uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2];
memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
- bool collectMoebius = false;
+ bool gettingMoebius = false;
uint8_t nonce1_count = 0;
uint8_t nonce2_count = 0;
uint8_t moebius_n_count = 0;
//Collect AR/NR per keytype & sector
if(flags & FLAG_NR_AR_ATTACK) {
for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
- if ( ar_nr_collected[i+mM]==0 || (cardAUTHSC == ar_nr_resp[i+mM].sector && cardAUTHKEY == ar_nr_resp[i+mM].keytype && ar_nr_collected[i+mM] > 0) ) {
+ if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
// if first auth for sector, or matches sector and keytype of previous auth
if (ar_nr_collected[i+mM] < 2) {
// if we haven't already collected 2 nonces for this sector
ar_nr_resp[i+mM].nonce2 = nonce;
ar_nr_resp[i+mM].nr2 = nr;
ar_nr_resp[i+mM].ar2 = ar;
- if (!collectMoebius) {
+ if (!gettingMoebius) {
nonce2_count++;
//check if this was the last second nonce we need for std attack
if ( nonce2_count == nonce1_count ) {
//done collecting std test switch to moebius
- collectMoebius = true;
+ //finish incrementing last sample
+ ar_nr_collected[i+mM]++;
+ //switch to moebius collection
+ gettingMoebius = true;
mM = ATTACK_KEY_COUNT;
nonce = nonce*7;
+ break;
}
} else {
moebius_n_count++;
}
}
ar_nr_collected[i+mM]++;
- break;
}
- } else { //already collected 2 nonces for sector - reader looping? - quit
+ } else { //already collected 2 nonces for sector - dump out
//finished = true;
}
+ // we found right spot for this nonce stop looking
+ break;
}
}
}
-
+
// --- crypto
crypto1_word(pcs, nr , 1);
cardRr = ar ^ crypto1_word(pcs, 0, 0);
}
if (len == 4 && (receivedCmd[0] == 0x60 || receivedCmd[0] == 0x61)) {
- if (receivedCmd[1] >= 16 * 4) {
+
+ // if authenticating to a block that shouldn't exist - as long as we are not doing the reader attack
+ if (receivedCmd[1] >= 16 * 4 && !(flags & FLAG_NR_AR_ATTACK)) {
//is this the correct response to an auth on a out of range block? marshmellow
EmSend4bit(mf_crypto1_encrypt4bit(pcs, CARD_NACK_NA));
if (MF_DBGLEVEL >= 2) Dbprintf("Reader tried to operate (0x%02x) on out of range block: %d (0x%02x), nacking",receivedCmd[0],receivedCmd[1],receivedCmd[1]);
cmdp = param_getchar(Cmd, pnr);\r
if (cmdp == 'x' || cmdp == 'X') {\r
flags |= FLAG_NR_AR_ATTACK;\r
+ pnr++;\r
}\r
\r
cmdp = param_getchar(Cmd, pnr);\r
if (ar_resp[i].ar2 > 0) {\r
//PrintAndLog("Trying sector %d, cuid %08x, nt %08x, ar %08x, nr %08x, ar2 %08x, nr2 %08x",ar_resp[i].sector, ar_resp[i].cuid,ar_resp[i].nonce,ar_resp[i].ar,ar_resp[i].nr,ar_resp[i].ar2,ar_resp[i].nr2);\r
if (mfkey32(ar_resp[i], &key)) {\r
- PrintAndLog("Found Key%s for sector %d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+ PrintAndLog("Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
\r
for (uint8_t ii = 0; ii<ATTACK_KEY_COUNT; ii++) {\r
if (key_cnt[ii]==0 || stSector[ii]==ar_resp[i].sector) {\r
char cmd1[36];\r
memset(cmd1,0x00,sizeof(cmd1));\r
snprintf(cmd1,sizeof(cmd1),"%04x%08xFF078069%04x%08x",(uint32_t) (sector_trailer[i].keyA>>32), (uint32_t) (sector_trailer[i].keyA &0xFFFFFFFF),(uint32_t) (sector_trailer[i].keyB>>32), (uint32_t) (sector_trailer[i].keyB &0xFFFFFFFF));\r
- //PrintAndLog("%s",cmd1);\r
+ PrintAndLog("Setting Emulator Memory Block %02d: [%s]",stSector[i]*4+3, cmd1);\r
if (param_gethex(cmd1, 0, memBlock, 32)) {\r
PrintAndLog("block data must include 32 HEX symbols");\r
return 1;\r
for (uint8_t i = ATTACK_KEY_COUNT; i<ATTACK_KEY_COUNT*2; i++) {\r
if (ar_resp[i].ar2 > 0) {\r
if (tryMfk32_moebius(ar_resp[i], &key)) {\r
- PrintAndLog("M-Found Key%s for sector %d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
+ PrintAndLog("M-Found Key%s for sector %02d: [%04x%08x]", (ar_resp[i].keytype) ? "B" : "A", ar_resp[i].sector, (uint32_t) (key>>32), (uint32_t) (key &0xFFFFFFFF));\r
}\r
}\r
}\r
clock_t t1 = clock();
bool isSuccess = FALSE;
uint8_t counter=0;
- //PrintAndLog("Enter mfkey32");
- //PrintAndLog("Trying sector %d, cuid %08x, nt %08x, nr %08x, ar %08x, nr2 %08x, ar2 %08x",data.sector, uid, nt,nr0_enc,ar0_enc,nr1_enc,ar1_enc);
- // Generate lfsr succesors of the tag challenge
- //prng_successor(nt, 64);
- //prng_successor(nt, 96);
-
- // Extract the keystream from the messages
- //ks2 = ar0_enc ^ prng_successor(nt, 64);
s = lfsr_recovery32(ar0_enc ^ prng_successor(nt, 64), 0);
projects / proxmark3-svn / commitdiff