]> git.zerfleddert.de Git - proxmark3-svn/commitdiff
FIX: 'hf 14a sim x' - adjusted and shows messages when verbose.
authoriceman1001 <iceman@iuse.se>
Sun, 29 Jan 2017 22:09:23 +0000 (23:09 +0100)
committericeman1001 <iceman@iuse.se>
Sun, 29 Jan 2017 22:09:23 +0000 (23:09 +0100)
FIX: 'hf mf sim x i' - same as above.

In general we only use Moebius attack for "sim x",  that means a clean up on device side code. simpler to understand. It still tries to gather 8 different collections of nonces combo. When one is complete, it get sent to client which runs moebius direct.

armsrc/iso14443a.c
client/cmdhf14a.c
client/cmdhfmf.c
client/cmdhfmf.h
include/mifare.h

index d49e6ae1cd009b4c91814e12b9a44c32c4ef5aa1..396048742ba790c80143187a7fdcd4c91015d3cd 100644 (file)
@@ -871,17 +871,9 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
        uint8_t cardAUTHKEY = 0xff;  // no authentication
        // allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
 
-       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (std, moebius)
-       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
-
-       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
-       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
-       uint8_t nonce1_count = 0;
-       uint8_t nonce2_count = 0;
-       uint8_t moebius_n_count = 0;
-       bool gettingMoebius = false;
-       uint8_t mM = 0; // moebius_modifier for collection storage
-
+       nonces_t ar_nr_nonces[ATTACK_KEY_COUNT]; // for attack types moebius
+       memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
+       uint8_t moebius_count = 0;
        
        switch (tagType) {
                case 1: { // MIFARE Classic 1k 
@@ -1056,7 +1048,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                
                // Clean receive command buffer
                if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) {
-                       DbpString("Button press");
+                       Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
                        break;
                }       
                p_response = NULL;
@@ -1153,15 +1145,21 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                                EmSendCmdEx(emdata, sizeof(emdata), false);
                                p_response = NULL;
                        } else {
+                                                               
+                               cardAUTHKEY = receivedCmd[0] - 0x60;
+                               cardAUTHSC = receivedCmd[1] / 4; // received block num
                                
-                               // incease nonce at every command recieved. this is time consuming.
+                               // incease nonce at AUTH requests. this is time consuming.
                                nonce = prand();
-                               num_to_bytes(nonce, 4, response5);
-                               prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
-                               
-                               cardAUTHSC = receivedCmd[1] / 4; // received block num
-                               cardAUTHKEY = receivedCmd[0] - 0x60;
-                               p_response = &responses[5]; order = 7;
+                               //num_to_bytes(nonce, 4, response5);
+                               num_to_bytes(nonce, 4, dynamic_response_info.response);                         
+                               dynamic_response_info.response_n = 4;
+
+                               //prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE);
+                               prepare_tag_modulation(&dynamic_response_info, DYNAMIC_MODULATION_BUFFER_SIZE);
+                               p_response = &dynamic_response_info;
+                               //p_response = &responses[5]; 
+                               order = 7;
                        }
                } else if(receivedCmd[0] == ISO14443A_CMD_RATS) {       // Received a RATS request
                        if (tagType == 1 || tagType == 2) {     // RATS not supported
@@ -1178,69 +1176,60 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                        // Collect AR/NR per keytype & sector
                        if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
                                
-                                       for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                               int8_t index = -1;
+                               int8_t empty = -1;
+                               for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                       // find which index to use
+                                       if ( (cardAUTHSC == ar_nr_nonces[i].sector) &&  (cardAUTHKEY == ar_nr_nonces[i].keytype)) 
+                                               index = i;
+
+                                       // keep track of empty slots.
+                                       if ( ar_nr_nonces[i].state == EMPTY)
+                                               empty = i;
+                               }
+                               // if no empty slots.  Choose first and overwrite.
+                               if ( index == -1 ) {
+                                       if ( empty == -1 ) {
+                                               index = 0;
+                                               ar_nr_nonces[index].state = EMPTY;
+                                       } else {
+                                               index = empty;
+                                       }
+                               }
+
+                               switch(ar_nr_nonces[index].state) {
+                                       case EMPTY: {
+                                               // first nonce collect
+                                               ar_nr_nonces[index].cuid = cuid;
+                                               ar_nr_nonces[index].sector = cardAUTHSC;
+                                               ar_nr_nonces[index].keytype = cardAUTHKEY;
+                                               ar_nr_nonces[index].nonce = nonce;
+                                               ar_nr_nonces[index].nr = nr;
+                                               ar_nr_nonces[index].ar = ar;
+                                               ar_nr_nonces[index].state = FIRST;
+                                               break;
+                                       } 
+                                       case FIRST : { 
+                                               // second nonce collect
+                                               ar_nr_nonces[index].nonce2 = nonce;
+                                               ar_nr_nonces[index].nr2 = nr;
+                                               ar_nr_nonces[index].ar2 = ar;
+                                               ar_nr_nonces[index].state = SECOND;
+
+                                               // send to client
+                                               cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
                                                
-                                               if ( ar_nr_collected[i+mM] == 0 || (
-                                                                       (cardAUTHSC == ar_nr_resp[i+mM].sector) && 
-                                                                       (cardAUTHKEY == ar_nr_resp[i+mM].keytype) &&
-                                                                       (ar_nr_collected[i+mM] > 0)
-                                                               )
-                                                       ) {
-                                                               
-                                                       // if first auth for sector, or matches sector and keytype of previous auth
-                                                       if (ar_nr_collected[i+mM] > 1) continue;
-                                                               
-                                                       // if we haven't already collected 2 nonces for this sector
-                                                       if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
-                                                               // Avoid duplicates... probably not necessary, ar should vary. 
-                                                               if (ar_nr_collected[i+mM]==0) {
-                                                                       // first nonce collect
-                                                                       nonce1_count++;
-                                                                       // add this nonce to first moebius nonce
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
-                                                                       ar_nr_collected[i+ATTACK_KEY_COUNT]++;
-                                                               } else { 
-                                                                       // second nonce collect (std and moebius)
-                                                                       ar_nr_resp[i+mM].nonce2 = nonce;
-                                                                       ar_nr_resp[i+mM].nr2 = nr;
-                                                                       ar_nr_resp[i+mM].ar2 = ar;
-                                                                       
-                                                                       if (!gettingMoebius) {
-                                                                               nonce2_count++;
-                                                                               // check if this was the last second nonce we need for std attack
-                                                                               if ( nonce2_count == nonce1_count ) {
-                                                                                       // done collecting std test switch to moebius
-                                                                                       // first finish incrementing last sample
-                                                                                       ar_nr_collected[i+mM]++; 
-                                                                                       // switch to moebius collection
-                                                                                       gettingMoebius = true;
-                                                                                       mM = ATTACK_KEY_COUNT;
-                                                                                       break;
-                                                                               }
-                                                                       } else {
-                                                                               moebius_n_count++;
-                                                                               // if we've collected all the nonces we need - finish.
-                                                                               if (nonce1_count == moebius_n_count) {
-                                                                                       cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
-                                                                                       nonce1_count = 0;
-                                                                                       nonce2_count = 0;
-                                                                                       moebius_n_count = 0;
-                                                                                       gettingMoebius = false;
-                                                                               }
-                                                                       }
-                                                               }
-                                                               ar_nr_collected[i+mM]++;
-                                                       }
-                                                       // we found right spot for this nonce stop looking
-                                                       break;
-                                               }
+                                               ar_nr_nonces[index].state = EMPTY;
+                                               ar_nr_nonces[index].sector = 0;
+                                               ar_nr_nonces[index].keytype = 0;
+                                               
+                                               moebius_count++;
+                                               break;
                                        }
+                                       default: break;
                                }
+                       }
+                       p_response = NULL;
                        
                } else if (receivedCmd[0] == MIFARE_ULC_AUTH_1 ) { // ULC authentication, or Desfire Authentication
                } else if (receivedCmd[0] == MIFARE_ULEV1_AUTH) { // NTAG / EV-1 authentication
@@ -1318,7 +1307,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
                                dynamic_response_info.response_n += 2;
         
                                if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) {
-                                       Dbprintf("Error preparing tag response");
+                                       DbpString("Error preparing tag response");
                                        LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE);
                                        break;
                                }
@@ -1403,9 +1392,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) {
        */
                
        if (MF_DBGLEVEL >= 4){
-               Dbprintf("-[ Wake ups after halt [%d]", happened);
-               Dbprintf("-[ Messages after halt [%d]", happened2);
-               Dbprintf("-[ Num of received cmd [%d]", cmdsRecvd);
+               Dbprintf("-[ Wake ups after halt  [%d]", happened);
+               Dbprintf("-[ Messages after halt  [%d]", happened2);
+               Dbprintf("-[ Num of received cmd  [%d]", cmdsRecvd);
+               Dbprintf("-[ Num of moebius tries [%d]", moebius_count);
        }
        
        cmd_send(CMD_ACK,1,0,0,0,0);
@@ -2500,17 +2490,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        
        // Here, we collect CUID, NT, NR, AR, CUID2, NT2, NR2, AR2
        // This can be used in a reader-only attack.
-       nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; // for 2 separate attack types (nml, moebius)
-       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
-
-       uint8_t ar_nr_collected[ATTACK_KEY_COUNT*2]; // for 2nd attack type (moebius)
-       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
-       uint8_t nonce1_count = 0;
-       uint8_t nonce2_count = 0;
-       uint8_t moebius_n_count = 0;
-       bool gettingMoebius = false;
-       uint8_t mM = 0; // moebius_modifier for collection storage
-       bool doBufResetNext = false;
+       nonces_t ar_nr_nonces[ATTACK_KEY_COUNT];
+       memset(ar_nr_nonces, 0x00, sizeof(ar_nr_nonces));
 
        // -- Determine the UID
        // Can be set from emulator memory or incoming data
@@ -2752,101 +2733,63 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                                uint32_t nr = bytes_to_num(receivedCmd, 4);
                                uint32_t ar = bytes_to_num(&receivedCmd[4], 4);
 
-                               if (doBufResetNext) {
-                                       // Reset, lets try again!
-                                       if (MF_DBGLEVEL >= 4) Dbprintf("Re-read after previous NR_AR_ATTACK, resetting buffer");
-                                       memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
-                                       memset(ar_nr_collected, 0x00, sizeof(ar_nr_collected));
-                                       mM = 0;
-                                       doBufResetNext = false;
-                               }
-
-                               for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                               // Collect AR/NR per keytype & sector
+                               if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
                                        
-                                       if ( ar_nr_collected[i+mM] == 0 || (
-                                                               (cardAUTHSC == ar_nr_resp[i+mM].sector) && 
-                                                               (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && 
-                                                               (ar_nr_collected[i+mM] > 0)
-                                                       )
-                                               ) {
-
-                                               // if first auth for sector, or matches sector and keytype of previous auth
-                                               if (ar_nr_collected[i+mM] < 2) {
-                                                       // if we haven't already collected 2 nonces for this sector
-                                                       if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
-                                                               // Avoid duplicates... probably not necessary, ar should vary.
-                                                               if (ar_nr_collected[i+mM]==0) {
-                                                                       // first nonce collect
-                                                                       ar_nr_resp[i+mM].cuid = cuid;
-                                                                       ar_nr_resp[i+mM].sector = cardAUTHSC;
-                                                                       ar_nr_resp[i+mM].keytype = cardAUTHKEY;
-                                                                       ar_nr_resp[i+mM].nonce = nonce;
-                                                                       ar_nr_resp[i+mM].nr = nr;
-                                                                       ar_nr_resp[i+mM].ar = ar;
-                                                                       nonce1_count++;
-                                                                       // add this nonce to first moebius nonce
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
-                                                                       ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
-                                                                       ar_nr_collected[i+ATTACK_KEY_COUNT]++;
-                                                               } else { // second nonce collect (std and moebius)
-                                                                       ar_nr_resp[i+mM].nonce2 = nonce;
-                                                                       ar_nr_resp[i+mM].nr2 = nr;
-                                                                       ar_nr_resp[i+mM].ar2 = ar;
-                                                                       if (!gettingMoebius) {
-                                                                               nonce2_count++;
-                                                                               // check if this was the last second nonce we need for std attack
-                                                                               if ( nonce2_count == nonce1_count ) {
-                                                                                       // done collecting std test switch to moebius
-                                                                                       // first finish incrementing last sample
-                                                                                       ar_nr_collected[i+mM]++; 
-                                                                                       // switch to moebius collection
-                                                                                       gettingMoebius = true;
-                                                                                       mM = ATTACK_KEY_COUNT;
-                                                                                       break;
-                                                                               }
-                                                                       } else {
-                                                                               moebius_n_count++;
-                                                                               // if we've collected all the nonces we need - finish.
-
-                                                                               if (nonce1_count == moebius_n_count) {
-                                                                                       cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_resp, sizeof(ar_nr_resp));
-                                                                                       nonce1_count = 0;
-                                                                                       nonce2_count = 0;
-                                                                                       moebius_n_count = 0;
-                                                                                       gettingMoebius = false;
-                                                                                       doBufResetNext = true;
-                                                                                       finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE));
-                                                                               }
-                                                                       }
-                                                               }
-                                                               ar_nr_collected[i+mM]++;
-                                                       }
+                                       int8_t index = -1;
+                                       int8_t empty = -1;
+                                       for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+                                               // find which index to use
+                                               if ( (cardAUTHSC == ar_nr_nonces[i].sector) &&  (cardAUTHKEY == ar_nr_nonces[i].keytype)) 
+                                                       index = i;
+
+                                               // keep track of empty slots.
+                                               if ( ar_nr_nonces[i].state == EMPTY)
+                                                       empty = i;
+                                       }
+                                       // if no empty slots.  Choose first and overwrite.
+                                       if ( index == -1 ) {
+                                               if ( empty == -1 ) {
+                                                       index = 0;
+                                                       ar_nr_nonces[index].state = EMPTY;
+                                               } else {
+                                                       index = empty;
                                                }
-                                               // we found right spot for this nonce stop looking
-                                               break;
                                        }
-                               }
 
+                                       switch(ar_nr_nonces[index].state) {
+                                               case EMPTY: {
+                                                       // first nonce collect
+                                                       ar_nr_nonces[index].cuid = cuid;
+                                                       ar_nr_nonces[index].sector = cardAUTHSC;
+                                                       ar_nr_nonces[index].keytype = cardAUTHKEY;
+                                                       ar_nr_nonces[index].nonce = nonce;
+                                                       ar_nr_nonces[index].nr = nr;
+                                                       ar_nr_nonces[index].ar = ar;
+                                                       ar_nr_nonces[index].state = FIRST;
+                                                       break;
+                                               } 
+                                               case FIRST : { 
+                                                       // second nonce collect
+                                                       ar_nr_nonces[index].nonce2 = nonce;
+                                                       ar_nr_nonces[index].nr2 = nr;
+                                                       ar_nr_nonces[index].ar2 = ar;
+                                                       ar_nr_nonces[index].state = SECOND;
+
+                                                       // send to client
+                                                       cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, 0, 0, &ar_nr_nonces[index], sizeof(nonces_t));
+                                                       
+                                                       ar_nr_nonces[index].state = EMPTY;
+                                                       ar_nr_nonces[index].sector = 0;
+                                                       ar_nr_nonces[index].keytype = 0;
+                                                       break;
+                                               }
+                                               default: break;
+                                       }
+                               }
 
                                /*
-                               // Collect AR/NR
-                               // if(ar_nr_collected < 2 && cardAUTHSC == 2){
-                               if(ar_nr_collected < 2) {                                       
-                                       // if(ar_nr_responses[2] != nr) {
-                                               ar_nr_responses[ar_nr_collected*4]   = cuid;
-                                               ar_nr_responses[ar_nr_collected*4+1] = nonce;
-                                               ar_nr_responses[ar_nr_collected*4+2] = nr;
-                                               ar_nr_responses[ar_nr_collected*4+3] = ar;
-                                               ar_nr_collected++;
-                                       // }                                    
-               
-                                       // Interactive mode flag, means we need to send ACK
-                                       finished = ( ((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE)&& ar_nr_collected == 2);
-                               }
+                               // Interactive mode flag, means we need to send ACK
                                
                                crypto1_word(pcs, ar , 1);
                                cardRr = nr ^ crypto1_word(pcs, 0, 0);
@@ -3081,45 +3024,6 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
                }
        }
 
-       // Interactive mode flag, means we need to send ACK
-       /*
-       if((flags & FLAG_INTERACTIVE) == FLAG_INTERACTIVE && flags & FLAG_NR_AR_ATTACK == FLAG_NR_AR_ATTACK) {
-               // May just aswell send the collected ar_nr in the response aswell
-               uint8_t len = ar_nr_collected * 4 * 4;
-               cmd_send(CMD_ACK, CMD_SIMULATE_MIFARE_CARD, len, 0, &ar_nr_responses, len);
-       }
-       */
-       
-       if( ((flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) && MF_DBGLEVEL >= 1 ) {
-               for ( uint8_t   i = 0; i < ATTACK_KEY_COUNT; i++) {
-                       if (ar_nr_collected[i] == 2) {
-                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
-                               Dbprintf("../tools/mfkey/mfkey32 %08x %08x %08x %08x %08x %08x",
-                                               ar_nr_resp[i].cuid,  //UID
-                                               ar_nr_resp[i].nonce, //NT
-                                               ar_nr_resp[i].nr,    //NR1
-                                               ar_nr_resp[i].ar,    //AR1
-                                               ar_nr_resp[i].nr2,   //NR2
-                                               ar_nr_resp[i].ar2    //AR2
-                                               );
-                       }
-               }       
-               for ( uint8_t i = ATTACK_KEY_COUNT; i < ATTACK_KEY_COUNT*2; i++) {
-                       if (ar_nr_collected[i] == 2) {
-                               Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i<ATTACK_KEY_COUNT/2) ? "keyA" : "keyB", ar_nr_resp[i].sector);
-                               Dbprintf("../tools/mfkey/mfkey32v2 %08x %08x %08x %08x %08x %08x %08x",
-                                               ar_nr_resp[i].cuid,  //UID
-                                               ar_nr_resp[i].nonce, //NT
-                                               ar_nr_resp[i].nr,    //NR1
-                                               ar_nr_resp[i].ar,    //AR1
-                                               ar_nr_resp[i].nonce2,//NT2
-                                               ar_nr_resp[i].nr2,   //NR2
-                                               ar_nr_resp[i].ar2    //AR2
-                                               );
-                       }
-               }
-       }       
-       
        if (MF_DBGLEVEL >= 1) 
                Dbprintf("Emulator stopped. Tracing: %d  trace length: %d ", tracing, BigBuf_get_traceLen());
        
index ca8b8c1dadcf1441dcace8a691d092dd05ce6e9b..b6c8b3c93f245b56f90f8a9a351808424851e29f 100644 (file)
@@ -441,7 +441,6 @@ int CmdHF14ACUIDs(const char *Cmd) {
 // ## simulate iso14443a tag
 // ## greg - added ability to specify tag UID
 int CmdHF14ASim(const char *Cmd) {
-       #define ATTACK_KEY_COUNT 8
        bool errors = FALSE;
        uint8_t flags = 0;
        uint8_t tagtype = 1;    
@@ -451,7 +450,8 @@ int CmdHF14ASim(const char *Cmd) {
        bool useUIDfromEML = TRUE;
        bool setEmulatorMem = FALSE;
        bool verbose = FALSE;
-
+       nonces_t data[1];
+       
        while(param_getchar(Cmd, cmdp) != 0x00) {
                switch(param_getchar(Cmd, cmdp)) {
                        case 'h':
@@ -483,7 +483,7 @@ int CmdHF14ASim(const char *Cmd) {
                                break;
                        case 'v':
                        case 'V':
-                               verbose = true;
+                               verbose = TRUE;
                                cmdp++;
                                break;
                        case 'x':
@@ -498,7 +498,7 @@ int CmdHF14ASim(const char *Cmd) {
                                break;                          
                        default:
                                PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
-                               errors = true;
+                               errors = TRUE;
                                break;
                        }
                if(errors) break;
@@ -514,19 +514,19 @@ int CmdHF14ASim(const char *Cmd) {
        memcpy(c.d.asBytes, uid, uidlen>>1);
        clearCommandBuffer();
        SendCommand(&c);        
-
-       nonces_t data[ATTACK_KEY_COUNT*2];
        UsbCommand resp;
        
        PrintAndLog("Press pm3-button to abort simulation");
+       
        while( !ukbhit() ){
                if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;
                if ( !(flags & FLAG_NR_AR_ATTACK) ) break;
                if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;
                        
-               memcpy( data, resp.d.asBytes, sizeof(data) );
-               readerAttack(data, setEmulatorMem, verbose);
+               memcpy(data, resp.d.asBytes, sizeof(data) );
+               readerAttack(data[0], setEmulatorMem, verbose);
        }
+       showSectorTable();
        return 0;
 }
 
index 36438d7fdd5d09fa073b97fa24ad8bf44b0c0405..e6568f59f64b70d8304bc35918d506b754b52fda 100644 (file)
@@ -1361,18 +1361,16 @@ int CmdHF14AMfChk(const char *Cmd) {
        PrintAndLog("");\r
        return 0;\r
 }\r
-#define ATTACK_KEY_COUNT 8\r
+\r
 sector *k_sector = NULL;\r
 uint8_t k_sectorsCount = 16;\r
-void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {\r
+static void emptySectorTable(){\r
 \r
        // initialize storage for found keys\r
        if (k_sector == NULL)\r
                k_sector = calloc(k_sectorsCount, sizeof(sector));\r
        if (k_sector == NULL) \r
                return;\r
-\r
-       uint64_t key = 0;\r
                \r
        // empty e_sector\r
        for(int i = 0; i < k_sectorsCount; ++i){\r
@@ -1381,68 +1379,47 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) {
                k_sector[i].foundKey[0] = FALSE;\r
                k_sector[i].foundKey[1] = FALSE;\r
        }\r
+}\r
+void showSectorTable(){\r
+       if (k_sector != NULL) {\r
+               printKeyTable(k_sectorsCount, k_sector);\r
+               free(k_sector);\r
+               k_sector = NULL;\r
+       }\r
+}\r
+void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose) {\r
 \r
-       if (verbose) printf("enter Moebius attack (mfkey32v2) \n");\r
+       uint64_t key = 0;       \r
+       bool success = FALSE;\r
        \r
-       for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) {\r
-               \r
-               // if no-collected data \r
-               if (data[i].ar2 == 0) continue;\r
-\r
-               // We can probably skip this, mfkey32v2 is more reliable.\r
-#ifdef HFMF_TRYMFK32\r
-               if (tryMfk32(data[i], &key, verbose)) {\r
-                       PrintAndLog("Found Key%s for sector %02d: [%012"llx"]"\r
-                               , (data[i].keytype) ? "B" : "A"\r
-                               , data[i].sector\r
-                               , key\r
-                       );\r
-\r
-                       k_sector[i].Key[data[i].keytype] = key;\r
-                       k_sector[i].foundKey[data[i].keytype] = TRUE;\r
-                       \r
-                       //set emulator memory for keys\r
-                       if (setEmulatorMem) {\r
-                               uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
-                               num_to_bytes( k_sector[i].Key[0], 6, memBlock);\r
-                               num_to_bytes( k_sector[i].Key[1], 6, memBlock+10);\r
-                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
-                                       , ((data[i].sector)*4) + 3\r
-                                       , sprint_hex( memBlock, sizeof(memBlock))\r
-                                       );\r
-                               mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1);\r
-                       }\r
-                       continue;\r
-               }\r
-#endif\r
-               \r
-               //moebius attack                        \r
-               if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) {\r
-                       uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector;\r
-                       uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype;\r
-\r
-                       PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012"llx"]"\r
-                               , keyType ? "B" : "A"\r
-                               , sectorNum\r
-                               , key\r
-                       );\r
-\r
-                       k_sector[sectorNum].Key[keyType] = key;\r
-                       k_sector[sectorNum].foundKey[keyType] = TRUE;\r
-\r
-                       //set emulator memory for keys\r
-                       if (setEmulatorMem) {\r
-                               uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
-                               num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock);\r
-                               num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10);\r
-                               //iceman,  guessing this will not work so well for 4K tags.\r
-                               PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
-                                       , (sectorNum*4) + 3\r
-                                       , sprint_hex( memBlock, sizeof(memBlock))\r
-                                       );\r
-                               mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1);\r
-                       }\r
-                       continue;\r
+       if (k_sector == NULL)\r
+               emptySectorTable();\r
+\r
+       success = tryMfk32_moebius(data, &key, verbose);\r
+       if (success) {\r
+               uint8_t sector = data.sector;\r
+               uint8_t keytype = data.keytype;\r
+\r
+               PrintAndLog("Reader is trying authenticate with: Key %s, sector %02d: [%012"llx"]"\r
+                       , keytype ? "B" : "A"\r
+                       , sector\r
+                       , key\r
+               );\r
+\r
+               k_sector[sector].Key[keytype] = key;\r
+               k_sector[sector].foundKey[keytype] = TRUE;\r
+\r
+               //set emulator memory for keys\r
+               if (setEmulatorMem) {\r
+                       uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0};\r
+                       num_to_bytes( k_sector[sector].Key[0], 6, memBlock);\r
+                       num_to_bytes( k_sector[sector].Key[1], 6, memBlock+10);\r
+                       //iceman,  guessing this will not work so well for 4K tags.\r
+                       PrintAndLog("Setting Emulator Memory Block %02d: [%s]"\r
+                               , (sector*4) + 3\r
+                               , sprint_hex( memBlock, sizeof(memBlock))\r
+                               );\r
+                       mfEmlSetMem( memBlock, (sector*4) + 3, 1);\r
                }\r
        }\r
 }\r
@@ -1453,18 +1430,17 @@ int CmdHF14AMf1kSim(const char *Cmd) {
        uint8_t exitAfterNReads = 0;\r
        uint8_t flags = (FLAG_UID_IN_EMUL | FLAG_4B_UID_IN_DATA);\r
        int uidlen = 0;\r
-       bool setEmulatorMem = false;\r
        uint8_t cmdp = 0;\r
-       bool errors = false;\r
-\r
-       // If set to true, we should show our workings when doing NR_AR_ATTACK.\r
-       bool verbose = false;\r
-\r
+       bool errors = FALSE;\r
+       bool verbose = FALSE;\r
+       bool setEmulatorMem = FALSE;\r
+       nonces_t data[1];\r
+               \r
        while(param_getchar(Cmd, cmdp) != 0x00) {\r
                switch(param_getchar(Cmd, cmdp)) {\r
                case 'e':\r
                case 'E':\r
-                       setEmulatorMem = true;\r
+                       setEmulatorMem = TRUE;\r
                        cmdp++;\r
                        break;\r
                case 'h':\r
@@ -1489,11 +1465,11 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                                case  8: flags = FLAG_4B_UID_IN_DATA; break;\r
                                default: return usage_hf14_mf1ksim();\r
                        }\r
-                       cmdp +=2;\r
+                       cmdp += 2;\r
                        break;\r
                case 'v':\r
                case 'V':\r
-                       verbose = true;\r
+                       verbose = TRUE;\r
                        cmdp++;\r
                        break;\r
                case 'x':\r
@@ -1503,7 +1479,7 @@ int CmdHF14AMf1kSim(const char *Cmd) {
                        break;\r
                default:\r
                        PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));\r
-                       errors = true;\r
+                       errors = TRUE;\r
                        break;\r
                }\r
                if(errors) break;\r
@@ -1521,27 +1497,20 @@ int CmdHF14AMf1kSim(const char *Cmd) {
        memcpy(c.d.asBytes, uid, sizeof(uid));\r
        clearCommandBuffer();\r
        SendCommand(&c);\r
+       UsbCommand resp;                \r
 \r
-       if(flags & FLAG_INTERACTIVE) {          \r
+       if(flags & FLAG_INTERACTIVE) {\r
                PrintAndLog("Press pm3-button or send another cmd to abort simulation");\r
 \r
-               nonces_t data[ATTACK_KEY_COUNT*2];\r
-               UsbCommand resp;                \r
-\r
                while( !ukbhit() ){\r
                        if (!WaitForResponseTimeout(CMD_ACK, &resp, 1500) ) continue;\r
                        if ( !(flags & FLAG_NR_AR_ATTACK) ) break;\r
                        if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break;\r
 \r
-                       memcpy( data, resp.d.asBytes, sizeof(data) );                   \r
-                       readerAttack(data, setEmulatorMem, verbose);\r
-               }\r
-               \r
-               if (k_sector != NULL) {\r
-                       printKeyTable(k_sectorsCount, k_sector);\r
-                       free(k_sector);\r
-                       k_sector = NULL;\r
+                       memcpy(data, resp.d.asBytes, sizeof(data));\r
+                       readerAttack(data[0], setEmulatorMem, verbose);\r
                }\r
+               showSectorTable();\r
        }\r
        return 0;\r
 }\r
index a2f9328ae5beafd236bd5d5824e98341b85f0830..26df2df46b935c63d66888664197c3b46dfc95e8 100644 (file)
@@ -61,6 +61,7 @@ int CmdHF14AMfCLoad(const char* cmd);
 int CmdHF14AMfCSave(const char* cmd);\r
 int CmdHf14MfDecryptBytes(const char *Cmd);\r
 \r
-void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose);\r
+void showSectorTable(void);\r
+void readerAttack(nonces_t data, bool setEmulatorMem, bool verbose);\r
 void printKeyTable( uint8_t sectorscnt, sector *e_sector );\r
 #endif\r
index 11c977d579626a028500ccb1d668c56961519982..e6643f5f235f95b34d82631f56019539c393a8d6 100644 (file)
@@ -74,6 +74,11 @@ typedef struct {
   uint32_t nr2;
   uint8_t  sector;
   uint8_t  keytype;
+  enum {
+               EMPTY,
+               FIRST,
+               SECOND,
+       } state;
 } nonces_t;
 
 #endif // _MIFARE_H_
Impressum, Datenschutz