X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/b112787d4f40c5fd948594303653f6b0ce444700..9358e49641482a35af56ac291e2e07f07e9361ec:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index bd7fa589..797b5657 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -21,8 +21,17 @@ int CmdHF14AMifare(const char *Cmd) uint64_t par_list = 0, ks_list = 0, r_key = 0; int16_t isOK = 0; int tmpchar; + uint8_t blockNo = 0; - UsbCommand c = {CMD_READER_MIFARE, {true, 0, 0}}; + char cmdp = param_getchar(Cmd, 0); + if ( cmdp == 'H' || cmdp == 'h') { + PrintAndLog("Usage: hf mf mifare "); + PrintAndLog(" sample: hf mf mifare 0"); + return 0; + } + + blockNo = param_get8(Cmd, 0); + UsbCommand c = {CMD_READER_MIFARE, {true, blockNo, 0}}; // message printf("-------------------------------------------------------------------------\n"); @@ -54,13 +63,8 @@ start: } UsbCommand resp; - if (WaitForResponseTimeout(CMD_ACK,&resp,1000)) { + if (WaitForResponseTimeout(CMD_ACK, &resp, 1500)) { isOK = resp.arg[0]; - uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4); - nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4); - par_list = bytes_to_num(resp.d.asBytes + 8, 8); - ks_list = bytes_to_num(resp.d.asBytes + 16, 8); - nr = bytes_to_num(resp.d.asBytes + 24, 4); printf("\n\n"); switch (isOK) { case -1 : PrintAndLog("Button pressed. Aborted.\n"); break; @@ -70,6 +74,11 @@ start: PrintAndLog("generating polynomial with 16 effective bits only, but shows unexpected behaviour.\n"); break; default: ; } + uid = (uint32_t)bytes_to_num(resp.d.asBytes + 0, 4); + nt = (uint32_t)bytes_to_num(resp.d.asBytes + 4, 4); + par_list = bytes_to_num(resp.d.asBytes + 8, 8); + ks_list = bytes_to_num(resp.d.asBytes + 16, 8); + nr = bytes_to_num(resp.d.asBytes + 24, 4); break; } } @@ -87,14 +96,12 @@ start: c.arg[0] = false; goto start; } else { - isOK = 0; - printf("------------------------------------------------------------------\n"); PrintAndLog("Found valid key: %012"llx" \n", r_key); } + t1 = clock() - t1; - if ( t1 > 0 ){ - PrintAndLog("Time in darkside: %f ticks - %1.2f sec\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC); - } + if ( t1 > 0 ) + PrintAndLog("Time in darkside: %.0f ticks\n", (float)t1); return 0; } @@ -513,9 +520,9 @@ int CmdHF14AMfRestore(const char *Cmd) for (sectorNo = 0; sectorNo < numSectors; sectorNo++) { for(blockNo = 0; blockNo < NumBlocksPerSector(sectorNo); blockNo++) { UsbCommand c = {CMD_MIFARE_WRITEBL, {FirstBlockOfSector(sectorNo) + blockNo, keyType, 0}}; - memcpy(c.d.asBytes, key, 6); - - if (fread(bldata, 1, 16, fdump) == 0) { + memcpy(c.d.asBytes, key, 6); + bytes_read = fread(bldata, 1, 16, fdump); + if ( bytes_read == 0) { PrintAndLog("File reading error (dumpdata.bin)."); fclose(fdump); return 2; @@ -566,7 +573,7 @@ int CmdHF14AMfNested(const char *Cmd) uint8_t trgKeyType = 0; uint8_t SectorsCnt = 0; uint8_t key[6] = {0, 0, 0, 0, 0, 0}; - uint8_t keyBlock[14*6]; + uint8_t keyBlock[6*6]; uint64_t key64 = 0; bool transferToEml = false; @@ -586,10 +593,11 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("t - transfer keys into emulator memory"); PrintAndLog("d - write keys to binary file"); PrintAndLog(" "); - PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF "); - PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t "); - PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d "); - PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" samples:"); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); + PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); return 0; } @@ -640,40 +648,35 @@ int CmdHF14AMfNested(const char *Cmd) transferToEml |= (ctmp == 'd' || ctmp == 'D'); if (cmdp == 'o') { - PrintAndLog("--target block no:%3d, target key type:%c ", trgBlockNo, trgKeyType?'B':'A'); int16_t isOK = mfnested(blockNo, keyType, key, trgBlockNo, trgKeyType, keyBlock, true); - if (isOK) { - switch (isOK) { - case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; - case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; - default : PrintAndLog("Unknown Error.\n"); - } - return 2; - } - key64 = bytes_to_num(keyBlock, 6); - if (key64) { - PrintAndLog("Found valid key:%012"llx, key64); - - // transfer key to the emulator - if (transferToEml) { - uint8_t sectortrailer; - if (trgBlockNo < 32*4) { // 4 block sector - sectortrailer = (trgBlockNo & 0x03) + 3; - } else { // 16 block sector - sectortrailer = (trgBlockNo & 0x0f) + 15; + switch (isOK) { + case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; + case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -4 : PrintAndLog("No valid key found"); break; + case -5 : + key64 = bytes_to_num(keyBlock, 6); + + // transfer key to the emulator + if (transferToEml) { + uint8_t sectortrailer; + if (trgBlockNo < 32*4) { // 4 block sector + sectortrailer = (trgBlockNo & 0x03) + 3; + } else { // 16 block sector + sectortrailer = (trgBlockNo & 0x0f) + 15; + } + mfEmlGetMem(keyBlock, sectortrailer, 1); + + if (!trgKeyType) + num_to_bytes(key64, 6, keyBlock); + else + num_to_bytes(key64, 6, &keyBlock[10]); + mfEmlSetMem(keyBlock, sectortrailer, 1); } - mfEmlGetMem(keyBlock, sectortrailer, 1); - - if (!trgKeyType) - num_to_bytes(key64, 6, keyBlock); - else - num_to_bytes(key64, 6, &keyBlock[10]); - mfEmlSetMem(keyBlock, sectortrailer, 1); - } - } else { - PrintAndLog("No valid key found"); + return 0; + default : PrintAndLog("Unknown Error.\n"); } + return 2; } else { // ------------------------------------ multiple sectors working clock_t t1 = clock(); @@ -688,14 +691,6 @@ int CmdHF14AMfNested(const char *Cmd) num_to_bytes(0xa0a1a2a3a4a5, 6, (uint8_t*)(keyBlock + 3 * 6)); num_to_bytes(0xb0b1b2b3b4b5, 6, (uint8_t*)(keyBlock + 4 * 6)); num_to_bytes(0xaabbccddeeff, 6, (uint8_t*)(keyBlock + 5 * 6)); - num_to_bytes(0x4d3a99c351dd, 6, (uint8_t*)(keyBlock + 6 * 6)); - num_to_bytes(0x1a982c7e459a, 6, (uint8_t*)(keyBlock + 7 * 6)); - num_to_bytes(0xd3f7d3f7d3f7, 6, (uint8_t*)(keyBlock + 8 * 6)); - num_to_bytes(0x714c5c886e97, 6, (uint8_t*)(keyBlock + 9 * 6)); - num_to_bytes(0x587ee5f9350f, 6, (uint8_t*)(keyBlock + 10 * 6)); - num_to_bytes(0xa0478cc39091, 6, (uint8_t*)(keyBlock + 11 * 6)); - num_to_bytes(0x533cb6c723f6, 6, (uint8_t*)(keyBlock + 12 * 6)); - num_to_bytes(0x8fd0a4f256e9, 6, (uint8_t*)(keyBlock + 13 * 6)); PrintAndLog("Testing known keys. Sector count=%d", SectorsCnt); for (i = 0; i < SectorsCnt; i++) { @@ -706,54 +701,64 @@ int CmdHF14AMfNested(const char *Cmd) if (!res) { e_sector[i].Key[j] = key64; - e_sector[i].foundKey[j] = 1; + e_sector[i].foundKey[j] = TRUE; } } } + clock_t t2 = clock() - t1; + if ( t2 > 0 ) + PrintAndLog("Time to check 6 known keys: %.0f ticks", (float)t2 ); + + PrintAndLog("enter nested..."); // nested sectors iterations = 0; - PrintAndLog("nested..."); bool calibrate = true; + for (i = 0; i < NESTED_SECTOR_RETRY; i++) { - for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { - for (trgKeyType = 0; trgKeyType < 2; trgKeyType++) { + for (uint8_t sectorNo = 0; sectorNo < SectorsCnt; ++sectorNo) { + for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) { + if (e_sector[sectorNo].foundKey[trgKeyType]) continue; - PrintAndLog("-----------------------------------------------"); - int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate); - if(isOK) { - switch (isOK) { - case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; - case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; - case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; - default : PrintAndLog("Unknown Error.\n"); - } - free(e_sector); - return 2; - } else { - calibrate = false; - } - iterations++; - - key64 = bytes_to_num(keyBlock, 6); - if (key64) { - PrintAndLog("Found valid key:%012"llx, key64); - e_sector[sectorNo].foundKey[trgKeyType] = 1; - e_sector[sectorNo].Key[trgKeyType] = key64; + int16_t isOK = mfnested(blockNo, keyType, key, FirstBlockOfSector(sectorNo), trgKeyType, keyBlock, calibrate); + switch (isOK) { + case -1 : PrintAndLog("Error: No response from Proxmark.\n"); break; + case -2 : PrintAndLog("Button pressed. Aborted.\n"); break; + case -3 : PrintAndLog("Tag isn't vulnerable to Nested Attack (random numbers are not predictable).\n"); break; + case -4 : //key not found + calibrate = false; + iterations++; + continue; + case -5 : + calibrate = false; + iterations++; + e_sector[sectorNo].foundKey[trgKeyType] = 1; + e_sector[sectorNo].Key[trgKeyType] = bytes_to_num(keyBlock, 6); + continue; + + default : PrintAndLog("Unknown Error.\n"); } + free(e_sector); + return 2; } } } + + t1 = clock() - t1; + if ( t1 > 0 ) + PrintAndLog("Time in nested: %.0f ticks \n", (float)t1); // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? - PrintAndLog("testing to read B..."); + PrintAndLog("trying to read key B..."); for (i = 0; i < SectorsCnt; i++) { // KEY A but not KEY B if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); + PrintAndLog("Reading block %d", sectrail); + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A clearCommandBuffer(); @@ -763,39 +768,21 @@ int CmdHF14AMfNested(const char *Cmd) if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue; uint8_t isOK = resp.arg[0] & 0xff; - uint8_t *data = resp.d.asBytes; - - if (isOK) { + if (!isOK) continue; - key64 = bytes_to_num(data+10, 6); - if (key64) { - PrintAndLog("Data:%s", sprint_hex(data+10, 6)); - e_sector[i].foundKey[1] = 1; - e_sector[i].Key[1] = key64; - } + uint8_t *data = resp.d.asBytes; + key64 = bytes_to_num(data+10, 6); + if (key64) { + PrintAndLog("Data:%s", sprint_hex(data+10, 6)); + e_sector[i].foundKey[1] = TRUE; + e_sector[i].Key[1] = key64; } } } + - t1 = clock() - t1; - if ( t1 > 0 ) { - PrintAndLog("Time in nested: %f ticks %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/iterations/CLOCKS_PER_SEC); - } - - PrintAndLog("-----------------------------------------------\nIterations count: %d\n\n", iterations); //print them - PrintAndLog("|---|----------------|---|----------------|---|"); - PrintAndLog("|sec|key A |res|key B |res|"); - PrintAndLog("|---|----------------|---|----------------|---|"); - for (i = 0; i < SectorsCnt; i++) { - PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i, - e_sector[i].Key[0], - e_sector[i].foundKey[0], - e_sector[i].Key[1], - e_sector[i].foundKey[1] - ); - } - PrintAndLog("|---|----------------|---|----------------|---|"); + printKeyTable( SectorsCnt, e_sector ); // transfer them to the emulator if (transferToEml) { @@ -979,6 +966,8 @@ int CmdHF14AMfChk(const char *Cmd) uint8_t *keyBlock = NULL, *p; uint8_t stKeyBlock = 20; + sector *e_sector = NULL; + int i, res; int keycnt = 0; char ctmp = 0x00; @@ -987,14 +976,15 @@ int CmdHF14AMfChk(const char *Cmd) uint8_t keyType = 0; uint64_t key64 = 0; + uint8_t tempkey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}; + int transferToEml = 0; int createDumpFile = 0; keyBlock = calloc(stKeyBlock, 6); if (keyBlock == NULL) return 1; - uint64_t defaultKeys[] = - { + uint64_t defaultKeys[] = { 0xffffffffffff, // Default key (first key used by program if no user defined key) 0x000000000000, // Blank key 0xa0a1a2a3a4a5, // NFCForum MAD key @@ -1012,9 +1002,8 @@ int CmdHF14AMfChk(const char *Cmd) int defaultKeysSize = sizeof(defaultKeys) / sizeof(uint64_t); for (int defaultKeyCounter = 0; defaultKeyCounter < defaultKeysSize; defaultKeyCounter++) - { num_to_bytes(defaultKeys[defaultKeyCounter], 6, (uint8_t*)(keyBlock + defaultKeyCounter * 6)); - } + if (param_getchar(Cmd, 0)=='*') { blockNo = 3; @@ -1025,9 +1014,9 @@ int CmdHF14AMfChk(const char *Cmd) case '4': SectorsCnt = 40; break; default: SectorsCnt = 16; } - } - else + } else { blockNo = param_get8(Cmd, 0); + } ctmp = param_getchar(Cmd, 1); switch (ctmp) { @@ -1061,7 +1050,7 @@ int CmdHF14AMfChk(const char *Cmd) } keyBlock = p; } - PrintAndLog("chk key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, + PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); keycnt++; @@ -1101,7 +1090,7 @@ int CmdHF14AMfChk(const char *Cmd) } memset(keyBlock + 6 * keycnt, 0, 6); num_to_bytes(strtoll(buf, NULL, 16), 6, keyBlock + 6*keycnt); - PrintAndLog("chk custom key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); + PrintAndLog("check key[%2d] %012"llx, keycnt, bytes_to_num(keyBlock + 6*keycnt, 6)); keycnt++; memset(buf, 0, sizeof(buf)); } @@ -1118,115 +1107,167 @@ int CmdHF14AMfChk(const char *Cmd) if (keycnt == 0) { PrintAndLog("No key specified, trying default keys"); for (;keycnt < defaultKeysSize; keycnt++) - PrintAndLog("chk default key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, + PrintAndLog("key[%2d] %02x%02x%02x%02x%02x%02x", keycnt, (keyBlock + 6*keycnt)[0],(keyBlock + 6*keycnt)[1], (keyBlock + 6*keycnt)[2], (keyBlock + 6*keycnt)[3], (keyBlock + 6*keycnt)[4], (keyBlock + 6*keycnt)[5], 6); } // initialize storage for found keys - bool validKey[2][40]; - uint8_t foundKey[2][40][6]; - for (uint16_t t = 0; t < 2; t++) { - for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { - validKey[t][sectorNo] = false; - for (uint16_t i = 0; i < 6; i++) { - foundKey[t][sectorNo][i] = 0xff; - } - } + e_sector = calloc(SectorsCnt, sizeof(sector)); + if (e_sector == NULL) { + free(keyBlock); + return 1; } + + uint8_t trgKeyType = 0; + uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt; + // time clock_t t1 = clock(); - - for ( int t = !keyType; t < 2; keyType==2?(t++):(t=2) ) { - int b=blockNo; + + // check keys. + for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) { + + int b = blockNo; for (int i = 0; i < SectorsCnt; ++i) { - PrintAndLog("--sector:%2d, block:%3d, key type:%C, key count:%2d ", i, b, t?'B':'A', keycnt); - uint32_t max_keys = keycnt>USB_CMD_DATA_SIZE/6?USB_CMD_DATA_SIZE/6:keycnt; - for (uint32_t c = 0; c < keycnt; c+=max_keys) { - uint32_t size = keycnt-c>max_keys?max_keys:keycnt-c; - res = mfCheckKeys(b, t, true, size, &keyBlock[6*c], &key64); - if (res != 1) { - if (!res) { - PrintAndLog("Found valid key:[%012"llx"]",key64); - num_to_bytes(key64, 6, foundKey[t][i]); - validKey[t][i] = true; - } - } else { - PrintAndLog("Command execute timeout"); + + // skip already found keys. + if (e_sector[i].foundKey[trgKeyType]) continue; + + + for (uint32_t c = 0; c < keycnt; c += max_keys) { + + uint32_t size = keycnt-c > max_keys ? max_keys : keycnt-c; + + res = mfCheckKeys(b, trgKeyType, true, size, &keyBlock[6*c], &key64); + if (!res) { + //PrintAndLog("Sector:%3d Block:%3d, key type: %C -- Found key [%012"llx"]", i, b, trgKeyType ? 'B':'A', key64); + + e_sector[i].Key[trgKeyType] = key64; + e_sector[i].foundKey[trgKeyType] = TRUE; + break; + } else { + e_sector[i].Key[trgKeyType] = 0xffffffffffff; + e_sector[i].foundKey[trgKeyType] = FALSE; } + printf("."); + fflush(stdout); } - b<127?(b+=4):(b+=16); + b < 127 ? ( b +=4 ) : ( b += 16 ); } } t1 = clock() - t1; - if ( t1 > 0 ){ - printf("Time in checkkeys: %f ticks %1.2f sec (%1.2f sec per key)\n\n", (float)t1, ((float)t1)/CLOCKS_PER_SEC, ((float)t1)/keycnt/CLOCKS_PER_SEC); + if ( t1 > 0 ) + printf("\nTime in checkkeys: %.0f ticks\n", (float)t1); + + // 20160116 If Sector A is found, but not Sector B, try just reading it of the tag? + PrintAndLog("testing to read B..."); + for (i = 0; i < SectorsCnt; i++) { + // KEY A but not KEY B + if ( e_sector[i].foundKey[0] && !e_sector[i].foundKey[1] ) { + + uint8_t sectrail = (FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1); + + PrintAndLog("Reading block %d", sectrail); + + UsbCommand c = {CMD_MIFARE_READBL, {sectrail, 0, 0}}; + num_to_bytes(e_sector[i].Key[0], 6, c.d.asBytes); // KEY A + clearCommandBuffer(); + SendCommand(&c); + + UsbCommand resp; + if ( !WaitForResponseTimeout(CMD_ACK,&resp,1500)) continue; + + uint8_t isOK = resp.arg[0] & 0xff; + if (!isOK) continue; + + uint8_t *data = resp.d.asBytes; + key64 = bytes_to_num(data+10, 6); + if (key64) { + PrintAndLog("Data:%s", sprint_hex(data+10, 6)); + e_sector[i].foundKey[1] = 1; + e_sector[i].Key[1] = key64; + } + } } + + //print them + printKeyTable( SectorsCnt, e_sector ); + if (transferToEml) { - uint8_t block[16]; - for (uint16_t sectorNo = 0; sectorNo < SectorsCnt; sectorNo++) { - if (validKey[0][sectorNo] || validKey[1][sectorNo]) { - mfEmlGetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1); - for (uint16_t t = 0; t < 2; t++) { - if (validKey[t][sectorNo]) { - memcpy(block + t*10, foundKey[t][sectorNo], 6); - } - } - mfEmlSetMem(block, FirstBlockOfSector(sectorNo) + NumBlocksPerSector(sectorNo) - 1, 1); - } + uint8_t block[16] = {0x00}; + for (uint8_t i = 0; i < SectorsCnt; ++i ) { + mfEmlGetMem(block, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1); + if (e_sector[i].foundKey[0]) + num_to_bytes(e_sector[i].Key[0], 6, block); + if (e_sector[i].foundKey[1]) + num_to_bytes(e_sector[i].Key[1], 6, block+10); + mfEmlSetMem(block, FirstBlockOfSector(i) + NumBlocksPerSector(i) - 1, 1); } PrintAndLog("Found keys have been transferred to the emulator memory"); } - + if (createDumpFile) { FILE *fkeys = fopen("dumpkeys.bin","wb"); if (fkeys == NULL) { PrintAndLog("Could not create file dumpkeys.bin"); free(keyBlock); + free(e_sector); return 1; } - for (uint16_t t = 0; t < 2; t++) { - fwrite(foundKey[t], 1, 6*SectorsCnt, fkeys); + PrintAndLog("Printing keys to binary file dumpkeys.bin..."); + + for( i=0; i n i x"); PrintAndLog(" h this help"); - PrintAndLog(" u (Optional) UID. If not specified, the UID from emulator memory will be used"); + PrintAndLog(" u (Optional) UID 4,7 or 10bytes. If not specified, the UID from emulator memory will be used"); PrintAndLog(" n (Optional) Automatically exit simulation after blocks have been read by reader. 0 = infinite"); PrintAndLog(" i (Optional) Interactive, means that console will not be returned until simulation finishes or is aborted"); PrintAndLog(" x (Optional) Crack, performs the 'reader attack', nr/ar attack against a legitimate reader, fishes out the key(s)"); - PrintAndLog(""); - PrintAndLog(" sample: hf mf sim u 0a0a0a0a "); + PrintAndLog("samples:"); + PrintAndLog(" hf mf sim u 0a0a0a0a"); + PrintAndLog(" hf mf sim u 11223344556677"); + PrintAndLog(" hf mf sim u 112233445566778899AA"); return 0; } uint8_t pnr = 0; if (param_getchar(Cmd, pnr) == 'u') { - if(param_gethex(Cmd, pnr+1, uid, 8) == 0) - { - flags |= FLAG_4B_UID_IN_DATA; // UID from packet - } else if(param_gethex(Cmd,pnr+1,uid,14) == 0) { - flags |= FLAG_7B_UID_IN_DATA;// UID from packet - } else { - PrintAndLog("UID, if specified, must include 8 or 14 HEX symbols"); - return 1; + + param_gethex_ex(Cmd, pnr+1, uid, &uidlen); + switch(uidlen){ + case 20: flags |= FLAG_10B_UID_IN_DATA; break; + case 14: flags |= FLAG_7B_UID_IN_DATA; break; + case 8: flags |= FLAG_4B_UID_IN_DATA; break; + default: + PrintAndLog("UID, if specified, must include 8, 14 or 20 HEX symbols , %d", uidlen>>1); + return 1; } pnr +=2; } @@ -1237,24 +1278,20 @@ int CmdHF14AMf1kSim(const char *Cmd) } if (param_getchar(Cmd, pnr) == 'i' ) { - //Using a flag to signal interactiveness, least significant bit flags |= FLAG_INTERACTIVE; pnr++; } if (param_getchar(Cmd, pnr) == 'x' ) { - //Using a flag to signal interactiveness, least significant bit flags |= FLAG_NR_AR_ATTACK; } - PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) ", - flags & FLAG_4B_UID_IN_DATA ? sprint_hex(uid,4): - flags & FLAG_7B_UID_IN_DATA ? sprint_hex(uid,7): "N/A" + PrintAndLog(" uid:%s, numreads:%d, flags:%d (0x%02x) " + , (uidlen == 0 ) ? "N/A" : sprint_hex(uid, uidlen) , exitAfterNReads , flags , flags); - UsbCommand c = {CMD_SIMULATE_MIFARE_CARD, {flags, exitAfterNReads,0}}; memcpy(c.d.asBytes, uid, sizeof(uid)); clearCommandBuffer(); @@ -1272,43 +1309,32 @@ int CmdHF14AMf1kSim(const char *Cmd) if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue; if ( !(flags & FLAG_NR_AR_ATTACK) ) break; - if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; - memset(data, 0x00, sizeof(data)); - memset(key, 0x00, sizeof(key)); - int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; - - memcpy(data, resp.d.asBytes, len); - - uint64_t corr_uid = 0; - - // this IF? what was I thinking of? - if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) { - corr_uid = ((uint64_t)(data[3] << 24)) | (data[2] << 16) | (data[1] << 8) | data[0]; - tryMfk32(corr_uid, data, key); - } else { - corr_uid |= (uint64_t)data[2] << 48; - corr_uid |= (uint64_t)data[1] << 40; - corr_uid |= (uint64_t)data[0] << 32; - corr_uid |= (uint64_t)data[7] << 24; - corr_uid |= (uint64_t)data[6] << 16; - corr_uid |= (uint64_t)data[5] << 8; - corr_uid |= (uint64_t)data[4]; - tryMfk64(corr_uid, data, key); - } - PrintAndLog("--"); + memset(data, 0x00, sizeof(data)); + memset(key, 0x00, sizeof(key)); + int len = (resp.arg[1] > sizeof(data)) ? sizeof(data) : resp.arg[1]; + + memcpy(data, resp.d.asBytes, len); + + // CUID is always 4 first bytes. + uint64_t cuid = bytes_to_num(data, 4 ); + + // this needs to be fixed. ICEMAN + if ( memcmp(data, "\x00\x00\x00\x00", 4) == 0 ) { + tryMfk32(cuid, data, key); + } else { + tryMfk64(cuid, data, key); + } } } return 0; } -int CmdHF14AMfDbg(const char *Cmd) -{ +int CmdHF14AMfDbg(const char *Cmd) { int dbgMode = param_get32ex(Cmd, 0, 0, 10); - if (dbgMode > 4) { + if (dbgMode > 4) PrintAndLog("Max debug mode parameter is 4 \n"); - } if (strlen(Cmd) < 1 || !param_getchar(Cmd, 0) || dbgMode > 4) { PrintAndLog("Usage: hf mf dbg "); @@ -1323,10 +1349,24 @@ int CmdHF14AMfDbg(const char *Cmd) UsbCommand c = {CMD_MIFARE_SET_DBGMODE, {dbgMode, 0, 0}}; SendCommand(&c); - return 0; } +void printKeyTable( uint8_t sectorscnt, sector *e_sector ){ + PrintAndLog("|---|----------------|---|----------------|---|"); + PrintAndLog("|sec|key A |res|key B |res|"); + PrintAndLog("|---|----------------|---|----------------|---|"); + for (uint8_t i = 0; i < sectorscnt; ++i) { + PrintAndLog("|%03d| %012"llx" | %d | %012"llx" | %d |", i, + e_sector[i].Key[0], e_sector[i].foundKey[0], + e_sector[i].Key[1], e_sector[i].foundKey[1] + ); + } + PrintAndLog("|---|----------------|---|----------------|---|"); +} + +// EMULATOR COMMANDS + int CmdHF14AMfEGet(const char *Cmd) { uint8_t blockNo = 0; @@ -1656,8 +1696,9 @@ int CmdHF14AMfEKeyPrn(const char *Cmd) return 0; } -int CmdHF14AMfCSetUID(const char *Cmd) -{ +// CHINESE MAGIC COMMANDS + +int CmdHF14AMfCSetUID(const char *Cmd) { uint8_t wipeCard = 0; uint8_t uid[8] = {0x00}; uint8_t oldUid[8] = {0x00}; @@ -1669,11 +1710,13 @@ int CmdHF14AMfCSetUID(const char *Cmd) int argi=0; if (strlen(Cmd) < 1 || param_getchar(Cmd, argi) == 'h') { - PrintAndLog("Usage: hf mf csetuid [ATQA 4 hex symbols SAK 2 hex symbols] [w]"); - PrintAndLog("sample: hf mf csetuid 01020304"); - PrintAndLog("sample: hf mf csetuid 01020304 0004 08 w"); PrintAndLog("Set UID, ATQA, and SAK for magic Chinese card (only works with such cards)"); PrintAndLog("If you also want to wipe the card then add 'w' at the end of the command line."); + PrintAndLog(""); + PrintAndLog("Usage: hf mf csetuid [ATQA 4 hex symbols SAK 2 hex symbols] [w]"); + PrintAndLog(""); + PrintAndLog("sample: hf mf csetuid 01020304"); + PrintAndLog(" hf mf csetuid 01020304 0004 08 w"); return 0; } @@ -1714,7 +1757,7 @@ int CmdHF14AMfCSetUID(const char *Cmd) PrintAndLog("--wipe card:%s uid:%s", (wipeCard)?"YES":"NO", sprint_hex(uid, 4)); - res = mfCSetUID(uid, (atqaPresent)?atqa:NULL, (atqaPresent)?sak:NULL, oldUid, wipeCard); + res = mfCSetUID(uid, (atqaPresent) ? atqa : NULL, (atqaPresent) ? sak : NULL, oldUid, wipeCard); if (res) { PrintAndLog("Can't set UID. error=%d", res); return 1; @@ -1725,8 +1768,7 @@ int CmdHF14AMfCSetUID(const char *Cmd) return 0; } -int CmdHF14AMfCSetBlk(const char *Cmd) -{ +int CmdHF14AMfCSetBlk(const char *Cmd) { uint8_t block[16] = {0x00}; uint8_t blockNo = 0; uint8_t params = MAGIC_SINGLE; @@ -1761,8 +1803,7 @@ int CmdHF14AMfCSetBlk(const char *Cmd) return 0; } -int CmdHF14AMfCLoad(const char *Cmd) -{ +int CmdHF14AMfCLoad(const char *Cmd) { FILE * f; char filename[FILE_PATH_SIZE]; char * fnameptr = filename; @@ -2025,6 +2066,8 @@ int CmdHF14AMfCSave(const char *Cmd) { } } + + int CmdHF14AMfSniff(const char *Cmd){ bool wantLogToFile = 0; @@ -2039,15 +2082,17 @@ int CmdHF14AMfSniff(const char *Cmd){ int blockLen = 0; int pckNum = 0; int num = 0; - uint8_t uid[7]; - uint8_t uid_len; - uint8_t atqa[2] = {0x00}; - uint8_t sak; + uint8_t uid[10]; + uint8_t uid_len = 0; + uint8_t atqa[2] = {0x00, 0x00}; + uint8_t sak = 0; bool isTag; uint8_t *buf = NULL; uint16_t bufsize = 0; uint8_t *bufPtr = NULL; + memset(uid, 0x00, sizeof(uid)); + char ctmp = param_getchar(Cmd, 0); if ( ctmp == 'h' || ctmp == 'H' ) { PrintAndLog("It continuously gets data from the field and saves it to: log, emulator, emulator file."); @@ -2096,9 +2141,10 @@ int CmdHF14AMfSniff(const char *Cmd){ uint16_t traceLen = resp.arg[1]; len = resp.arg[2]; + // we are done? if (res == 0) { free(buf); - return 0; // we are done + return 0; } if (res == 1) { // there is (more) data to be transferred @@ -2151,21 +2197,21 @@ int CmdHF14AMfSniff(const char *Cmd){ memcpy(atqa, bufPtr + 2 + 7, 2); uid_len = (atqa[0] & 0xC0) == 0x40 ? 7 : 4; sak = bufPtr[11]; - PrintAndLog("tag select uid:%s atqa:0x%02x%02x sak:0x%02x", + PrintAndLog("tag select uid| %s atqa:0x%02x%02x sak:0x%02x", sprint_hex(uid + (7 - uid_len), uid_len), atqa[1], atqa[0], sak); if (wantLogToFile || wantDecrypt) { - FillFileNameByUID(logHexFileName, uid + (7 - uid_len), ".log", uid_len); + FillFileNameByUID(logHexFileName, uid + (10 - uid_len), ".log", uid_len); AddLogCurrentDT(logHexFileName); } if (wantDecrypt) mfTraceInit(uid, atqa, sak, wantSaveToEmlFile); } else { - PrintAndLog("%s(%d):%s", isTag ? "TAG":"RDR", num, sprint_hex(bufPtr, len)); + PrintAndLog("%03d| %s |%s", num, isTag ? "TAG" : "RDR", sprint_hex(bufPtr, len)); if (wantLogToFile) - AddLogHex(logHexFileName, isTag ? "TAG: ":"RDR: ", bufPtr, len); + AddLogHex(logHexFileName, isTag ? "TAG| ":"RDR| ", bufPtr, len); if (wantDecrypt) mfTraceDecode(bufPtr, len, wantSaveToEmlFile); num++;