmd)
}
}
- printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);
+ printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)(msclock() - msclock1))/1000.0, ((float)(msclock() - msclock1))/iterations/1000.0);
PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);
//print them
@@ -734,7 +713,7 @@ int CmdHF14AMfNested(const char *Cmd)
PrintAndLog("|sec|key A |res|key B |res|");
PrintAndLog("|---|----------------|---|----------------|---|");
for (i = 0; i < SectorsCnt; i++) {
- PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i,
+ PrintAndLog("|%03d| %012" PRIx64 " | %d | %012" PRIx64 " | %d |", i,
e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
}
PrintAndLog("|---|----------------|---|----------------|---|");
@@ -919,13 +898,14 @@ int CmdHF14AMfChk(const char *Cmd)
if (!p) {
PrintAndLog("Cannot allocate memory for defKeys");
free(keyBlock);
+ fclose(f);
return 2;
}
keyBlock = p;
}
memset(keyBlock + 6 * keycnt, 0, 6);
num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
- PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
+ PrintAndLog("chk custom key[%2d] %012" PRIx64 , keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
keycnt++;
memset(buf, 0, sizeof(buf));
}
@@ -969,7 +949,7 @@ int CmdHF14AMfChk(const char *Cmd)
res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
if (res != 1) {
if (!res) {
- PrintAndLog("Found valid key:[%012"llx"]",key64);
+ PrintAndLog("Found valid key:[%012" PRIx64 "]",key64);
num_to_bytes(key64, 6, foundKey[t][i]);
validKey[t][i] = true;
}
@@ -1054,11 +1034,11 @@ void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack
}
}
}
- } else if (tryMfk32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {
+ } else if (mfkey32_moebius(ar_resp[i+ATTACK_KEY_COUNT], &key)) {
uint8_t sectorNum = ar_resp[i+ATTACK_KEY_COUNT].sector;
uint8_t keyType = ar_resp[i+ATTACK_KEY_COUNT].keytype;
- PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]"
+ PrintAndLog("M-Found Key%s for sector %02d: [%012" PRIx64 "]"
, keyType ? "B" : "A"
, sectorNum
, key
@@ -1447,7 +1427,7 @@ int CmdHF14AMfELoad(const char *Cmd)
len = param_getstr(Cmd,nameParamNo,filename);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
fnameptr += len;
@@ -1546,7 +1526,7 @@ int CmdHF14AMfESave(const char *Cmd)
len = param_getstr(Cmd,nameParamNo,filename);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
// user supplied filename?
if (len < 1) {
@@ -1670,7 +1650,7 @@ int CmdHF14AMfEKeyPrn(const char *Cmd)
}
keyA = bytes_to_num(data, 6);
keyB = bytes_to_num(data + 10, 6);
- PrintAndLog("|%03d| %012"llx" | %012"llx" |", i, keyA, keyB);
+ PrintAndLog("|%03d| %012" PRIx64 " | %012" PRIx64 " |", i, keyA, keyB);
}
PrintAndLog("|---|----------------|----------------|");
@@ -1751,7 +1731,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd)
{
uint8_t memBlock[16] = {0x00};
uint8_t blockNo = 0;
- bool wipeCard = FALSE;
+ bool wipeCard = false;
int res;
if (strlen(Cmd) < 1 || param_getchar(Cmd, 0) == 'h') {
@@ -1822,7 +1802,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
return 0;
} else {
len = strlen(Cmd);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
memcpy(filename, Cmd, len);
fnameptr += len;
@@ -1863,6 +1843,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
if (mfCSetBlock(blockNum, buf8, NULL, 0, flags)) {
PrintAndLog("Can't set magic card block: %d", blockNum);
+ fclose(f);
return 3;
}
blockNum++;
@@ -1991,7 +1972,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
return 0;
} else {
len = strlen(Cmd);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
if (len < 1) {
// get filename
@@ -2111,11 +2092,14 @@ int CmdHF14AMfSniff(const char *Cmd){
uint16_t traceLen = resp.arg[1];
len = resp.arg[2];
- if (res == 0) return 0; // we are done
+ if (res == 0) { // we are done
+ free(buf);
+ return 0;
+ }
if (res == 1) { // there is (more) data to be transferred
if (pckNum == 0) { // first packet, (re)allocate necessary buffer
- if (traceLen > bufsize) {
+ if (traceLen > bufsize || buf == NULL) {
uint8_t *p;
if (buf == NULL) { // not yet allocated
p = malloc(traceLen);