X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/6c84c900179a0ff0959046ff0d65c68ab9077c50..be6e909c5bda0ae2d1ff2ea057127e099356c232:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index ec5d4487..0e3024a0 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -18,7 +18,7 @@ int usage_hf14_mifare(void){ PrintAndLog("options:"); PrintAndLog(" h this help"); PrintAndLog(" (Optional) target other key A than block 0."); - PrintAndLog("sample:"); + PrintAndLog("samples:"); PrintAndLog(" hf mf mifare"); PrintAndLog(" hf mf mifare 16"); return 0; @@ -26,11 +26,11 @@ int usage_hf14_mifare(void){ int usage_hf14_mf1ksim(void){ PrintAndLog("Usage: hf mf sim [h] u n i x"); PrintAndLog("options:"); - PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used"); - PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); - PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); - PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); + PrintAndLog(" h this help"); + PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID 4b from emulator memory will be used"); + PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); + PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); + PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); PrintAndLog("samples:"); PrintAndLog(" hf mf sim u 0a0a0a0a"); PrintAndLog(" hf mf sim u 11223344556677"); @@ -56,15 +56,70 @@ int usage_hf14_sniff(void){ PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file."); PrintAndLog("Usage: hf mf sniff [h] [l] [d] [f]"); PrintAndLog("options:"); - PrintAndLog(" h this help"); - PrintAndLog(" l save encrypted sequence to logfile `uid.log`"); - PrintAndLog(" d decrypt sequence and put it to log file `uid.log`"); -// PrintAndLog(" n/a e decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory"); - PrintAndLog(" f decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`"); + PrintAndLog(" h this help"); + PrintAndLog(" l save encrypted sequence to logfile `uid.log`"); + PrintAndLog(" d decrypt sequence and put it to log file `uid.log`"); +// PrintAndLog(" n/a e decrypt sequence, collect read and write commands and save the result of the sequence to emulator memory"); + PrintAndLog(" f decrypt sequence, collect read and write commands and save the result of the sequence to emulator dump file `uid.eml`"); PrintAndLog("sample:"); PrintAndLog(" hf mf sniff l d f"); return 0; } +int usage_hf14_nested(void){ + PrintAndLog("Usage:"); + PrintAndLog(" all sectors: hf mf nested [t,d]"); + PrintAndLog(" one sector: hf mf nested o "); + PrintAndLog(" [t]"); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog(" t transfer keys into emulator memory"); + PrintAndLog(" d write keys to binary file"); + PrintAndLog(" "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); + PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); + return 0; +} +int usage_hf14_hardnested(void){ + PrintAndLog("Usage:"); + PrintAndLog(" hf mf hardnested "); + PrintAndLog(" [known target key (12 hex symbols)] [w] [s]"); + PrintAndLog(" or hf mf hardnested r [known target key]"); + PrintAndLog(" "); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" w acquire nonces and write them to binary file nonces.bin"); + PrintAndLog(" s slower acquisition (required by some non standard cards)"); + PrintAndLog(" r read nonces.bin and start attack"); + PrintAndLog(" "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A w"); + PrintAndLog(" hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s"); + PrintAndLog(" hf mf hardnested r"); + PrintAndLog(" "); + PrintAndLog("Add the known target key to check if it is present in the remaining key space:"); + PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF"); + return 0; +} +int usage_hf14_chk(void){ + PrintAndLog("Usage: hf mf chk |<*card memory> [t|d] [] []"); + PrintAndLog("options:"); + PrintAndLog(" h this help"); + PrintAndLog(" * all sectors"); + PrintAndLog(" card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); + PrintAndLog(" d write keys to binary file"); + PrintAndLog(" t write keys to emulator memory\n"); + PrintAndLog(" "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf chk 0 A 1234567890ab keys.dic"); + PrintAndLog(" hf mf chk *1 ? t"); + PrintAndLog(" hf mf chk *1 ? d"); + return 0; +} int CmdHF14AMifare(const char *Cmd) { uint32_t uid = 0; @@ -86,6 +141,8 @@ int CmdHF14AMifare(const char *Cmd) { printf("Press button on the proxmark3 device to abort both proxmark3 and client.\n"); printf("-------------------------------------------------------------------------\n"); clock_t t1 = clock(); + time_t start, end; + time(&start); start: clearCommandBuffer(); @@ -120,9 +177,9 @@ start: switch (isOK) { case -1 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -2 : PrintAndLog("Card is not vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break; - case -3 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator is not predictable).\n"); break; - case -4 : PrintAndLog("Card is not vulnerable to Darkside attack (its random number generator seems to be based on the wellknown"); + case -2 : PrintAndLog("Card isn't vulnerable to Darkside attack (doesn't send NACK on authentication requests).\n"); break; + case -3 : PrintAndLog("Card isn't vulnerable to Darkside attack (its random number generator is not predictable).\n"); break; + case -4 : PrintAndLog("Card isn't vulnerable to Darkside attack (its random number generator seems to be based on the wellknown"); PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break; default: ; } @@ -154,13 +211,14 @@ start: } END: t1 = clock() - t1; + time(&end); + unsigned long elapsed_time = difftime(end, start); if ( t1 > 0 ) - PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1); + PrintAndLog("Time in darkside: %.0f ticks %u seconds\n", (float)t1, elapsed_time); return 0; } -int CmdHF14AMfWrBl(const char *Cmd) -{ +int CmdHF14AMfWrBl(const char *Cmd) { uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; @@ -209,8 +267,7 @@ int CmdHF14AMfWrBl(const char *Cmd) return 0; } -int CmdHF14AMfRdBl(const char *Cmd) -{ +int CmdHF14AMfRdBl(const char *Cmd) { uint8_t blockNo = 0; uint8_t keyType = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; @@ -258,8 +315,7 @@ int CmdHF14AMfRdBl(const char *Cmd) return 0; } -int CmdHF14AMfRdSc(const char *Cmd) -{ +int CmdHF14AMfRdSc(const char *Cmd) { int i; uint8_t sectorNo = 0; uint8_t keyType = 0; @@ -316,8 +372,7 @@ int CmdHF14AMfRdSc(const char *Cmd) return 0; } -uint8_t FirstBlockOfSector(uint8_t sectorNo) -{ +uint8_t FirstBlockOfSector(uint8_t sectorNo) { if (sectorNo < 32) { return sectorNo * 4; } else { @@ -325,8 +380,7 @@ uint8_t FirstBlockOfSector(uint8_t sectorNo) } } -uint8_t NumBlocksPerSector(uint8_t sectorNo) -{ +uint8_t NumBlocksPerSector(uint8_t sectorNo) { if (sectorNo < 32) { return 4; } else { @@ -632,30 +686,14 @@ int CmdHF14AMfNested(const char *Cmd) { FILE *fkeys; uint8_t standart[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; - - char cmdp, ctmp; - if (strlen(Cmd)<3) { - PrintAndLog("Usage:"); - PrintAndLog(" all sectors: hf mf nested [t,d]"); - PrintAndLog(" one sector: hf mf nested o "); - PrintAndLog(" [t]"); - PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); - PrintAndLog("t - transfer keys into emulator memory"); - PrintAndLog("d - write keys to binary file"); - PrintAndLog(" "); - PrintAndLog(" samples:"); - PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); - PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); - PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); - PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); - return 0; - } + if (strlen(Cmd)<3) return usage_hf14_nested(); + char cmdp, ctmp; cmdp = param_getchar(Cmd, 0); blockNo = param_get8(Cmd, 1); ctmp = param_getchar(Cmd, 2); - + if (ctmp != 'a' && ctmp != 'A' && ctmp != 'b' && ctmp != 'B') { PrintAndLog("Key type must be A or B"); return 1; @@ -703,7 +741,7 @@ int CmdHF14AMfNested(const char *Cmd) { switch (isOK) { case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break; case -4 : PrintAndLog("No valid key found"); break; case -5 : key64 = bytes_to_num(keyBlock, 6); @@ -731,7 +769,10 @@ int CmdHF14AMfNested(const char *Cmd) { } else { // ------------------------------------ multiple sectors working clock_t t1 = clock(); - + unsigned long elapsed_time; + time_t start, end; + time(&start); + e_sector = calloc(SectorsCnt, sizeof(sector)); if (e_sector == NULL) return 1; @@ -757,9 +798,11 @@ int CmdHF14AMfNested(const char *Cmd) { } } clock_t t2 = clock() - t1; + time(&end); + elapsed_time = difftime(end, start); if ( t2 > 0 ) - PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 ); - + PrintAndLog("Time to check 6 known keys: %.0f ticks %u seconds\n", (float)t2 , elapsed_time); + PrintAndLog("enter nested..."); // nested sectors @@ -776,7 +819,7 @@ int CmdHF14AMfNested(const char *Cmd) { switch (isOK) { case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (its random number generator is not predictable).\n"); break; case -4 : //key not found calibrate = false; iterations++; @@ -797,8 +840,11 @@ int CmdHF14AMfNested(const char *Cmd) { } t1 = clock() - t1; + time(&end); + elapsed_time = difftime(end, start); if ( t1 > 0 ) - PrintAndLog("Time in nested: %.0f ticks \n", (float)t1); + PrintAndLog("Time in nested: %.0f ticks %u seconds\n", (float)t1, elapsed_time); + // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? PrintAndLog("trying to read key B..."); @@ -891,27 +937,8 @@ int CmdHF14AMfNestedHard(const char *Cmd) { char ctmp; ctmp = param_getchar(Cmd, 0); - - if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) { - PrintAndLog("Usage:"); - PrintAndLog(" hf mf hardnested "); - PrintAndLog(" [known target key (12 hex symbols)] [w] [s]"); - PrintAndLog(" or hf mf hardnested r [known target key]"); - PrintAndLog(" "); - PrintAndLog("Options: "); - PrintAndLog(" w: Acquire nonces and write them to binary file nonces.bin"); - PrintAndLog(" s: Slower acquisition (required by some non standard cards)"); - PrintAndLog(" r: Read nonces.bin and start attack"); - PrintAndLog(" "); - PrintAndLog(" sample1: hf mf hardnested 0 A FFFFFFFFFFFF 4 A"); - PrintAndLog(" sample2: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w"); - PrintAndLog(" sample3: hf mf hardnested 0 A FFFFFFFFFFFF 4 A w s"); - PrintAndLog(" sample4: hf mf hardnested r"); - PrintAndLog(" "); - PrintAndLog("Add the known target key to check if it is present in the remaining key space:"); - PrintAndLog(" sample5: hf mf hardnested 0 A A0A1A2A3A4A5 4 A FFFFFFFFFFFF"); - return 0; - } + if (ctmp != 'H' && ctmp != 'h' ) return usage_hf14_hardnested(); + if (ctmp != 'R' && ctmp != 'r' && ctmp != 'T' && ctmp != 't' && strlen(Cmd) < 20) return usage_hf14_hardnested(); bool know_target_key = false; bool nonce_file_read = false; @@ -919,7 +946,6 @@ int CmdHF14AMfNestedHard(const char *Cmd) { bool slow = false; int tests = 0; - if (ctmp == 'R' || ctmp == 'r') { nonce_file_read = true; if (!param_gethex(Cmd, 1, trgkey, 12)) { @@ -997,17 +1023,8 @@ int CmdHF14AMfNestedHard(const char *Cmd) { } int CmdHF14AMfChk(const char *Cmd) { - if (strlen(Cmd)<3) { - PrintAndLog("Usage: hf mf chk |<*card memory> [t|d] [] []"); - PrintAndLog(" * - all sectors"); - PrintAndLog("card memory - 0 - MINI(320 bytes), 1 - 1K, 2 - 2K, 4 - 4K, - 1K"); - PrintAndLog("d - write keys to binary file"); - PrintAndLog("t - write keys to emulator memory\n"); - PrintAndLog(" sample: hf mf chk 0 A 1234567890ab keys.dic"); - PrintAndLog(" hf mf chk *1 ? t"); - PrintAndLog(" hf mf chk *1 ? d"); - return 0; - } + + if (strlen(Cmd)<3) return usage_hf14_chk(); FILE * f; char filename[FILE_PATH_SIZE]={0}; @@ -1168,11 +1185,22 @@ int CmdHF14AMfChk(const char *Cmd) { return 1; } + // empty e_sector + for(int i = 0; i < SectorsCnt; ++i){ + e_sector[i].Key[0] = 0xffffffffffff; + e_sector[i].Key[1] = 0xffffffffffff; + e_sector[i].foundKey[0] = FALSE; + e_sector[i].foundKey[1] = FALSE; + } + + uint8_t trgKeyType = 0; uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt; // time clock_t t1 = clock(); + time_t start, end; + time(&start); // check keys. for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) { @@ -1182,22 +1210,16 @@ int CmdHF14AMfChk(const char *Cmd) { // skip already found keys. if (e_sector[i].foundKey[trgKeyType]) continue; - - + for (uint32_t c = 0; c < keycnt; c += max_keys) { uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c; res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64); if (!res) { - //PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64); - e_sector[i].Key[trgKeyType] = key64; e_sector[i].foundKey[trgKeyType] = TRUE; break; - } else { - e_sector[i].Key[trgKeyType] = 0xffffffffffff; - e_sector[i].foundKey[trgKeyType] = FALSE; } printf("."); fflush(stdout); @@ -1206,36 +1228,41 @@ int CmdHF14AMfChk(const char *Cmd) { } } t1 = clock() - t1; + time(&end); + unsigned long elapsed_time = difftime(end, start); if ( t1 > 0 ) - printf("\nTime in checkkeys: %.0f ticks\n", (float)t1); + PrintAndLog("\nTime in checkkeys: %.0f ticks %u seconds\n", (float)t1, elapsed_time); + // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? - PrintAndLog("testing to read B..."); - for (i = 0; i < SectorsCnt; i++) { - // KEY A but not KEY B - if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { - - uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); - - PrintAndLog("Reading block %d", sectrail); - - UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; - num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A - clearCommandBuffer(); - SendCommand(&c); - - UsbCommand resp; - if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue; + if ( keyType != 1 ) { + PrintAndLog("testing to read key B..."); + for (i = 0; i < SectorsCnt; i++) { + // KEY A but not KEY B + if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { + + uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); - uint8_t isOK = resp.arg[0] & 0xff; - if (!isOK) continue; - - uint8_t *data = resp.d.asBytes; - key64 = bytes_to_num(data+10, 6); - if (key64) { - PrintAndLog("Data:%s", sprint_hex(data+10, 6)); - e_sector[i].foundKey[1] = 1; - e_sector[i].Key[1] = key64; + PrintAndLog("Reading block %d", sectrail); + + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; + num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A + clearCommandBuffer(); + SendCommand(&c); + + UsbCommand resp; + if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue; + + uint8_t isOK = resp.arg[0] & 0xff; + if (!isOK) continue; + + uint8_t *data = resp.d.asBytes; + key64 = bytes_to_num(data+10, 6); + if (key64) { + PrintAndLog("Data:%s", sprint_hex(data+10, 6)); + e_sector[i].foundKey[1] = 1; + e_sector[i].Key[1] = key64; + } } } }