From: iceman1001 Date: Sun, 29 Jan 2017 10:29:15 +0000 (+0100) Subject: FIX: 'hf 14a sim x' - this fixes the error with using moebius attack and sim. Updat... X-Git-Url: https://git.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/commitdiff_plain/7e735c1398b9c3643d292614db10c7e58c58db85 FIX: 'hf 14a sim x' - this fixes the error with using moebius attack and sim. Updating the nonce variable doesn't change the premodulated response. And it should update everytime it gets a command. One concering issue is that this takes time. Successfully works with two PM3. One acting reader, another sim. --- diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c index 2b4f9ea1..d49e6ae1 100644 --- a/armsrc/iso14443a.c +++ b/armsrc/iso14443a.c @@ -1058,12 +1058,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { if(!GetIso14443aCommandFromReader(receivedCmd, receivedCmdPar, &len)) { DbpString("Button press"); break; - } - - // incease nonce at every command recieved - nonce = prand(); - num_to_bytes(nonce, 4, response5); - + } p_response = NULL; // Okay, look at the command now. @@ -1158,6 +1153,12 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { EmSendCmdEx(emdata, sizeof(emdata), false); p_response = NULL; } else { + + // incease nonce at every command recieved. this is time consuming. + nonce = prand(); + num_to_bytes(nonce, 4, response5); + prepare_tag_modulation(&responses[5], DYNAMIC_MODULATION_BUFFER_SIZE); + cardAUTHSC = receivedCmd[1] / 4; // received block num cardAUTHKEY = receivedCmd[0] - 0x60; p_response = &responses[5]; order = 7; @@ -1173,7 +1174,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { LogTrace(receivedCmd, Uart.len, Uart.startTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.endTime*16 - DELAY_AIR2ARM_AS_TAG, Uart.parity, TRUE); uint32_t nr = bytes_to_num(receivedCmd,4); uint32_t ar = bytes_to_num(receivedCmd+4,4); - + // Collect AR/NR per keytype & sector if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) { @@ -1279,8 +1280,8 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { dynamic_response_info.response_n = 2; } break; - case 0xaa: - case 0xbb: { + case 0xAA: + case 0xBB: { dynamic_response_info.response[0] = receivedCmd[0] ^ 0x11; dynamic_response_info.response_n = 2; } break; @@ -1313,7 +1314,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { dynamic_response_info.response[1] = receivedCmd[1]; // Add CRC bytes, always used in ISO 14443A-4 compliant cards - AppendCrc14443a(dynamic_response_info.response,dynamic_response_info.response_n); + AppendCrc14443a(dynamic_response_info.response, dynamic_response_info.response_n); dynamic_response_info.response_n += 2; if (prepare_tag_modulation(&dynamic_response_info,DYNAMIC_MODULATION_BUFFER_SIZE) == false) { @@ -1333,7 +1334,7 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { // comment this limit if you want to simulation longer if (!tracing) { - Dbprintf("Trace Full. Simulation stopped."); + DbpString("Trace Full. Simulation stopped."); break; } // comment this limit if you want to simulation longer @@ -1366,9 +1367,10 @@ void SimulateIso14443aTag(int tagType, int flags, byte_t* data) { set_tracing(FALSE); BigBuf_free_keep_EM(); LED_A_OFF(); - + + /* if(flags & FLAG_NR_AR_ATTACK && MF_DBGLEVEL >= 1) { - /* + for ( uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) { if (ar_nr_collected[i] == 2) { Dbprintf("Collected two pairs of AR/NR which can be used to extract %s from reader for sector %d:", (i= 4){ Dbprintf("-[ Wake ups after halt [%d]", happened); Dbprintf("-[ Messages after halt [%d]", happened2); diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 0ea171af..6b944df3 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1383,62 +1383,64 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) { printf("enter reader attack\n"); for (uint8_t i = 0; i < ATTACK_KEY_COUNT; ++i) { - if (data[i].ar2 > 0) { + + // if no-collected data + if (data[i].ar2 == 0) continue; - // We can probably skip this, mfkey32v2 is more reliable. + // We can probably skip this, mfkey32v2 is more reliable. #ifdef HFMF_TRYMFK32 - if (tryMfk32(data[i], &key, verbose)) { - PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" - , (data[i].keytype) ? "B" : "A" - , data[i].sector - , key - ); - - k_sector[i].Key[data[i].keytype] = key; - k_sector[i].foundKey[data[i].keytype] = TRUE; - - //set emulator memory for keys - if (setEmulatorMem) { - uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; - num_to_bytes( k_sector[i].Key[0], 6, memBlock); - num_to_bytes( k_sector[i].Key[1], 6, memBlock+10); - PrintAndLog("Setting Emulator Memory Block %02d: [%s]" - , ((data[i].sector)*4) + 3 - , sprint_hex( memBlock, sizeof(memBlock)) - ); - mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1); - } - continue; + if (tryMfk32(data[i], &key, verbose)) { + PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" + , (data[i].keytype) ? "B" : "A" + , data[i].sector + , key + ); + + k_sector[i].Key[data[i].keytype] = key; + k_sector[i].foundKey[data[i].keytype] = TRUE; + + //set emulator memory for keys + if (setEmulatorMem) { + uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; + num_to_bytes( k_sector[i].Key[0], 6, memBlock); + num_to_bytes( k_sector[i].Key[1], 6, memBlock+10); + PrintAndLog("Setting Emulator Memory Block %02d: [%s]" + , ((data[i].sector)*4) + 3 + , sprint_hex( memBlock, sizeof(memBlock)) + ); + mfEmlSetMem( memBlock, ((data[i].sector)*4) + 3, 1); } + continue; + } #endif - //moebius attack - if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) { - uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector; - uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype; - - PrintAndLog("M-Found Key%s for sector %02d: [%012"llx"]" - , keyType ? "B" : "A" - , sectorNum - , key - ); - - k_sector[sectorNum].Key[keyType] = key; - k_sector[sectorNum].foundKey[keyType] = TRUE; - - //set emulator memory for keys - if (setEmulatorMem) { - uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; - num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock); - num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10); - PrintAndLog("Setting Emulator Memory Block %02d: [%s]" - , (sectorNum*4) + 3 - , sprint_hex( memBlock, sizeof(memBlock)) - ); - mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1); - } - continue; + + //moebius attack + if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) { + uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector; + uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype; + + PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" + , keyType ? "B" : "A" + , sectorNum + , key + ); + + k_sector[sectorNum].Key[keyType] = key; + k_sector[sectorNum].foundKey[keyType] = TRUE; + + //set emulator memory for keys + if (setEmulatorMem) { + uint8_t memBlock[16] = {0,0,0,0,0,0, 0xff, 0x0F, 0x80, 0x69, 0,0,0,0,0,0}; + num_to_bytes( k_sector[sectorNum].Key[0], 6, memBlock); + num_to_bytes( k_sector[sectorNum].Key[1], 6, memBlock+10); + //iceman, guessing this will not work so well for 4K tags. + PrintAndLog("Setting Emulator Memory Block %02d: [%s]" + , (sectorNum*4) + 3 + , sprint_hex( memBlock, sizeof(memBlock)) + ); + mfEmlSetMem( memBlock, (sectorNum*4) + 3, 1); } - + continue; } } } diff --git a/client/nonce2key/nonce2key.c b/client/nonce2key/nonce2key.c index fa734144..64d35873 100644 --- a/client/nonce2key/nonce2key.c +++ b/client/nonce2key/nonce2key.c @@ -280,8 +280,9 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool verbose) { } isSuccess = (counter > 0); t1 = clock() - t1; - if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks - possible keys %d", (float)t1, counter); - + if (verbose) { + if ( t1 > 0 ) PrintAndLog("Time in mfkey32_moebius: %.0f ticks - possible keys %d", (float)t1, counter); + } *outputkey = ( isSuccess ) ? outkey : 0; crypto1_destroy(s); return isSuccess;