FIX: 'hf 14a sim x' - this fixes the error with using moebius attack and sim. Updat...
authoriceman1001 <iceman@iuse.se>
Sun, 29 Jan 2017 10:29:15 +0000 (11:29 +0100)
committericeman1001 <iceman@iuse.se>
Sun, 29 Jan 2017 10:29:15 +0000 (11:29 +0100)
armsrc/iso14443a.c
client/cmdhfmf.c
client/nonce2key/nonce2key.c

index 2b4f9ea1f01c6795a26892721b70c94dc79a7568..d49e6ae1cd009b4c91814e12b9a44c32c4ef5aa1 100644 (file)
@@ -1058,12 +1058,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
                        DbpString("Button press");
                        break;
-               }
-               
-               // incease nonce at every command recieved
-               nonce = prand();
-               num_to_bytes(nonce, 4, response5);
-               
+               }       
                p_response = NULL;
                
                // Okay, look at the command now.
@@ -1158,6 +1153,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                                EmSendCmdEx(emdata, sizeof(emdata), false);
                                p_response = NULL;
                        } else {
+                               
+                               // incease nonce at every command recieved. this is time consuming.
+                               nonce = prand();
+                               num_to_bytes(nonce, 4, response5);
+                               prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
+                               
                                cardAUTHSC = receivedCmd[1] / 4; // received block num
                                cardAUTHKEY = receivedCmd[0] - 0x60;
                                p_response = &responses[5]; order = 7;
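Review bot: The result of `prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);` added in this hunk is discarded, whereas the same call is tested `== false` further down in this function on the `dynamic_response_info` path; if it fails here, `p_response = &responses[5]` transmits whatever modulation was last prepared for the previous nonce. Check it and take the same failure path the later call does (that handling is outside this hunk). The comment above it, `// incease nonce at every command recieved. this is time consuming.`, no longer describes where the code lives; something like `// fresh nonce per authentication request; done here rather than per command because prand()+prepare_tag_modulation() are slow` would match the move. `SimulateIso14443aTag` begins and ends outside this hunk.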
@@ -1173,7 +1174,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                        LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                        uint32_t nr = bytes_to_num(receivedCmd,4);
                        uint32_t ar = bytes_to_num(receivedCmd+4,4);
-
+                
                        // Collect AR/NR per keytype & sector
                        if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
                                
@@ -1279,8 +1280,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                                  dynamic_response_info.response_n = 2;
                                } break;
 
-                               case 0xaa:
-                               case 0xbb: {
+                               case 0xAA:
+                               case 0xBB: {
                                  dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11;
                                  dynamic_response_info.response_n = 2;
                                } break;
@@ -1313,7 +1314,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                                dynamic_response_info.response[1] = receivedCmd[1];
 
                                // Add CRC bytes, always used in ISO 14443A-4 compliant cards
-                               AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n);
+                               AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n);
                                dynamic_response_info.response_n += 2;
         
                                if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
@@ -1333,7 +1334,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
 
                // comment this limit if you want to simulation longer          
                if (!tracing) {
-                       Dbprintf("Trace Full. Simulation stopped.");
+                       DbpString("Trace Full. Simulation stopped.");
                        break;
                }
                // comment this limit if you want to simulation longer
@@ -1366,9 +1367,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
        set_tracing(FALSE);
        BigBuf_free_keep_EM();
        LED_A_OFF();
-       
+
+       /*      
        if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) {
-               /*
+
                for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
                        if (ar_nr_collected[i] == 2) {
                                Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
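Review bot: The `/*` added at the top of this hunk (closed by the `*/` added in the `@@ -1398,7 +1400,8 @@` hunk) disables the whole AR/NR report block with a block comment instead of deleting it or using `#if 0`; C block comments do not nest, which is why the `@@ -1382,7 +1384,7 @@` hunk has to drop the inner `*/`, and any `/* */` later edited into that region would end the comment early. If the device-side report is retired now that the client prints the keys, delete the block; if it is meant to return, wrap it as `#if 0` … `#endif`, which nests and is easier to re-enable. The enclosing function starts outside these hunks.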
@@ -1382,7 +1384,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                                                );
                        }
                }       
-               */
+
                for ( uint8_t   i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
                        if (ar_nr_collected[i] == 2) {
                                Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
@@ -1398,7 +1400,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                        }
                }
        }
-       
+       */
+               
        if (MF_DBGLEVEL >= 4){
                Dbprintf("-[ Wake ups after halt [%d]", happened);
                Dbprintf("-[ Messages after halt [%d]", happened2);
index 0ea171afce13084a06621625175801541bbc39b8..6b944df37e56bebf94d401632746f0a6eca61f9a 100644 (file)
@@ -1383,62 +1383,64 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
 \r
        printf("enter reader attack\n");\r
        for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {\r
-               if (data[i].ar2 > 0) {\r
+               \r
+               // if no-collected data \r
+               if (data[i].ar2 == 0) continue;\r
 \r
-                       // We can probably skip this, mfkey32v2 is more reliable.\r
+               // We can probably skip this, mfkey32v2 is more reliable.\r
 #ifdef HFMF_TRYMFK32\r
-                       if (tryMfk32(data[i], &key, verbose)) {\r
-                               PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"\r
-                                       , (data[i].keytype) ? "B" : "A"\r
-                                       , data[i].sector\r
-                                       , key\r
-                               );\r
-\r
-                               k_sector[i].Key[data[i].keytype] = key;\r
-                               k_sector[i].foundKey[data[i].keytype] = TRUE;\r
-                               \r
-                               //set emulator memory for keys\r
-                               if (setEmulatorMem) {\r
-                                       uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
-                                       num_to_bytes( k_sector[i].Key[0], 6, memBlock);\r
-                                       num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);\r
-                                       PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
-                                               , ((data[i].sector)*4) + 3\r
-                                               , sprint_hex( memBlock, sizeof(memBlock))\r
-                                               );\r
-                                       mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1);\r
-                               }\r
-                               continue;\r
+               if (tryMfk32(data[i], &key, verbose)) {\r
+                       PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"\r
+                               , (data[i].keytype) ? "B" : "A"\r
+                               , data[i].sector\r
+                               , key\r
+                       );\r
+\r
+                       k_sector[i].Key[data[i].keytype] = key;\r
+                       k_sector[i].foundKey[data[i].keytype] = TRUE;\r
+                       \r
+                       //set emulator memory for keys\r
+                       if (setEmulatorMem) {\r
+                               uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
+                               num_to_bytes( k_sector[i].Key[0], 6, memBlock);\r
+                               num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);\r
+                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
+                                       , ((data[i].sector)*4) + 3\r
+                                       , sprint_hex( memBlock, sizeof(memBlock))\r
+                                       );\r
+                               mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1);\r
                        }\r
+                       continue;\r
+               }\r
 #endif\r
-                       //moebius attack                        \r
-                       if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {\r
-                               uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;\r
-                               uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;\r
-\r
-                               PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]"\r
-                                       , keyType ? "B" : "A"\r
-                                       , sectorNum\r
-                                       , key\r
-                               );\r
-\r
-                               k_sector[sectorNum].Key[keyType] = key;\r
-                               k_sector[sectorNum].foundKey[keyType] = TRUE;\r
-\r
-                               //set emulator memory for keys\r
-                               if (setEmulatorMem) {\r
-                                       uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
-                                       num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock);\r
-                                       num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10);\r
-                                       PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
-                                               , (sectorNum*4) + 3\r
-                                               , sprint_hex( memBlock, sizeof(memBlock))\r
-                                               );\r
-                                       mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1);\r
-                               }\r
-                               continue;\r
+               \r
+               //moebius attack                        \r
+               if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {\r
+                       uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;\r
+                       uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;\r
+\r
+                       PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"\r
+                               , keyType ? "B" : "A"\r
+                               , sectorNum\r
+                               , key\r
+                       );\r
+\r
+                       k_sector[sectorNum].Key[keyType] = key;\r
+                       k_sector[sectorNum].foundKey[keyType] = TRUE;\r
+\r
+                       //set emulator memory for keys\r
+                       if (setEmulatorMem) {\r
+                               uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
+                               num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock);\r
+                               num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10);\r
+                               //iceman,  guessing this will not work so well for 4K tags.\r
+                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
+                                       , (sectorNum*4) + 3\r
+                                       , sprint_hex( memBlock, sizeof(memBlock))\r
+                                       );\r
+                               mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1);\r
                        }\r
-\r
+                       continue;\r
                }\r
        }\r
 }\r
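Review bot: The moebius branch at `if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose))` indexes `k_sector[sectorNum]` with a sector number taken directly from the device data and computes the emulator trailer block as `(sectorNum*4) + 3`, with no range check on either; the comment added beside it already suspects the formula, and it does hold only for sectors below 32 — on a 4K card sectors 32–39 have 16 blocks, so their trailer is `128 + (sector-32)*16 + 15`. The `tryMfk32` branch above it writes `k_sector[i]` by loop slot while using `data[i].sector` for the block address, so the two branches disagree about what indexes `k_sector`. Moving the trailer computation into a small helper used by both branches (below), and rejecting a `sectorNum` beyond the declared length of `k_sector` (declared outside this hunk) before it indexes the array, would cover both. `readerAttack`'s signature is outside the hunk.
```c
// Sector-trailer block number: 4-block sectors below 32, 16-block sectors from 32 on (MIFARE 4K).
static int trailer_block_of(uint8_t sector) {
	return (sector < 32) ? (sector * 4) + 3 : 128 + ((sector - 32) * 16) + 15;
}
// … unchanged: loop head, tryMfk32 branch (use trailer_block_of(data[i].sector) there too) …
		if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {
			uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;
			// … unchanged: keyType, key print, k_sector update (after bounding sectorNum) …
			if (setEmulatorMem) {
				int blockNo = trailer_block_of(sectorNum);
				// … unchanged: memBlock fill …
				PrintAndLog("Setting Emulator Memory Block %02d: [%s]", blockNo, sprint_hex( memBlock, sizeof(memBlock)));
				mfEmlSetMem( memBlock, blockNo, 1);
			}
```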
index fa73414490cd645232d3b594d42e35ebb5da9740..64d3587303acdf6afd25dd43d4dd69971b01c853 100644 (file)
@@ -280,8 +280,9 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool verbose) {
        }
     isSuccess  = (counter > 0);
        t1 = clock() - t1;
-       if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks  - possible keys %d", (float)t1, counter);
-
+       if (verbose) {
+               if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks  - possible keys %d", (float)t1, counter);
+       }
        *outputkey = ( isSuccess ) ? outkey : 0;
        crypto1_destroy(s);
        return isSuccess;
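Review bot: The nested `if (verbose) { if ( t1 > 0 ) PrintAndLog(...); }` added here uses two guards for one statement; `if (verbose && t1 > 0) PrintAndLog("Time in mfkey32_moebius: %.0f ticks  - possible keys %d", (float)t1, counter);` says the same in one line and keeps the single-line form the surrounding code uses. The body of `tryMfk32_moebius` begins outside this hunk.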