X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/d9ed4e191445d342d11e35fbe4886980e40771a8..ed8c2aeb6383c373da49d4b0b53fe15c7bfc1613:/client/cmdhfmf.c diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index d6e39444..a8a1eb80 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -213,9 +213,16 @@ start: } printf("\n"); - // par == 0 - if (isOK == -1 && par_list == 0) { - if (!nonce2key_ex(uid, nt, nr, ks_list, &r_key) ){ + // par == 0, and -4 + if (isOK == -4 && par_list == 0) { + // this special attack when parities is zero, uses checkkeys. Which now with block/keytype option also needs. + // but it uses 0|1 instead of 0x60|0x61... + if (nonce2key_ex(blockNo, keytype - 0x60 , uid, nt, nr, ks_list, &r_key) ){ + PrintAndLog("Key not found (lfsr_common_prefix list is null)."); + PrintAndLog("Failing is expected to happen in 25%% of all cases. Trying again with a different reader nonce..."); + c.arg[0] = false; + goto start; + } else { PrintAndLog("Found valid key: %012"llx" \n", r_key); goto END; } @@ -232,6 +239,16 @@ start: c.arg[0] = false; goto start; } else { + + // nonce2key found a candidate key. Lets verify it. + uint8_t keyblock[] = {0,0,0,0,0,0}; + num_to_bytes(r_key, 6, keyblock); + uint64_t key64 = 0; + int res = mfCheckKeys(blockNo, keytype - 0x60 , false, 1, keyblock, &key64); + if ( res > 0 ) { + PrintAndLog("Candidate Key found (%012"llx") - Test authentication failed. Starting over darkside attack", r_key); + goto start; + } PrintAndLog("Found valid key: %012"llx" \n", r_key); } END: