X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/2b1f4228c2987459445d30443f92038f9ea080c6..0db11b71efad3781186cc2da9f31686a6562d065:/client/cmdhfmf.c

diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index b2d5494f..ba8295ec 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -20,8 +20,18 @@ int CmdHF14AMifare(const char *Cmd)
 	uint32_t nt = 0, nr = 0;
 	uint64_t par_list = 0, ks_list = 0, r_key = 0;
 	int16_t isOK = 0;
-
-	UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}};
+	int tmpchar; 
+	uint8_t blockNo = 0;
+	
+	char cmdp = param_getchar(Cmd, 0);	
+	if ( cmdp == 'H' || cmdp == 'h') {
+		PrintAndLog("Usage:  hf mf mifare <block number>");
+		PrintAndLog("        sample: hf mf mifare 0");
+		return 0;
+	}	
+	
+	blockNo = param_get8(Cmd, 0);
+	UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}};
 
 	// message
 	printf("-------------------------------------------------------------------------\n");
@@ -29,32 +39,32 @@ int CmdHF14AMifare(const char *Cmd)
 	printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n");
 	printf("-------------------------------------------------------------------------\n");
 
+	clock_t t1 = clock();
 	
 start:
     clearCommandBuffer();
     SendCommand(&c);
 	
 	//flush queue
-	while (ukbhit()) getchar();
+	while (ukbhit()) {
+		tmpchar = getchar();
+		(void)tmpchar;
+	}
 
 	// wait cycle
 	while (true) {
         printf(".");
 		fflush(stdout);
 		if (ukbhit()) {
-			getchar();
+			tmpchar = getchar();
+			(void)tmpchar;
 			printf("\naborted via keyboard!\n");
 			break;
 		}
 		
 		UsbCommand resp;
-		if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) {
+		if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) {
 			isOK  = resp.arg[0];
-			uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);
-			nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);
-			par_list = bytes_to_num(resp.d.asBytes +  8, 8);
-			ks_list = bytes_to_num(resp.d.asBytes +  16, 8);
-			nr = bytes_to_num(resp.d.asBytes + 24, 4);
 			printf("\n\n");
 			switch (isOK) {
 				case -1 : PrintAndLog("Button pressed. Aborted.\n"); break;
@@ -64,6 +74,11 @@ start:
 						  PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break;
 				default: ;
 			}
+			uid = (uint32_t)bytes_to_num(resp.d.asBytes +  0, 4);
+			nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);
+			par_list = bytes_to_num(resp.d.asBytes +  8, 8);
+			ks_list = bytes_to_num(resp.d.asBytes +  16, 8);
+			nr = bytes_to_num(resp.d.asBytes + 24, 4);
 			break;
 		}
 	}	
@@ -81,12 +96,12 @@ start:
 		c.arg[0] = false;
 		goto start;
 	} else {
-		isOK = 0;
-		printf("------------------------------------------------------------------\n");
 		PrintAndLog("Found valid key: %012"llx" \n", r_key);
 	}
 	
-	PrintAndLog("");
+	t1 = clock() - t1;
+	if ( t1 > 0 )
+		PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1);
 	return 0;
 }
 
@@ -305,8 +320,10 @@ int CmdHF14AMfDump(const char *Cmd)
 	}
 	
 	// Read keys A from file
+	size_t bytes_read;
 	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		if (fread( keyA[sectorNo], 1, 6, fin ) == 0) {
+		bytes_read = fread( keyA[sectorNo], 1, 6, fin );
+		if ( bytes_read == 0) {
 			PrintAndLog("File reading error.");
 			fclose(fin);
 			return 2;
@@ -315,7 +332,8 @@ int CmdHF14AMfDump(const char *Cmd)
 	
 	// Read keys B from file
 	for (sectorNo=0; sectorNo<numSectors; sectorNo++) {
-		if (fread( keyB[sectorNo], 1, 6, fin ) == 0) {
+		bytes_read = fread( keyB[sectorNo], 1, 6, fin );
+		if ( bytes_read == 0) {
 			PrintAndLog("File reading error.");
 			fclose(fin);
 			return 2;
@@ -472,8 +490,10 @@ int CmdHF14AMfRestore(const char *Cmd)
 		return 1;
 	}
 	
+	size_t bytes_read;
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
-		if (fread(keyA[sectorNo], 1, 6, fkeys) == 0) {
+		bytes_read = fread( keyA[sectorNo], 1, 6, fkeys );
+		if ( bytes_read == 0) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
 			fclose(fkeys);
 			return 2;
@@ -481,7 +501,8 @@ int CmdHF14AMfRestore(const char *Cmd)
 	}
 
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
-		if (fread(keyB[sectorNo], 1, 6, fkeys) == 0) {
+		bytes_read = fread( keyB[sectorNo], 1, 6, fkeys );
+		if ( bytes_read == 0) {
 			PrintAndLog("File reading error (dumpkeys.bin).");
 			fclose(fkeys);
 			return 2;
@@ -499,9 +520,9 @@ int CmdHF14AMfRestore(const char *Cmd)
 	for (sectorNo = 0; sectorNo < numSectors; sectorNo++) {
 		for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) {
 			UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}};
-			memcpy(c.d.asBytes, key, 6);
-			
-			if (fread(bldata, 1, 16, fdump) == 0) {
+			memcpy(c.d.asBytes, key, 6);			
+			bytes_read = fread(bldata, 1, 16, fdump);
+			if ( bytes_read == 0) {
 				PrintAndLog("File reading error (dumpdata.bin).");
 				fclose(fdump);
 				return 2;
@@ -552,7 +573,7 @@ int CmdHF14AMfNested(const char *Cmd)
 	uint8_t trgKeyType = 0;
 	uint8_t SectorsCnt = 0;
 	uint8_t key[6] = {0, 0, 0, 0, 0, 0};
-	uint8_t keyBlock[14*6];
+	uint8_t keyBlock[6*6];
 	uint64_t key64 = 0;
 	bool transferToEml = false;
 	
@@ -572,10 +593,11 @@ int CmdHF14AMfNested(const char *Cmd)
 		PrintAndLog("t - transfer keys into emulator memory");
 		PrintAndLog("d - write keys to binary file");
 		PrintAndLog(" ");
-		PrintAndLog("      sample1: hf mf nested 1 0 A FFFFFFFFFFFF ");
-		PrintAndLog("      sample2: hf mf nested 1 0 A FFFFFFFFFFFF t ");
-		PrintAndLog("      sample3: hf mf nested 1 0 A FFFFFFFFFFFF d ");
-		PrintAndLog("      sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A");
+		PrintAndLog(" samples:");
+		PrintAndLog("              hf mf nested 1 0 A FFFFFFFFFFFF ");
+		PrintAndLog("              hf mf nested 1 0 A FFFFFFFFFFFF t ");
+		PrintAndLog("              hf mf nested 1 0 A FFFFFFFFFFFF d ");
+		PrintAndLog("              hf mf nested o 0 A FFFFFFFFFFFF 4 A");
 		return 0;
 	}	
 	
@@ -626,44 +648,38 @@ int CmdHF14AMfNested(const char *Cmd)
 	transferToEml |= (ctmp == 'd' || ctmp == 'D');
 	
 	if (cmdp == 'o') {
-		PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A');
 		int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true);
-		if (isOK) {
-			switch (isOK) {
-				case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
-				case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
-				case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
-				default : PrintAndLog("Unknown Error.\n");
-			}
-			return 2;
-		}
-		key64 = bytes_to_num(keyBlock, 6);
-		if (key64) {
-			PrintAndLog("Found valid key:%012"llx, key64);
-
-			// transfer key to the emulator
-			if (transferToEml) {
-				uint8_t sectortrailer;
-				if (trgBlockNo < 32*4) { 	// 4 block sector
-					sectortrailer = (trgBlockNo & 0x03) + 3;
-				} else {					// 16 block sector
-					sectortrailer = (trgBlockNo & 0x0f) + 15;
+		switch (isOK) {
+			case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
+			case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
+			case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
+			case -4 : PrintAndLog("No valid key found"); break;
+			case -5 : 
+				key64 = bytes_to_num(keyBlock, 6);
+
+				// transfer key to the emulator
+				if (transferToEml) {
+					uint8_t sectortrailer;
+					if (trgBlockNo < 32*4) { 	// 4 block sector
+						sectortrailer = (trgBlockNo & 0x03) + 3;
+					} else {					// 16 block sector
+						sectortrailer = (trgBlockNo & 0x0f) + 15;
+					}
+					mfEmlGetMem(keyBlock, sectortrailer, 1);
+			
+					if (!trgKeyType)
+						num_to_bytes(key64, 6, keyBlock);
+					else
+						num_to_bytes(key64, 6, &keyBlock[10]);
+					mfEmlSetMem(keyBlock, sectortrailer, 1);		
 				}
-				mfEmlGetMem(keyBlock, sectortrailer, 1);
-		
-				if (!trgKeyType)
-					num_to_bytes(key64, 6, keyBlock);
-				else
-					num_to_bytes(key64, 6, &keyBlock[10]);
-				mfEmlSetMem(keyBlock, sectortrailer, 1);		
-			}
-		} else {
-			PrintAndLog("No valid key found");
+				return 0;
+			default : PrintAndLog("Unknown Error.\n");
 		}
+		return 2;
 	}
 	else { // ------------------------------------  multiple sectors working
-		clock_t time1;
-		time1 = clock();
+		clock_t t1 = clock();
 
 		e_sector = calloc(SectorsCnt, sizeof(sector));
 		if (e_sector == NULL) return 1;
@@ -675,14 +691,6 @@ int CmdHF14AMfNested(const char *Cmd)
 		num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6));
 		num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6));
 		num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6));
-		num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6));
-		num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6));
-		num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6));
-		num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6));
-		num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6));
-		num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6));
-		num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6));
-		num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6));
 
 		PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt);
 		for (i = 0; i < SectorsCnt; i++) {
@@ -693,58 +701,88 @@ int CmdHF14AMfNested(const char *Cmd)
 				
 				if (!res) {
 					e_sector[i].Key[j] = key64;
-					e_sector[i].foundKey[j] = 1;
+					e_sector[i].foundKey[j] = TRUE;
 				}
 			}
 		}
+		clock_t t2 = clock() - t1;
+		if ( t2 > 0 )
+			PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 );
+
+		PrintAndLog("enter nested...");	
 		
 		// nested sectors
 		iterations = 0;
-		PrintAndLog("nested...");
 		bool calibrate = true;
+
 		for (i = 0; i < NESTED_SECTOR_RETRY; i++) {
-			for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
-				for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { 
+			for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; ++sectorNo) {
+				for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) { 
+
 					if (e_sector[sectorNo].foundKey[trgKeyType]) continue;
-					PrintAndLog("-----------------------------------------------");
+					
 					int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate);
-					if(isOK) {
-						switch (isOK) {
-							case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
-							case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
-							case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
-							default : PrintAndLog("Unknown Error.\n");
-						}
-						free(e_sector);
-						return 2;
-					} else {
-						calibrate = false;
+					switch (isOK) {
+						case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break;
+						case -2 : PrintAndLog("Button pressed. Aborted.\n"); break;
+						case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break;
+						case -4 : //key not found
+							calibrate = false;
+							iterations++;
+							continue; 
+						case -5 :
+							calibrate = false;
+							iterations++;
+							e_sector[sectorNo].foundKey[trgKeyType] = 1;
+							e_sector[sectorNo].Key[trgKeyType] = bytes_to_num(keyBlock, 6);
+							continue;
+							
+						default : PrintAndLog("Unknown Error.\n");
 					}
-					
-					iterations++;
+					free(e_sector);
+					return 2;
+				}
+			}
+		}
+		
+		t1 = clock() - t1;
+		if ( t1 > 0 )
+			PrintAndLog("Time in nested: %.0f ticks \n", (float)t1);
 
-					key64 = bytes_to_num(keyBlock, 6);
-					if (key64) {
-						PrintAndLog("Found valid key:%012"llx, key64);
-						e_sector[sectorNo].foundKey[trgKeyType] = 1;
-						e_sector[sectorNo].Key[trgKeyType] = key64;
-					}
+		// 20160116 If Sector A is found, but not Sector B,  try just reading it of the tag?
+		PrintAndLog("trying to read key B...");
+		for (i = 0; i < SectorsCnt; i++) {
+			// KEY A  but not KEY B
+			if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) {
+				
+				uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);
+				
+				PrintAndLog("Reading block %d", sectrail);
+							
+				UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}};
+				num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A
+				clearCommandBuffer();
+				SendCommand(&c);
+
+				UsbCommand resp;
+				if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue;
+					
+				uint8_t isOK  = resp.arg[0] & 0xff;
+				if (!isOK) continue;
+
+				uint8_t *data = resp.d.asBytes;
+				key64 = bytes_to_num(data+10, 6);
+				if (key64) {
+					PrintAndLog("Data:%s", sprint_hex(data+10, 6));
+					e_sector[i].foundKey[1] = TRUE;
+					e_sector[i].Key[1] = key64;
 				}
 			}
 		}
 
-		printf("Time in nested: %1.3f (%1.3f sec per key)\n\n", ((float)clock() - time1)/CLOCKS_PER_SEC, ((float)clock() - time1)/iterations/CLOCKS_PER_SEC);
 		
-		PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations);
 		//print them
-		PrintAndLog("|---|----------------|---|----------------|---|");
-		PrintAndLog("|sec|key A           |res|key B           |res|");
-		PrintAndLog("|---|----------------|---|----------------|---|");
-		for (i = 0; i < SectorsCnt; i++) {
-			PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,
-				e_sector[i].Key[0], e_sector[i].foundKey[0], e_sector[i].Key[1], e_sector[i].foundKey[1]);
-		}
-		PrintAndLog("|---|----------------|---|----------------|---|");
+		printKeyTable( SectorsCnt, e_sector );
 		
 		// transfer them to the emulator
 		if (transferToEml) {
@@ -804,7 +842,7 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 	char ctmp;
 	ctmp = param_getchar(Cmd, 0);
 
-	if (ctmp != 'R' && ctmp != 'r' && strlen(Cmd) < 20) {
+	if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) {
 		PrintAndLog("Usage:");
 		PrintAndLog("      hf mf hardnested <block number> <key A|B> <key (12 hex symbols)>");
 		PrintAndLog("                       <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]");
@@ -829,15 +867,17 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 	bool nonce_file_read = false;
 	bool nonce_file_write = false;
 	bool slow = false;
+	int tests = 0;
+	
 	
 	if (ctmp == 'R' || ctmp == 'r') {
 		nonce_file_read = true;
 		if (!param_gethex(Cmd, 1, trgkey, 12)) {
 			know_target_key = true;
 		}
-
+	} else if (ctmp == 'T' || ctmp == 't') {
+		tests = param_get32ex(Cmd, 1, 100, 10);
 	} else {
-
 		blockNo = param_get8(Cmd, 0);
 		ctmp = param_getchar(Cmd, 1);
 		if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') {
@@ -883,15 +923,16 @@ int CmdHF14AMfNestedHard(const char *Cmd)
 		}
 	}
 
-	PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s ", 
+	PrintAndLog("--target block no:%3d, target key type:%c, known target key: 0x%02x%02x%02x%02x%02x%02x%s, file action: %s, Slow: %s, Tests: %d ", 
 			trgBlockNo, 
 			trgKeyType?'B':'A', 
 			trgkey[0], trgkey[1], trgkey[2], trgkey[3], trgkey[4], trgkey[5],
 			know_target_key?"":" (not set)",
 			nonce_file_write?"write":nonce_file_read?"read":"none",
-			slow?"Yes":"No");
+			slow?"Yes":"No",
+			tests);
 
-	int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow);
+	int16_t isOK = mfnestedhard(blockNo, keyType, key, trgBlockNo, trgKeyType, know_target_key?trgkey:NULL, nonce_file_read, nonce_file_write, slow, tests);
 
 	if (isOK) {
 		switch (isOK) {
@@ -925,6 +966,8 @@ int CmdHF14AMfChk(const char *Cmd)
 	uint8_t *keyBlock = NULL, *p;
 	uint8_t stKeyBlock = 20;
 	
+	sector *e_sector = NULL;
+	
 	int i, res;
 	int	keycnt = 0;
 	char ctmp	= 0x00;
@@ -933,14 +976,15 @@ int CmdHF14AMfChk(const char *Cmd)
 	uint8_t keyType = 0;
 	uint64_t key64 = 0;
 	
+	uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+		
 	int transferToEml = 0;
 	int createDumpFile = 0;
 
 	keyBlock = calloc(stKeyBlock, 6);
 	if (keyBlock == NULL) return 1;
 
-	uint64_t defaultKeys[] =
-	{
+	uint64_t defaultKeys[] = {
 		0xffffffffffff, // Default key (first key used by program if no user defined key)
 		0x000000000000, // Blank key
 		0xa0a1a2a3a4a5, // NFCForum MAD key
@@ -958,9 +1002,8 @@ int CmdHF14AMfChk(const char *Cmd)
 	int defaultKeysSize = sizeof(defaultKeys) / sizeof(uint64_t);
 
 	for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++)
-	{
 		num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6));
-	}
+
 	
 	if (param_getchar(Cmd, 0)=='*') {
 		blockNo = 3;
@@ -971,9 +1014,9 @@ int CmdHF14AMfChk(const char *Cmd)
 			case '4': SectorsCnt = 40; break;
 			default:  SectorsCnt = 16;
 		}
-	}
-	else
+	} else {
 		blockNo = param_get8(Cmd, 0);
+	}
 	
 	ctmp = param_getchar(Cmd, 1);
 	switch (ctmp) {	
@@ -988,6 +1031,7 @@ int CmdHF14AMfChk(const char *Cmd)
 		break;
 	default:
 		PrintAndLog("Key type must be A , B or ?");
+		free(keyBlock);
 		return 1;
 	};
 	
@@ -1006,7 +1050,7 @@ int CmdHF14AMfChk(const char *Cmd)
 				}
 				keyBlock = p;
 			}
-			PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
+			PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
 			(keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
 			(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],	(keyBlock + 6*keycnt)[5], 6);
 			keycnt++;
@@ -1039,13 +1083,14 @@ int CmdHF14AMfChk(const char *Cmd)
 						if (!p) {
 							PrintAndLog("Cannot allocate memory for defKeys");
 							free(keyBlock);
+							fclose(f);
 							return 2;
 						}
 						keyBlock = p;
 					}
 					memset(keyBlock + 6 * keycnt, 0, 6);
 					num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt);
-					PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
+					PrintAndLog("check key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6));
 					keycnt++;
 					memset(buf, 0, sizeof(buf));
 				}
@@ -1062,80 +1107,147 @@ int CmdHF14AMfChk(const char *Cmd)
 	if (keycnt == 0) {
 		PrintAndLog("No key specified, trying default keys");
 		for (;keycnt < defaultKeysSize; keycnt++)
-			PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
+			PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt,
 				(keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2],
 				(keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4],	(keyBlock + 6*keycnt)[5], 6);
 	}
 	
 	// initialize storage for found keys
-	bool validKey[2][40];
-	uint8_t foundKey[2][40][6];
-	for (uint16_t t = 0; t < 2; t++) {
-		for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
-			validKey[t][sectorNo] = false;
-			for (uint16_t i = 0; i < 6; i++) {
-				foundKey[t][sectorNo][i] = 0xff;
-			}
-		}
+	e_sector = calloc(SectorsCnt, sizeof(sector));
+	if (e_sector == NULL) {
+		free(keyBlock);
+		return 1;
 	}
+
+	uint8_t trgKeyType = 0;
+	uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt;
+	
+	// time
+	clock_t t1 = clock();
 	
-	for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) {
-		int b=blockNo;
+	// check keys.
+	for (trgKeyType = !keyType;  trgKeyType < 2;  (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) {
+
+		int b = blockNo;
 		for (int i = 0; i < SectorsCnt; ++i) {
-			PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, t?'B':'A', keycnt);
-			uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt;
-			for (uint32_t c = 0; c < keycnt; c+=max_keys) {
-				uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c;
-				res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64);
-				if (res != 1) {
-					if (!res) {
-						PrintAndLog("Found valid key:[%012"llx"]",key64);
-						num_to_bytes(key64, 6, foundKey[t][i]);
-						validKey[t][i] = true;
-					} 
-				} else {
-					PrintAndLog("Command execute timeout");
+			
+			// skip already found keys.
+			if (e_sector[i].foundKey[trgKeyType]) continue;
+			
+			
+			for (uint32_t c = 0; c < keycnt; c += max_keys) {
+				
+				uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c;
+				
+				res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64);
+				if (!res) {
+					//PrintAndLog("Sector:%3d Block:%3d, key type: %C  -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64);
+										 
+					e_sector[i].Key[trgKeyType] = key64;
+					e_sector[i].foundKey[trgKeyType] = TRUE;
+					break;
+				} else {					
+					e_sector[i].Key[trgKeyType] = 0xffffffffffff;
+					e_sector[i].foundKey[trgKeyType] = FALSE;
 				}
+				printf(".");
 			}
-			b<127?(b+=4):(b+=16);	
+			b < 127 ? ( b +=4 ) : ( b += 16 );	
 		}
 	}
+	t1 = clock() - t1;
+	if ( t1 > 0 )
+		printf("\nTime in checkkeys: %.0f ticks\n", (float)t1);
+
+	// 20160116 If Sector A is found, but not Sector B,  try just reading it of the tag?
+	PrintAndLog("testing to read B...");
+	for (i = 0; i < SectorsCnt; i++) {
+		// KEY A  but not KEY B
+		if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) {
+						
+			uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1);
+			
+			PrintAndLog("Reading block %d", sectrail);
+			
+			UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}};
+			num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A
+			clearCommandBuffer();
+			SendCommand(&c);
 
-	if (transferToEml) {
-		uint8_t block[16];
-		for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) {
-			if (validKey[0][sectorNo] || validKey[1][sectorNo]) {
-				mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
-				for (uint16_t t = 0; t < 2; t++) {
-					if (validKey[t][sectorNo]) {
-						memcpy(block + t*10, foundKey[t][sectorNo], 6);
-					}
-				}
-				mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1);
+			UsbCommand resp;
+			if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue;
+				
+			uint8_t isOK  = resp.arg[0] & 0xff;
+			if (!isOK) continue;
+
+			uint8_t *data = resp.d.asBytes;
+			key64 = bytes_to_num(data+10, 6);
+			if (key64) {
+				PrintAndLog("Data:%s", sprint_hex(data+10, 6));
+				e_sector[i].foundKey[1] = 1;
+				e_sector[i].Key[1] = key64;
 			}
 		}
-		PrintAndLog("Found keys have been transferred to the emulator memory");
 	}
 
+
+	//print them
+	printKeyTable( SectorsCnt, e_sector );
+	
+	if (transferToEml) {
+		uint8_t block[16] = {0x00};
+		for (uint8_t i = 0; i < SectorsCnt; ++i ) {
+			mfEmlGetMem(block, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
+			if (e_sector[i].foundKey[0])
+				num_to_bytes(e_sector[i].Key[0], 6, block);
+			if (e_sector[i].foundKey[1])
+				num_to_bytes(e_sector[i].Key[1], 6, block+10);
+			mfEmlSetMem(block, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1);
+		}
+		PrintAndLog("Found keys have been transferred to the emulator memory");
+	}
+	
 	if (createDumpFile) {
 		FILE *fkeys = fopen("dumpkeys.bin","wb");
 		if (fkeys == NULL) { 
 			PrintAndLog("Could not create file dumpkeys.bin");
 			free(keyBlock);
+			free(e_sector);
 			return 1;
 		}
-		for (uint16_t t = 0; t < 2; t++) {
-			fwrite(foundKey[t], 1, 6*SectorsCnt, fkeys);
+		PrintAndLog("Printing keys to binary file dumpkeys.bin...");
+	
+		for( i=0; i<SectorsCnt; i++) {
+			num_to_bytes(e_sector[i].Key[0], 6, tempkey);
+			fwrite ( tempkey, 1, 6, fkeys );
+		}
+		for(i=0; i<SectorsCnt; i++) {
+			num_to_bytes(e_sector[i].Key[1], 6, tempkey);
+			fwrite ( tempkey, 1, 6, fkeys );
 		}
 		fclose(fkeys);
-		PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");
+		PrintAndLog("Found keys have been dumped to file dumpkeys.bin. 0xffffffffffff has been inserted for unknown keys.");			
 	}
-
+	
 	free(keyBlock);
+	free(e_sector);
 	PrintAndLog("");
 	return 0;
 }
 
+void printKeyTable( uint8_t sectorscnt, sector *e_sector ){
+	PrintAndLog("|---|----------------|---|----------------|---|");
+	PrintAndLog("|sec|key A           |res|key B           |res|");
+	PrintAndLog("|---|----------------|---|----------------|---|");
+	for (uint8_t i = 0; i < sectorscnt; ++i) {
+		PrintAndLog("|%03d|  %012"llx"  | %d |  %012"llx"  | %d |", i,
+			e_sector[i].Key[0], e_sector[i].foundKey[0], 
+			e_sector[i].Key[1], e_sector[i].foundKey[1]
+		);
+	}
+	PrintAndLog("|---|----------------|---|----------------|---|");
+}
+
 int CmdHF14AMf1kSim(const char *Cmd)
 {
 	uint8_t uid[7] = {0, 0, 0, 0, 0, 0, 0};
@@ -1168,10 +1280,12 @@ int CmdHF14AMf1kSim(const char *Cmd)
 		}
 		pnr +=2;
 	}
+	
 	if (param_getchar(Cmd, pnr) == 'n') {
 		exitAfterNReads = param_get8(Cmd,pnr+1);
 		pnr += 2;
 	}
+	
 	if (param_getchar(Cmd, pnr) == 'i' ) {
 		//Using a flag to signal interactiveness, least significant bit
 		flags |= FLAG_INTERACTIVE;
@@ -1182,10 +1296,13 @@ int CmdHF14AMf1kSim(const char *Cmd)
 		//Using a flag to signal interactiveness, least significant bit
 		flags |= FLAG_NR_AR_ATTACK;
 	}
+	
 	PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ",
 				flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4):
 											  flags & FLAG_7B_UID_IN_DATA	? sprint_hex(uid,7): "N/A"
-				, exitAfterNReads, flags,flags);
+				, exitAfterNReads
+				, flags
+				, flags);
 
 
 	UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}};
@@ -1200,40 +1317,39 @@ int CmdHF14AMf1kSim(const char *Cmd)
 
 		UsbCommand resp;		
 		PrintAndLog("Press pm3-button or send another cmd to abort simulation");
-		//while(! WaitForResponseTimeout(CMD_ACK,&resp,1500)) {
-			//We're waiting only 1.5 s at a time, otherwise we get the
-			// annoying message about "Waiting for a response... "
-		//}
-		while(!ukbhit() ){
-			if (!WaitForResponseTimeout(CMD_ACK,&resp,1500) ) continue;
+
+		while( !ukbhit() ){
+			if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
 
 			if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
+			
 			if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
 
-					memset(data, 0x00, sizeof(data));
-					memset(key, 0x00, sizeof(key));
-					int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
-					
-					memcpy(data, resp.d.asBytes, len);
-					
-					uint64_t corr_uid = 0;
-					if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {
-						corr_uid = (data[3] << 24) | (data[2] << 16) | (data[1] << 8) | data[0];
-				tryMfk32(corr_uid, data, key);
-			} else {
-						corr_uid |= (uint64_t)data[2] << 48; 
-						corr_uid |= (uint64_t)data[1] << 40; 
-						corr_uid |= (uint64_t)data[0] << 32;
-						corr_uid |= data[7] << 24;
-						corr_uid |= data[6] << 16;
-						corr_uid |= data[5] << 8;
-						corr_uid |= data[4];
-				tryMfk64(corr_uid, data, key);
-					}
-					PrintAndLog("--");
+				memset(data, 0x00, sizeof(data));
+				memset(key, 0x00, sizeof(key));
+				int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1];
+				
+				memcpy(data, resp.d.asBytes, len);
+				
+				uint64_t corr_uid = 0;
+				
+				// this IF?  what was I thinking of?
+				if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) {
+					corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0];
+					tryMfk32(corr_uid, data, key);
+				} else {
+					corr_uid |= (uint64_t)data[2] << 48; 
+					corr_uid |= (uint64_t)data[1] << 40; 
+					corr_uid |= (uint64_t)data[0] << 32;
+					corr_uid |= (uint64_t)data[7] << 24;
+					corr_uid |= (uint64_t)data[6] << 16;
+					corr_uid |= (uint64_t)data[5] << 8;
+					corr_uid |= (uint64_t)data[4];
+					tryMfk64(corr_uid, data, key);
 				}
-			}
-	
+			PrintAndLog("--");
+		}
+	}
 	return 0;
 }
 
@@ -1364,7 +1480,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 
 	len = param_getstr(Cmd,nameParamNo,filename);
 	
-	if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
 	fnameptr += len;
 
@@ -1461,7 +1577,7 @@ int CmdHF14AMfESave(const char *Cmd)
 
 	len = param_getstr(Cmd,nameParamNo,filename);
 	
-	if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+	if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 	
 	// user supplied filename?
 	if (len < 1) {
@@ -1738,7 +1854,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 		return 0;
 	} else {
 		len = strlen(Cmd);
-		if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 
 		memcpy(filename, Cmd, len);
 		fnameptr += len;
@@ -1779,6 +1895,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 
 			if (mfCSetBlock(blockNum, buf8, NULL, flags)) {
 				PrintAndLog("Can't set magic card block: %d", blockNum);
+				fclose(f);
 				return 3;
 			}
 			blockNum++;
@@ -1908,7 +2025,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
 		return 0;
 	} else {
 		len = strlen(Cmd);
-		if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+		if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 	
 		// get filename based on UID
 		if (len < 1) {
@@ -1966,6 +2083,7 @@ int CmdHF14AMfSniff(const char *Cmd){
 	bool wantSaveToEmlFile = 0;
 
 	//var 
+	int tmpchar;
 	int res = 0;
 	int len = 0;
 	int blockLen = 0;
@@ -2016,7 +2134,8 @@ int CmdHF14AMfSniff(const char *Cmd){
 		printf(".");
 		fflush(stdout);
 		if (ukbhit()) {
-			getchar();
+			tmpchar = getchar();
+			(void)tmpchar;
 			printf("\naborted via keyboard!\n");
 			break;
 		}
@@ -2027,7 +2146,10 @@ int CmdHF14AMfSniff(const char *Cmd){
 			uint16_t traceLen = resp.arg[1];
 			len = resp.arg[2];
 
-			if (res == 0) return 0;						// we are done
+			if (res == 0) {
+				free(buf);
+				return 0;						// we are done
+			}
 
 			if (res == 1) {								// there is (more) data to be transferred
 				if (pckNum == 0) {						// first packet, (re)allocate necessary buffer
@@ -2049,6 +2171,11 @@ int CmdHF14AMfSniff(const char *Cmd){
 					bufsize = traceLen;
 					memset(buf, 0x00, traceLen);
 				}
+				if (bufPtr == NULL) {
+					PrintAndLog("Cannot allocate memory for trace");
+					free(buf);
+					return 2;
+				}
 				memcpy(bufPtr, resp.d.asBytes, len);
 				bufPtr += len;
 				pckNum++;
@@ -2125,48 +2252,46 @@ int CmdHf14MfDecryptBytes(const char *Cmd){
 	return tryDecryptWord( nt, ar_enc, at_enc, data, len);
 }
 
-static command_t CommandTable[] =
-{
-  {"help",		CmdHelp,				1, "This help"},
-  {"dbg",		CmdHF14AMfDbg,			0, "Set default debug mode"},
-  {"rdbl",		CmdHF14AMfRdBl,			0, "Read MIFARE classic block"},
-  {"rdsc",		CmdHF14AMfRdSc,			0, "Read MIFARE classic sector"},
-  {"dump",		CmdHF14AMfDump,			0, "Dump MIFARE classic tag to binary file"},
-  {"restore",	CmdHF14AMfRestore,		0, "Restore MIFARE classic binary file to BLANK tag"},
-  {"wrbl",		CmdHF14AMfWrBl,			0, "Write MIFARE classic block"},
-  {"chk",		CmdHF14AMfChk,			0, "Test block keys"},
-  {"mifare",	CmdHF14AMifare,			0, "Read parity error messages."},
-  {"nested",	CmdHF14AMfNested,		0, "Test nested authentication"},
+static command_t CommandTable[] = {
+	{"help",		CmdHelp,				1, "This help"},
+	{"dbg",			CmdHF14AMfDbg,			0, "Set default debug mode"},
+	{"rdbl",		CmdHF14AMfRdBl,			0, "Read MIFARE classic block"},
+	{"rdsc",		CmdHF14AMfRdSc,			0, "Read MIFARE classic sector"},
+	{"dump",		CmdHF14AMfDump,			0, "Dump MIFARE classic tag to binary file"},
+	{"restore",		CmdHF14AMfRestore,		0, "Restore MIFARE classic binary file to BLANK tag"},
+	{"wrbl",		CmdHF14AMfWrBl,			0, "Write MIFARE classic block"},
+	{"chk",			CmdHF14AMfChk,			0, "Test block keys"},
+	{"mifare",		CmdHF14AMifare,			0, "Read parity error messages."},
+	{"nested",		CmdHF14AMfNested,		0, "Test nested authentication"},
 	{"hardnested", 	CmdHF14AMfNestedHard, 	0, "Nested attack for hardened Mifare cards"},
-  {"sniff",		CmdHF14AMfSniff,		0, "Sniff card-reader communication"},
-  {"sim",		CmdHF14AMf1kSim,		0, "Simulate MIFARE card"},
-  {"eclr",		CmdHF14AMfEClear,		0, "Clear simulator memory block"},
-  {"eget",		CmdHF14AMfEGet,			0, "Get simulator memory block"},
-  {"eset",		CmdHF14AMfESet,			0, "Set simulator memory block"},
-  {"eload",		CmdHF14AMfELoad,		0, "Load from file emul dump"},
-  {"esave",		CmdHF14AMfESave,		0, "Save to file emul dump"},
-  {"ecfill",	CmdHF14AMfECFill,		0, "Fill simulator memory with help of keys from simulator"},
-  {"ekeyprn",	CmdHF14AMfEKeyPrn,		0, "Print keys from simulator memory"},
-  {"csetuid",	CmdHF14AMfCSetUID,		0, "Set UID for magic Chinese card"},
-  {"csetblk",	CmdHF14AMfCSetBlk,		0, "Write block - Magic Chinese card"},
-  {"cgetblk",	CmdHF14AMfCGetBlk,		0, "Read block - Magic Chinese card"},
-  {"cgetsc",	CmdHF14AMfCGetSc,		0, "Read sector - Magic Chinese card"},
-  {"cload",		CmdHF14AMfCLoad,		0, "Load dump into magic Chinese card"},
-  {"csave",		CmdHF14AMfCSave,		0, "Save dump from magic Chinese card into file or emulator"},
-  {"decrypt",   CmdHf14MfDecryptBytes,  1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
-  {NULL, NULL, 0, NULL}
+	{"sniff",		CmdHF14AMfSniff,		0, "Sniff card-reader communication"},
+	{"sim",			CmdHF14AMf1kSim,		0, "Simulate MIFARE card"},
+	{"eclr",		CmdHF14AMfEClear,		0, "Clear simulator memory block"},
+	{"eget",		CmdHF14AMfEGet,			0, "Get simulator memory block"},
+	{"eset",		CmdHF14AMfESet,			0, "Set simulator memory block"},
+	{"eload",		CmdHF14AMfELoad,		0, "Load from file emul dump"},
+	{"esave",		CmdHF14AMfESave,		0, "Save to file emul dump"},
+	{"ecfill",		CmdHF14AMfECFill,		0, "Fill simulator memory with help of keys from simulator"},
+	{"ekeyprn",		CmdHF14AMfEKeyPrn,		0, "Print keys from simulator memory"},
+	{"csetuid",		CmdHF14AMfCSetUID,		0, "Set UID for magic Chinese card"},
+	{"csetblk",		CmdHF14AMfCSetBlk,		0, "Write block - Magic Chinese card"},
+	{"cgetblk",		CmdHF14AMfCGetBlk,		0, "Read block - Magic Chinese card"},
+	{"cgetsc",		CmdHF14AMfCGetSc,		0, "Read sector - Magic Chinese card"},
+	{"cload",		CmdHF14AMfCLoad,		0, "Load dump into magic Chinese card"},
+	{"csave",		CmdHF14AMfCSave,		0, "Save dump from magic Chinese card into file or emulator"},
+	{"decrypt",		CmdHf14MfDecryptBytes,  1, "[nt] [ar_enc] [at_enc] [data] - to decrypt snoop or trace"},
+	{NULL, NULL, 0, NULL}
 };
 
-int CmdHFMF(const char *Cmd)
-{
+int CmdHFMF(const char *Cmd) {
 	// flush
-	WaitForResponseTimeout(CMD_ACK,NULL,100);
+	clearCommandBuffer();
+	//WaitForResponseTimeout(CMD_ACK,NULL,100);
 	CmdsParse(CommandTable, Cmd);
 	return 0;
 }
 
-int CmdHelp(const char *Cmd)
-{
+int CmdHelp(const char *Cmd) {
 	CmdsHelp(CommandTable);
 	return 0;
 }