X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/222bdb1cb35867fbc61ca7c811245a81f5142c2e..170e7c9c51bf257c80887c5037ecfd33ea2c5164:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 7cc07e96..ec542eb3 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -9,18 +9,18 @@ //----------------------------------------------------------------------------- #include "cmdhfmf.h" -#include "cmdhfmfhard.h" -#include "nonce2key/nonce2key.h" static int CmdHelp(const char *Cmd); int usage_hf14_mifare(void){ - PrintAndLog("Usage: hf mf mifare [h] "); + PrintAndLog("Usage: hf mf mifare [h] "); PrintAndLog("options:"); - PrintAndLog(" h this help"); - PrintAndLog(" (Optional) target other key A than block 0."); + PrintAndLog(" h this help"); + PrintAndLog(" (Optional) target other block"); + PrintAndLog(" (optional) target key type"); PrintAndLog("samples:"); PrintAndLog(" hf mf mifare"); PrintAndLog(" hf mf mifare 16"); + PrintAndLog(" hf mf mifare 16 B"); return 0; } int usage_hf14_mf1ksim(void){ 
@@ -111,15 +111,18 @@ int usage_hf14_chk(void){ PrintAndLog("Usage: hf mf chk |<*card memory> [t|d] [] []"); PrintAndLog("options:"); PrintAndLog(" h this help"); - PrintAndLog(" * all sectors"); - PrintAndLog(" card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog(" * all sectors based on card memory, other values then below defaults to 1k"); + PrintAndLog(" 0 - MINI(320 bytes)"); + PrintAndLog(" 1 - 1K"); + PrintAndLog(" 2 - 2K"); + PrintAndLog(" 4 - 4K"); PrintAndLog(" d write keys to binary file"); PrintAndLog(" t write keys to emulator memory\n"); PrintAndLog(" "); PrintAndLog("samples:"); - PrintAndLog(" hf mf chk 0 A 1234567890ab keys.dic"); - PrintAndLog(" hf mf chk *1 ? t"); - PrintAndLog(" hf mf chk *1 ? d"); + PrintAndLog(" hf mf chk 0 A 1234567890ab keys.dic -- target block 0, Key A"); + PrintAndLog(" hf mf chk *1 ? t -- target all blocks, all keys, 1K, write to emul"); + PrintAndLog(" hf mf chk *1 ? d -- target all blocks, all keys, 1K, write to file"); return 0; } @@ -129,13 +132,18 @@ int CmdHF14AMifare(const char *Cmd) { uint64_t par_list = 0, ks_list = 0, r_key = 0; int16_t isOK = 0; int tmpchar; - uint8_t blockNo = 0; + uint8_t blockNo = 0, keytype = MIFARE_AUTH_KEYA; char cmdp = param_getchar(Cmd, 0); if ( cmdp == 'H' || cmdp == 'h') return usage_hf14_mifare(); - blockNo = param_get8(Cmd, 0); - UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}}; + blockNo = param_get8(Cmd, 0); + + cmdp = param_getchar(Cmd, 1); + if (cmdp == 'B' || cmdp == 'b') + keytype = MIFARE_AUTH_KEYB; + + UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, keytype}}; // message printf("-------------------------------------------------------------------------\n"); 
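Review bot: The new key-type argument in `CmdHF14AMifare` is not validated: any character other than `B`/`b` in position 1, including a typo, silently leaves `keytype` at `MIFARE_AUTH_KEYA`. Rejecting unknown values would keep the command's behaviour explicit, e.g. `else if (cmdp != 0x00 && cmdp != 'A' && cmdp != 'a') return usage_hf14_mifare();` after the `B` test. The function body continues past the end of this hunk.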
@@ -1214,7 +1222,8 @@ int CmdHF14AMfChk(const char *Cmd) { if (e_sector[i].foundKey[trgKeyType]) continue; for (uint32_t c = 0; c < keycnt; c += max_keys) { - + printf("."); + fflush(stdout); uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c; res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64); @@ -1223,8 +1232,6 @@ int CmdHF14AMfChk(const char *Cmd) { e_sector[i].foundKey[trgKeyType] = TRUE; break; } - printf("."); - fflush(stdout); } b < 127 ? ( b +=4 ) : ( b += 16 ); } 
@@ -1313,45 +1320,121 @@ int CmdHF14AMfChk(const char *Cmd) { PrintAndLog(""); return 0; } +#define ATTACK_KEY_COUNT 8 +sector *k_sector = NULL; +uint8_t k_sectorsCount = 16; +void readerAttack(nonces_t data[], bool setEmulatorMem) { -int CmdHF14AMf1kSim(const char *Cmd) { - uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; - uint8_t exitAfterNReads = 0; - uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA); - int uidlen = 0; - uint8_t pnr = 0; - uint8_t cmdp = param_getchar(Cmd, 0); - - if (cmdp == 'h' || cmdp == 'H') return usage_hf14_mf1ksim(); - - cmdp = param_getchar(Cmd, pnr); - if (cmdp == 'u' || cmdp == 'U') { - param_gethex_ex(Cmd, pnr+1, uid, &uidlen); - switch(uidlen){ - case 20: flags = FLAG_10B_UID_IN_DATA; break; - case 14: flags = FLAG_7B_UID_IN_DATA; break; - case 8: flags = FLAG_4B_UID_IN_DATA; break; - default: return usage_hf14_mf1ksim(); - } - pnr +=2; - } + // initialize storage for found keys + if (k_sector == NULL) + k_sector = calloc(k_sectorsCount, sizeof(sector)); + if (k_sector == NULL) + return; - cmdp = param_getchar(Cmd, pnr); - if (cmdp == 'n' || cmdp == 'N') { - exitAfterNReads = param_get8(Cmd, pnr+1); - pnr += 2; + uint64_t key = 0; + + // empty e_sector + for(int i = 0; i < k_sectorsCount; ++i){ + k_sector[i].Key[0] = 0xffffffffffff; + k_sector[i].Key[1] = 0xffffffffffff; + k_sector[i].foundKey[0] = FALSE; + k_sector[i].foundKey[1] = FALSE; } - cmdp = param_getchar(Cmd, pnr); - if (cmdp == 'i' || cmdp == 'I' ) { - flags |= FLAG_INTERACTIVE; - pnr++; + printf("enter reader attack\n"); + for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) { + if (data[i].ar2 > 0) { + + if (tryMfk32(data[i], &key)) { + PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" + , (data[i].keytype) ? 
"B" : "A" + , data[i].sector + , key + ); + + k_sector[i].Key[data[i].keytype] = key; + k_sector[i].foundKey[data[i].keytype] = TRUE; + + //set emulator memory for keys + if (setEmulatorMem) { + uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; + num_to_bytes( k_sector[i].Key[0], 6, memBlock); + num_to_bytes( k_sector[i].Key[1], 6, memBlock+10); + mfEmlSetMem( memBlock, i*4 + 3, 1); + PrintAndLog("Setting Emulator Memory Block %02d: [%s]" + , i*4 + 3 + , sprint_hex( memBlock, sizeof(memBlock)) + ); + } + break; + } + //moebius attack + // if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key)) { + // PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]" + // ,(data[i+ATTACK_KEY_COUNT].keytype) ? "B" : "A" + // , data[i+ATTACK_KEY_COUNT].sector + // , key + // ); + // } + } } +} + +int CmdHF14AMf1kSim(const char *Cmd) { - cmdp = param_getchar(Cmd, pnr); - if (cmdp == 'x' || cmdp == 'X') { - flags |= FLAG_NR_AR_ATTACK; + uint8_t uid[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; + uint8_t exitAfterNReads = 0; + uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA); + int uidlen = 0; + bool setEmulatorMem = false; + uint8_t cmdp = 0; + bool errors = false; + + while(param_getchar(Cmd, cmdp) != 0x00) { + switch(param_getchar(Cmd, cmdp)) { + case 'e': + case 'E': + setEmulatorMem = true; + cmdp++; + break; + case 'h': + case 'H': + return usage_hf14_mf1ksim(); + case 'i': + case 'I': + flags |= FLAG_INTERACTIVE; + cmdp++; + break; + case 'n': + case 'N': + exitAfterNReads = param_get8(Cmd, cmdp+1); + cmdp += 2; + break; + case 'u': + case 'U': + param_gethex_ex(Cmd, cmdp+1, uid, &uidlen); + switch(uidlen) { + case 20: flags = FLAG_10B_UID_IN_DATA; break; + case 14: flags = FLAG_7B_UID_IN_DATA; break; + case 8: flags = FLAG_4B_UID_IN_DATA; break; + default: return usage_hf14_mf1ksim(); + } + cmdp +=2; + break; + case 'x': + case 'X': + flags |= FLAG_NR_AR_ATTACK; + cmdp++; + break; + default: + PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, 
cmdp)); + errors = true; + break; + } + if(errors) break; } + //Validations + if(errors) return usage_hf14_mf1ksim(); PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) " , (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen>>1) @@ -1365,24 +1448,24 @@ int CmdHF14AMf1kSim(const char *Cmd) { SendCommand(&c); if(flags & FLAG_INTERACTIVE) { - uint8_t data[32]; - uint64_t key; - UsbCommand resp; PrintAndLog("Press pm3-button or send another cmd to abort simulation"); + + nonces_t data[ATTACK_KEY_COUNT*2]; + UsbCommand resp; + while( !ukbhit() ){ if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue; if ( !(flags & FLAG_NR_AR_ATTACK) ) break; if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; - memset(data, 0x00, sizeof(data)); - int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; - - memcpy(data, resp.d.asBytes, len); - key = 0; - bool found = tryMfk32(data, &key); - found ^= tryMfk32_moebius(data, &key); - if ( found ) break; + memcpy( data, resp.d.asBytes, sizeof(data) ); + readerAttack(data, setEmulatorMem); + } + + if (k_sector != NULL) { + printKeyTable(k_sectorsCount, k_sector ); + free(k_sector); } } return 0; @@ -1546,7 +1629,7 @@ int CmdHF14AMfSniff(const char *Cmd){ int CmdHF14AMfDbg(const char *Cmd) { char ctmp = param_getchar(Cmd, 0); - if (strlen(Cmd) < 1 || ctmp == 'h'|| ctmp == 'H') return usage_hf14_dbg(); + if (strlen(Cmd) < 1 || ctmp == 'h' || ctmp == 'H') return usage_hf14_dbg(); uint8_t dbgMode = param_get8ex(Cmd, 0, 0, 10); if (dbgMode > 4) return usage_hf14_dbg(); @@ -1570,7 +1653,6 @@ void printKeyTable( uint8_t sectorscnt, sector *e_sector ){ } // EMULATOR COMMANDS - int CmdHF14AMfEGet(const char *Cmd) { uint8_t blockNo = 0; @@ -1584,7 +1666,7 @@ int CmdHF14AMfEGet(const char *Cmd) blockNo = param_get8(Cmd, 0); - PrintAndLog(" "); + PrintAndLog(""); if (!mfEmlGetMem(data, blockNo, 1)) { PrintAndLog("data[%3d]:%s", blockNo, sprint_hex(data, 16)); } else {
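Review bot: In `readerAttack`, `data[i].keytype` is copied from the device response and used directly as an index into `Key[]` and `foundKey[]`, which the reset loop treats as two-element arrays, so any value other than 0 or 1 would write out of bounds. Add `if (data[i].keytype > 1) continue;` before the `tryMfk32` call; the `nonces_t` definition is not in this hunk, so the field's width is assumed. The result is also stored in `k_sector[i]` and emulator block `i*4 + 3`, keyed by nonce slot, while the log line prints `data[i].sector`; if slot and sector can differ, the store should use a range-checked `data[i].sector` instead. In the `CmdHF14AMf1kSim` option loop, the `u` case still assigns `flags = FLAG_..._UID_IN_DATA`, which now discards an `i` or `x` flag parsed earlier on the command line.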
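Review bot: `free(k_sector)` leaves the file-scope pointer dangling, and `readerAttack` allocates only when `k_sector == NULL`, so a second interactive simulation run in the same client session would write into freed memory and then free it again. Follow the call with `k_sector = NULL;`. The new `memcpy( data, resp.d.asBytes, sizeof(data) )` also drops the old clamp against `resp.arg[1]`, so it copies the full `nonces_t[ATTACK_KEY_COUNT*2]` size regardless of how much the device reported. A check that `sizeof(data)` does not exceed the response buffer, plus zeroing `data` when the reported length is shorter, would make that assumption explicit. The enclosing function starts and ends outside this hunk.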